Distributed Storage Systems: CephX Authentication and Authorization in a Ceph Cluster (Part 5)


Managing keyrings
Command to create a keyring: ceph-authtool --create-keyring /path/to/keyring
[root@ceph-admin ~]# ceph-authtool --create-keyring ./client.abc.keyring
creating ./client.abc.keyring
[root@ceph-admin ~]# cat ./client.abc.keyring
[root@ceph-admin ~]#
Tip: the newly created keyring file is empty. We need to add the user with ceph auth add, then write that user's entry into the keyring file with ceph auth get or ceph auth export. A word on naming: keyring files should normally be kept in /etc/ceph so that clients can find them automatically. A keyring that holds several users should be named cluster-name.keyring; a keyring that holds a single user should be named cluster-name.user-name.keyring. That is the standard keyring naming convention.
Command to merge a user's keyring into one consolidated keyring file: ceph-authtool /etc/ceph/cluster-name.keyring --import-keyring /etc/ceph/cluster-name.user-name.keyring
[root@ceph-admin ~]# ll
total 16
-rw-r--r-- 1 root root 1568 Sep 25 11:40 ceph-deploy-ceph.log
-rw------- 1 root root    0 Oct  2 00:57 client.abc.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.cluster.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.keyring
-rw-r--r-- 1 root root  164 Oct  2 00:43 client.test.keyring
[root@ceph-admin ~]# cat client.test.keyring
[client.test]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow r"
    caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]# ceph-authtool ./client.test.keyring --import-keyring ./client.admin.keyring
importing contents of ./client.admin.keyring into ./client.test.keyring
[root@ceph-admin ~]# cat client.test.keyring
[client.admin]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow *"
    caps osd = "allow *"
[client.test]
    key = AQB94C1jTO8jJhAAY4Zhy40wduyIONnRqxtkEA==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow r"
    caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]#

Managing users with the ceph-authtool command
The ceph-authtool command can create a user, grant it caps and create its keyring directly.
Command help
[root@ceph-admin ~]# ceph-authtool -h
usage: ceph-authtool keyringfile [OPTIONS]...
where the options are:
  -l, --list                    will list all keys and capabilities present in
                                the keyring
  -p, --print-key               will print an encoded key for the specified
                                entityname. This is suitable for the
                                'mount -o secret=..' argument
  -C, --create-keyring          will create a new keyring, overwriting any
                                existing keyringfile
  -g, --gen-key                 will generate a new secret key for the
                                specified entityname
  --gen-print-key               will generate a new secret key without set it
                                to the keyringfile, prints the secret to stdout
  --import-keyring FILE         will import the content of a given keyring
                                into the keyringfile
  -n NAME, --name NAME          specify entityname to operate on
  -u AUID, --set-uid AUID       sets the auid (authenticated user id) for the
                                specified entityname
  -a BASE64, --add-key BASE64   will add an encoded key to the keyring
  --cap SUBSYSTEM CAPABILITY    will set the capability for given subsystem
  --caps CAPSFILE               will set all of capabilities associated with a
                                given key, for all subsystems
  --mode MODE                   will set the desired file mode to the keyring
                                e.g: '0644', defaults to '0600'
[root@ceph-admin ~]#
Tip: -l or --list lists all users in the keyring; -p prints the key of the given user; -C creates the keyring file; -g generates a key for the given user; -n specifies the user name; --cap specifies a capability; --mode sets the permissions of the keyring file, which default to 0600, meaning only root or the file's owner has read and write access.
[root@ceph-admin ~]# ceph-authtool -C client.usera.keyring -n client.usera --gen-key --cap mon 'allow r' --cap osd 'allow rw pool=rbdpool'
creating client.usera.keyring
[root@ceph-admin ~]# ll
total 20
-rw-r--r-- 1 root root 1568 Sep 25 11:40 ceph-deploy-ceph.log
-rw------- 1 root root    0 Oct  2 00:57 client.abc.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.cluster.keyring
-rw-r--r-- 1 root root  151 Oct  2 00:14 client.admin.keyring
-rw-r--r-- 1 root root  315 Oct  2 01:03 client.test.keyring
-rw------- 1 root root  121 Oct  2 01:25 client.usera.keyring
[root@ceph-admin ~]# ceph auth get client.usera
Error ENOENT: failed to find client.usera in keyring
[root@ceph-admin ~]# cat client.usera.keyring
[client.usera]
    key = AQAIeDhjTnmLGhAAWgL3GqtJsPwmOD6CPbJO8Q==
    caps mon = "allow r"
    caps osd = "allow rw pool=rbdpool"
[root@ceph-admin ~]#
Tip: the keyring written by ceph-authtool gets the default mode 0600, but ceph auth get client.usera returns ENOENT because ceph-authtool only writes the local file; the monitors know nothing about client.usera until that keyring is imported into the cluster (for example with ceph auth import -i client.usera.keyring).
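As an added example that is not part of the original post, the following Python code parses keyring files in the format shown above, models what --import-keyring does when one keyring is merged into another, and audits the result for the two weaknesses visible in the listings above: keyring files left at mode 0644 and caps that grant allow * to a non-admin user. The sample keyrings and their keys are constructed placeholders, and the rule that the imported entity wins on a name clash is an assumption, not documented ceph-authtool behaviour.

```python
import re
# Constructed samples modelled on the two keyring files above; keys are placeholders.
ADMIN_KEYRING = """[client.admin]
    key = AQDadminPLACEHOLDERkey000000000000000000000==
    caps mon = "allow *"
    caps osd = "allow *"
"""
TEST_KEYRING = """[client.test]
    key = AQDtestPLACEHOLDERkey0000000000000000000000==
    caps mds = "allow *"
    caps mon = "allow r"
    caps osd = "allow rw pool=rbdpool"
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
CAPS_RE = re.compile(r'^caps\s+(\w+)\s*=\s*"([^"]*)"$')
def parse_keyring(text):
    # Returns {entity: {"key": str | None, "caps": {subsystem: capstring}}}.
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := SECTION_RE.match(line)):
            current = entries.setdefault(m.group(1), {"key": None, "caps": {}})
        elif current is None:
            raise ValueError(f"entry outside a section: {line!r}")
        elif (m := CAPS_RE.match(line)):
            current["caps"][m.group(1)] = m.group(2)
        elif line.startswith("key"):
            current["key"] = line.split("=", 1)[1].strip()
    return entries

def merge_keyrings(base, imported):
    # Models --import-keyring: imported entities are added to the base keyring;
    # an entity present in both takes the imported definition (assumption).
    merged = dict(base)
    merged.update(imported)
    return merged

def audit_keyring(entries, file_mode):
    # Flags a keyring readable by group/others and wildcard caps outside client.admin.
    findings = []
    if file_mode & 0o077:
        findings.append(f"file mode {file_mode & 0o777:04o} is not 0600")
    for name, entry in entries.items():
        for subsystem, cap in entry["caps"].items():
            if "*" in cap and name != "client.admin":
                findings.append(f"{name}: wildcard cap on {subsystem}: {cap}")
    return findings
```

Pass the st_mode from os.stat on a real keyring file as file_mode to audit a file on disk.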

Lessons learned and further reading