ceph 认证与授权
- 用户
• 用户是指个人或系统参与者(例如应用)
• 通过创建用户,可以控制谁(或哪个参与者)能够访问Ceph存储集群、以及可访问的存储池及存储池中的数据
• Ceph支持多种类型的用户,但可管理的用户都属于Client类型
• 区分用户类型的原因在于,MON、OSD和MDS等系统组件也使用cephx协议,但它们非为客户端
• 通过点号来分隔用户类型和用户名,格式为TYPE.ID,例如client.admin等
- 授权和使能
• Ceph基于“使能(caps)”来描述用户可针对MON、OSD或MDS使用的权限范围或级别
• 通用语法格式:daemon-type ‘allow caps’ […]
• MON使能
• 包括r、w、x和allow profile cap
• 例如:mon ‘allow rwx’,以及mon 'allow profile osd’等
• OSD使能
• 包括r、w、x、class-read、class-write和profile osd
• 此外,OSD 使能还允许进行存储池和名称空间设置
• MDS使能
• 只需要allow,或留空
环境
192.168.126.101 ceph01
192.168.126.102 ceph02
192.168.126.103 ceph03
192.168.126.104 ceph04
192.168.126.105 ceph-admin
192.168.48.11 ceph01
192.168.48.12 ceph02
192.168.48.13 ceph03
192.168.48.14 ceph04
192.168.48.15 ceph-admin
###所有节点内核版本要求4.5以上
uname -r
5.2.2-1.el7.elrepo.x86_64
[cephadm@ceph-admin ceph-cluster]$ ll -h
total 228K
-rw------- 1 cephadm cephadm 113 Jul 11 22:14 ceph.bootstrap-mds.keyring
-rw------- 1 cephadm cephadm 113 Jul 11 22:14 ceph.bootstrap-mgr.keyring
-rw------- 1 cephadm cephadm 113 Jul 11 22:14 ceph.bootstrap-osd.keyring
-rw------- 1 cephadm cephadm 113 Jul 11 22:14 ceph.bootstrap-rgw.keyring
-rw------- 1 cephadm cephadm 151 Jul 11 22:14 ceph.client.admin.keyring
-rw-rw-r-- 1 cephadm cephadm 309 Jul 11 22:12 ceph.conf
-rw-rw-r-- 1 cephadm cephadm 195K Jul 13 15:16 ceph-deploy-ceph.log
-rw------- 1 cephadm cephadm 73 Jul 11 22:12 ceph.mon.keyring
-rw-rw-r-- 1 cephadm cephadm 12 Jul 12 22:27 test.txt
[cephadm@ceph-admin ceph-cluster]$ ceph -s
cluster:
id: 8a83b874-efa4-4655-b070-704e63553839
health: HEALTH_OK
services:
mon: 3 daemons, quorum ceph01,ceph02,ceph03 (age 92m)
mgr: ceph04(active, since 91m), standbys: ceph03
mds: cephfs:1 {0=ceph02=up:active}
osd: 8 osds: 8 up (since 91m), 8 in (since 8d)
rgw: 1 daemon active (ceph01)
data:
pools: 8 pools, 288 pgs
objects: 214 objects, 3.6 KiB
usage: 8.1 GiB used, 64 GiB / 72 GiB avail
pgs: 288 active+clean
用户管理
列出用户
[cephadm@ceph-admin ceph-cluster]$ ceph auth list
installed auth entries:
mds.ceph02
key: AQBQhSldWqSjCxAAszmXNSnEBLk2KDJhUnrqKg==
caps: [mds] allow
caps: [mon] allow profile mds
caps: [osd] allow rwx
osd.0
key: AQDVSyddhyhmGhAAKjLu8fPY0luJzIRJNEuFPA==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
osd.1
key: AQDnSyddw9ZZGhAAirUrxDEyw6ah9zPh2p3Fuw==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
osd.2
key: AQD3Sydds1f9GRAAiYHWm26xV/veZkczK94dgg==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
osd.3
key: AQAJTCddr3vpKxAAVVVQly0AAS+jaUwaeoSzoQ==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
osd.4
key: AQAbTCddpdrhCBAADu8N/cHdJc5eJ3EVDIQ33Q==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
osd.5
key: AQAqTCddSdYYBhAASd6v3pIxYjbZ4FZ3Yajjgg==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
osd.6
key: AQA7TCddPw9ZBRAAjlXoRabaoAJXxGy114lggQ==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
osd.7
key: AQBYTCddtJPTJhAAP5Vq2UO49cSdc66SpiLSTA==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
client.admin
key: AQAmRCddqQBXBBAAhA+Ob/1PFcM/1iGk79q7xg==
caps: [mds] allow *
caps: [mgr] allow *
caps: [mon] allow *
caps: [osd] allow *
client.bootstrap-mds
key: AQAmRCddjRZXBBAAPee0p26CpiX3F4xTGd5PGg==
caps: [mon] allow profile bootstrap-mds
client.bootstrap-mgr
key: AQAmRCdd3iRXBBAAS7+zbbmQHB1pXydn7tkivw==
caps: [mon] allow profile bootstrap-mgr
client.bootstrap-osd
key: AQAmRCddjzJXBBAAhp1/mDnouOoqtQko5TvjXg==
caps: [mon] allow profile bootstrap-osd
client.bootstrap-rbd
key: AQAmRCddrT9XBBAAaSEbe1BQR4zNFJRCE2o+RQ==
