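Tip: this command behaves like get-or-create above. If the user exists and the capabilities match, it returns that user's key; if they do not match, it reports that the user exists but the capabilities do not match; if the user does not exist, it creates the user and returns the key. The difference is the format of the returned key: get-or-create returns it in keyring-file format, while get-or-create-key returns only the key value, without the "key = " prefix.
Note: a typical user has at least read capability on the Ceph monitor and read and write capability on the Ceph OSDs. In addition, a user's OSD capabilities should normally be restricted to specific pools; otherwise the user can access every pool in the cluster.
Print a user's key. Command: ceph auth print-key TYPE.ID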
[root@ceph-admin ~]# ceph auth print-key client.jerry
AQDDazhjLbMTIhAADsXyBkPS079vU7dqGs2E+A==[root@ceph-admin ~]#
Import a user. Command: ceph auth import
[root@ceph-admin ~]# ll
total 16
-rw-r--r-- 1 root root 1568 Sep 25 11:40 ceph-deploy-ceph.log
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.cluster.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.keyring
-rw-r--r-- 1 root root  164 Oct  2 00:43 client.test.keyring
[root@ceph-admin ~]# cat client.test.keyring
[client.test]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow r"
        caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# ceph auth get client.test
Error ENOENT: failed to find client.test in keyring
[root@ceph-admin ~]# ceph auth import -i client.test.keyring
imported keyring
[root@ceph-admin ~]# ceph auth get client.test
exported keyring for client.test
[client.test]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow r"
        caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]#
Tip: importing a user from a keyring file requires the -i option, which specifies the keyring file to import.
Modify a user's caps. Command: ceph auth caps TYPE.ID daemon 'allow [r|w|x|*|...] [pool=pool-name] [namespace=namespace-name]' ...
[root@ceph-admin ~]# ceph auth get client.test
exported keyring for client.test
[client.test]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow *"
        caps mgr = "allow *"
        caps mon = "allow r"
        caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# ceph auth caps client.test mds 'allow rw' mgr 'allow r' mon 'allow rw'
updated caps for client.test
[root@ceph-admin ~]# ceph auth get client.test
exported keyring for client.test
[client.test]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow rw"
        caps mgr = "allow r"
        caps mon = "allow rw"
[root@ceph-admin ~]# ceph auth caps client.test mds 'allow rw' mgr 'allow r' mon 'allow rw' osd 'allow rw pool=rbdpool'
updated caps for client.test
[root@ceph-admin ~]# ceph auth get client.test
exported keyring for client.test
[client.test]
        key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
        caps mds = "allow rw"
        caps mgr = "allow r"
        caps mon = "allow rw"
        caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]#
Tip: this command overwrites the user's existing capabilities (in the first ceph auth caps call above, the osd cap that was not specified was dropped), so it is advisable to check the user's caps with ceph auth get TYPE.ID beforehand. To add caps, you must also specify the existing caps; to remove a capability, simply leave it out.
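One way to avoid dropping a capability when changing another, as an added example that is not part of the original post: the helper below reads the output of ceph auth get and prints the complete argument list for ceph auth caps. The function names caps_args and sample_keyring and the sample keyring are constructed for illustration, and cap strings are assumed to contain no single quotes.

```shell
#!/bin/sh
# caps_args DAEMON NEW_CAP
# Reads a keyring (as printed by `ceph auth get TYPE.ID`) on stdin and prints
# "daemon 'cap' ..." for every daemon, with DAEMON set to NEW_CAP.
# An empty NEW_CAP removes that daemon's capability; all others are kept.
caps_args() {
    awk -v d="$1" -v c="$2" '
        /^[ \t]*caps [a-z]+ = "/ {
            name = $2
            val = $0
            sub(/^[^"]*"/, "", val)      # drop everything up to the opening quote
            sub(/"[ \t]*$/, "", val)     # drop the closing quote
            if (!(name in caps)) order[++n] = name
            caps[name] = val
        }
        END {
            if (!(d in caps)) order[++n] = d
            caps[d] = c
            out = ""
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (caps[k] == "") continue
                sep = (out == "") ? "" : " "
                out = out sep k " \047" caps[k] "\047"
            }
            print out
        }'
}

# Constructed sample input; on a real cluster use: ceph auth get client.test
sample_keyring() {
cat <<'EOF'
[client.test]
        key = PLACEHOLDER-CONSTRUCTED-SAMPLE
        caps mds = "allow rw"
        caps mgr = "allow r"
        caps mon = "allow rw"
EOF
}

# Print the full command for review before running it by hand.
echo "ceph auth caps client.test $(sample_keyring | caps_args osd 'allow rw pool=rbdpool')"
```

The script only prints the command, so the resulting caps can be compared with the current ones before anything on the cluster changes.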
Delete a user. Command: ceph auth del TYPE.ID
[root@ceph-admin ~]# ceph auth del client.test
updated
[root@ceph-admin ~]# ceph auth del client.tom
updated
[root@ceph-admin ~]# ceph auth del client.jerry
updated
[root@ceph-admin ~]# ceph auth del client.testuser
updated
[root@ceph-admin ~]# ceph auth get client.testuser
Error ENOENT: failed to find client.testuser in keyring
[root@ceph-admin ~]#
Keyring
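When a client accesses the Ceph cluster, it looks for a keyring locally. By default, Ceph presets the keyring setting with the following four keyring names:
- /etc/ceph/cluster-name.user-name.keyring: holds the keyring of a single user
- /etc/ceph/cluster.keyring: holds the keyrings of multiple users
- /etc/ceph/keyring
- /etc/ceph/keyring.bin
cluster-name is the name of the cluster and user-name is the user identifier (TYPE.ID); for the client.admin user on a cluster named ceph, the keyring file is named ceph.client.admin.keyring.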