caps: [mon] allow profile bootstrap-rbd
client.bootstrap-rbd-mirror
key: AQAmRCddzk9XBBAAmvA5DLhIV0iI35No1KSQBg==
caps: [mon] allow profile bootstrap-rbd-mirror
client.bootstrap-rgw
key: AQAmRCddcl1XBBAAoBBI/8MPevzERHax0GChNA==
caps: [mon] allow profile bootstrap-rgw
client.rgw.ceph01
key: AQAKgilduu/cORAAQ/Z3y1b8ESFwKHhVl0vQGA==
caps: [mon] allow rw
caps: [osd] allow rwx
mgr.ceph03
key: AQAFSyddP5ZgNhAABOCkgJt35BgHgPYKF7jvAA==
caps: [mds] allow *
caps: [mon] allow profile mgr
caps: [osd] allow *
mgr.ceph04
key: AQD1Sidd4K1LDxAAsvTRaCf51WWf4gJ4y8vqUA==
caps: [mds] allow *
caps: [mon] allow profile mgr
caps: [osd] allow *
添加用户
[cephadm@ceph-admin ceph-cluster]$ ceph auth add client.test mon 'allow rw' osd 'allow rw'
added key for client.test
[cephadm@ceph-admin ceph-cluster]$ ceph auth get client.test
exported keyring for client.test
[client.test]
key = AQBrqTJdkRu1HxAA7iYk6Ap6ZyTuLkSLgDC0sw==
caps mon = "allow rw"
caps osd = "allow rw"
列出用户key
[cephadm@ceph-admin ceph-cluster]$ ceph auth print-key client.test
AQBrqTJdkRu1HxAA7iYk6Ap6ZyTuLkSLgDC0sw==
修改权限
[cephadm@ceph-admin ceph-cluster]$ ceph auth caps client.test mon 'allow *'
updated caps for client.test
[cephadm@ceph-admin ceph-cluster]$ ceph auth get client.test
exported keyring for client.test
[client.test]
key = AQBrqTJdkRu1HxAA7iYk6Ap6ZyTuLkSLgDC0sw==
caps mon = "allow *"
删除用户
[cephadm@ceph-admin ceph-cluster]$ ceph auth del client.test
导出用户的keyring文件
[cephadm@ceph-admin ceph-cluster]$ ceph osd pool create rbdpool 64 64
pool 'rbdpool' created
[cephadm@ceph-admin ceph-cluster]$ ceph auth get-or-create client.rbdpool mon 'allow r' osd 'allow * pool=rbdpool'
[client.rbdpool]
key = AQAYrzJdUh5IIBAA4E13hVvtjkfnMc0JKPwbOA==
[cephadm@ceph-admin ceph-cluster]$ ceph auth get client.rbdpool
exported keyring for client.rbdpool
[client.rbdpool]
key = AQAYrzJdUh5IIBAA4E13hVvtjkfnMc0JKPwbOA==
caps mon = "allow r"
caps osd = "allow * pool=rbdpool"
[cephadm@ceph-admin ceph-cluster]$ ceph auth get client.rbdpool -o ceph.client.rbdpool.keyring
exported keyring for client.rbdpool
合并keyring
[cephadm@ceph-admin ceph-cluster]$ ls
ceph.bootstrap-mds.keyring ceph.bootstrap-rgw.keyring ceph.conf test.txt
ceph.bootstrap-mgr.keyring ceph.client.admin.keyring ceph-deploy-ceph.log
ceph.bootstrap-osd.keyring ceph.client.rbdpool.keyring ceph.mon.keyring
[cephadm@ceph-admin ceph-cluster]$ ceph-authtool --create-keyring cluster.keying
creating cluster.keying
[cephadm@ceph-admin ceph-cluster]$ ceph-authtool cluster.keying --import-keyring ./ceph.client.admin.keyring
importing contents of ./ceph.client.admin.keyring into cluster.keying
[cephadm@ceph-admin ceph-cluster]$ ceph-authtool cluster.keying --import-keyring ./ceph.client.rbdpool.keyring
importing contents of ./ceph.client.rbdpool.keyring into cluster.keying
[cephadm@ceph-admin ceph-cluster]$ cat cluster.keying
[client.admin]
key = AQAmRCddqQBXBBAAhA+Ob/1PFcM/1iGk79q7xg==
caps mds = "allow *"
caps mgr = "allow *"
caps mon = "allow *"
caps osd = "allow *"
[client.rbdpool]
key = AQAYrzJdUh5IIBAA4E13hVvtjkfnMc0JKPwbOA==
caps mon = "allow r"
caps osd = "allow * pool=rbdpool"
[cephadm@ceph-admin ceph-cluster]$ ceph-authtool -l cluster.keying
[client.admin]
key = AQAmRCddqQBXBBAAhA+Ob/1PFcM/1iGk79q7xg==
caps mds = "allow *"
caps mgr = "allow *"
caps mon = "allow *"
caps osd = "allow *"
[client.rbdpool]
key = AQAYrzJdUh5IIBAA4E13hVvtjkfnMc0JKPwbOA==
caps mon = "allow r"
caps osd = "allow * pool=rbdpool"