Ceph client authorization flow:
Client authentication and authorization in Ceph are handled by the mon nodes (the cephx protocol). The mon holds a secret key for every entity: the administrator creates a user and its key on the mon (see ceph auth below) and then copies the key to the client as a keyring file; for the admin user that file is /etc/ceph/ceph.client.admin.keyring. Every client has to reach a mon to authenticate, so run several mon nodes: this removes the single point of failure and spreads the authentication load.
At this point both the client and the mon hold the client's key, and the exchange runs as follows:
1. The client asks the mon for authentication. The mon generates a session key, encrypts it with the client's key and returns the encrypted session key.
2. The client decrypts it with its own key. Only a client that holds the correct key can recover the session key; this is what proves its identity to the mon.
3. Using the session key, the client asks the mon for a ticket for the OSD service. The mon returns a ticket encrypted with a secret that it shares with the OSDs; the client itself cannot read or alter the ticket.
4. The client presents the ticket to an OSD. The OSD decrypts it with the secret it shares with the mon; if decryption succeeds the client is accepted as authenticated, and the caps granted to that user decide what it may do.
Two caveats worth keeping in mind: cephx authenticates clients and daemons to each other but does not by itself encrypt the data path (that needs msgr2 secure mode), and all of these keys are shared symmetric secrets, so anyone who copies a keyring file can act as that user until the key is changed.
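The exchange above, as an added example in Python that is not part of the original notes or of Ceph's own code. It models the three roles (mon, client, OSD) with the page's entity name client.jerry and constructed random secrets; a small HMAC-authenticated stream cipher stands in for the AES encryption real cephx uses, and the tickets carry no caps or expiry. The two failure cases show why the flow works: a client without the right key cannot recover the session key, so it never gets a ticket, and an OSD rejects any ticket that was not sealed with the mon/OSD shared secret.

```python
# Toy model of the cephx ticket flow above (added example, not Ceph's code).
# Real cephx uses AES-encrypted structures with nonces/timestamps and ticket expiry;
# an HMAC-authenticated SHA-256 stream cipher stands in for AES so this runs stand-alone.
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag, then decrypt; ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def proof(session_key, msg):
    """Authenticator: shows the sender holds the session key without revealing it."""
    return hmac.new(session_key, msg, hashlib.sha256).digest()

class Mon:
    def __init__(self, user_keys, osd_secret):
        self.user_keys = user_keys    # per-entity keys, as stored by `ceph auth add`
        self.osd_secret = osd_secret  # shared with every OSD, never given to clients
        self.sessions = {}

    def auth_request(self, entity):
        """Step 1: a fresh session key, encrypted with the entity's own key."""
        self.sessions[entity] = os.urandom(32)
        return seal(self.user_keys[entity], self.sessions[entity])

    def ticket_request(self, entity, session_proof):
        """Step 2: caller proves it recovered the session key; mon issues an OSD ticket
        sealed under the mon/OSD secret (real tickets also carry caps and an expiry)."""
        session_key = self.sessions[entity]
        if not hmac.compare_digest(session_proof, proof(session_key, b"ticket:osd")):
            raise PermissionError("session key proof failed")
        return seal(self.osd_secret, entity.encode() + b"|" + session_key)

class Osd:
    def __init__(self, osd_secret):
        self.osd_secret = osd_secret

    def handle(self, ticket, op, authenticator):
        """Step 3: open the ticket with the shared secret, then check the caller
        holds the session key named inside it."""
        entity, _, session_key = unseal(self.osd_secret, ticket).partition(b"|")
        if not hmac.compare_digest(authenticator, proof(session_key, op)):
            raise PermissionError("authenticator does not match ticket")
        return f"{entity.decode()}: {op.decode()} ok"

class Client:
    def __init__(self, entity, key):
        self.entity, self.key, self.session_key, self.ticket = entity, key, None, None

    def authenticate(self, mon):
        self.session_key = unseal(self.key, mon.auth_request(self.entity))
        self.ticket = mon.ticket_request(self.entity, proof(self.session_key, b"ticket:osd"))

    def osd_op(self, osd, op):
        return osd.handle(self.ticket, op, proof(self.session_key, op))

def demo():
    osd_secret, jerry_key = os.urandom(32), os.urandom(32)   # constructed secrets
    mon, osd = Mon({"client.jerry": jerry_key}, osd_secret), Osd(osd_secret)
    jerry = Client("client.jerry", jerry_key)
    jerry.authenticate(mon)
    results = {"good": jerry.osd_op(osd, b"write mypool/obj1")}
    # Wrong key: the sealed session key cannot be opened, so no ticket is ever issued.
    try:
        Client("client.jerry", os.urandom(32)).authenticate(mon)
        results["wrong_key"] = "accepted"
    except ValueError:
        results["wrong_key"] = "rejected"
    # Forged ticket: the OSD only trusts tickets sealed with the mon/OSD secret.
    forged = seal(os.urandom(32), b"client.admin|" + jerry.session_key)
    try:
        osd.handle(forged, b"rm mypool/obj1", proof(jerry.session_key, b"rm mypool/obj1"))
        results["forged_ticket"] = "accepted"
    except ValueError:
        results["forged_ticket"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

The OSD never sees the client's long-term key: it only needs the secret it shares with the mon, which is why compromising one OSD does not expose client keys, while a leaked client keyring lets anyone complete step 2 as that user.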
Ceph user permission management
For how authentication itself works, see the client authorization flow section above.
# Ceph user management: ceph auth -h lists the commands. Run them on any node that has a Ceph client and an admin keyring. In TYPE.ID, TYPE is the entity type (client, mon, osd, mds, mgr) and ID is the user id or name. The create, delete, modify and query commands are:
Add a user:
ceph auth add TYPE.ID [SERVICE 'CAPS' ...]
ceph auth get-or-create TYPE.ID [SERVICE 'CAPS' ...]
ceph auth get-or-create-key TYPE.ID [SERVICE 'CAPS' ...]
(caps are given per service, e.g. mon 'allow r' osd 'allow rw pool=mypool')
Delete a user: ceph auth del TYPE.ID
Modify a user's caps: ceph auth caps TYPE.ID SERVICE 'CAPS' ...
Get a user and its caps: ceph auth get TYPE.ID
List all users and their caps: ceph auth list
Ceph authentication and user management in practice:
# List all users with their keys and caps
ceph@ceph-node1:~$ ceph auth list
mds.ceph-mgr1
key: AQDFZCZh/Z28CBAA4ZZ97KwsjQZ9WQ+iPfK/7w==
caps: [mds] allow
caps: [mon] allow profile mds
caps: [osd] allow rwx
osd.0
key: AQCCuSNhbNc5HRAADPrQOkORhBD/h9nJ3EVf+Q==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
osd.1
key: AQCbuSNhHaVFORAAd5tG77DQqjG2R1FIOxIbbg==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
# Save the whole list to the file auth_list.key. The file contains every key in the cluster in cleartext, so keep it on a trusted host with restrictive permissions (for example chmod 600)
ceph@ceph-node1:~$ ceph auth list -o auth_list.key
# Add a user. There are three commands; all accept -o FILE to write their output to a file:
ceph auth add: creates the user, prints no key
ceph auth get-or-create: creates the user and prints its keyring entry (name and key); if the user already exists its existing entry is printed (the command fails if the caps you pass do not match the existing ones)
ceph auth get-or-create-key: creates the user and prints only the key
ceph@ceph-node1:~$ ceph auth add client.jerry mon "allow rw" osd "allow rwx pool=mypool"
added key for client.jerry
ceph@ceph-node1:~$ ceph auth get-or-create client.tom mon "allow rw" osd "allow rwx"
[client.tom]
key = AQDU6ixhU9W9FBAA7UEV6KP6qfqAmaRThNIq4A==
ceph@ceph-node1:~$ ceph auth get-or-create-key client.peter mon "allow rw" osd "allow rwx"
AQBm7CxhMVXjJxAA7aoY+cZcG9aK7qLoU4X2Rw==
# View a user and its caps: ceph auth get TYPE.ID
ceph@ceph-node1:~$ ceph auth get client.jerry
[client.jerry]
key = AQAl6SxhGOaXCRAAVVxDWTDxS8HVN8ZdzqZCkQ==
caps mon = "allow rw"
caps osd = "allow rwx pool=mypool"
exported keyring for client.jerry
# Print only a user's key. print-key writes no trailing newline, which is why the shell prompt follows the key on the same line below
ceph@ceph-node1:~$ ceph auth print-key client.tom
AQDU6ixhU9W9FBAA7UEV6KP6qfqAmaRThNIq4A==ceph@ceph-node1:~$
# Modify a user's caps. ceph auth caps replaces the whole cap set, not just the service you name, so to keep existing caps you must repeat them along with the new ones; any cap you leave out is removed. Below, the osd cap on mypool is tightened from rwx to rw while the mon cap is repeated unchanged:
ceph@ceph-node1:~$ ceph auth get client.jerry
[client.jerry]
key = AQAl6SxhGOaXCRAAVVxDWTDxS8HVN8ZdzqZCkQ==
caps mon = "allow rw"
caps osd = "allow rwx pool=mypool"
exported keyring for client.jerry
ceph@ceph-node1:~$ ceph auth caps client.jerry mon "allow rw" osd "allow rw pool=mypool"
updated caps for client.jerry
ceph@ceph-node1:~$ ceph auth get client.jerry
[client.jerry]
key = AQAl6SxhGOaXCRAAVVxDWTDxS8HVN8ZdzqZCkQ==
caps mon = "allow rw"
caps osd = "allow rw pool=mypool"
exported keyring for client.jerry
# Delete a user
ceph@ceph-node1:~$ ceph auth del client.tom
updated
User backup and restore
Backup and restore via keyrings
# A keyring is a file holding the authentication information of one or more entities: each entry is an entity name with its key and its caps, in the same text format that ceph auth get prints. Keyrings contain secrets, so protect them like the admin keyring.
Backup:
# Create an empty keyring
Keyring naming convention: CLUSTER.TYPE.ID.keyring, e.g. ceph.client.admin.keyring
ceph@ceph-mon1:~$ ceph-authtool --create-keyring ceph.client.user1.keyring
creating ceph.client.user1.keyring
# Check the keyring; it is still empty at this point
ceph@ceph-mon1:~$ cat ceph.client.user1.keyring
ceph@ceph-mon1:~$ file ceph.client.user1.keyring
ceph.client.user1.keyring: empty
# Export a user into the keyring. -o overwrites the file on every run, so after the two commands below only client.admin is left in it. Normally keyrings should be backed up daily
ceph@ceph-mon1:~$ ceph auth get client.jerry -o ceph.client.user1.keyring
exported keyring for client.jerry
ceph@ceph-mon1:~$ ceph auth get client.admin -o ceph.client.user1.keyring
exported keyring for client.admin
If you do not want the file overwritten, redirect with >> to append instead; the format is plain text, so appended entries are read normally:
ceph@ceph-mon1:~$ ceph auth get client.peter >> ceph.client.user1.keyring
You can also merge several users' entries into one keyring with ceph-authtool --import-keyring and then export or import the merged file. First recreate client.tom, which was deleted above, so it gets a new key:
ceph@ceph-mon1:~$ ceph auth get-or-create-key client.tom mon "allow rw" osd "allow rwx"
ceph@ceph-mon1:~$ ceph-authtool --create-keyring ceph.client.tom.keyring
creating ceph.client.tom.keyring
ceph@ceph-mon1:~$ ceph-authtool --create-keyring ceph.client.peter.keyring
creating ceph.client.peter.keyring
ceph@ceph-mon1:~$ ceph-authtool --create-keyring ceph.client.bootstrap-mgr.keyring
creating ceph.client.bootstrap-mgr.keyring
ceph@ceph-mon1:~$ ceph auth get client.bootstrap-mgr -o ceph.client.bootstrap-mgr.keyring
exported keyring for client.bootstrap-mgr
ceph@ceph-mon1:~$ ceph auth get client.peter -o ceph.client.peter.keyring
exported keyring for client.peter
ceph@ceph-mon1:~$ ceph-authtool -l ./ceph.client.peter.keyring
[client.peter]
key = AQBm7CxhMVXjJxAA7aoY+cZcG9aK7qLoU4X2Rw==
caps mon = "allow rw"
caps osd = "allow rwx"
ceph@ceph-mon1:~$ ceph-authtool ./ceph.client.peter.keyring --import-keyring ./ceph.client.bootstrap-mgr.keyring
importing contents of ./ceph.client.bootstrap-mgr.keyring into ./ceph.client.peter.keyring
ceph@ceph-mon1:~$ ceph auth get client.tom -o ./ceph.client.tom.keyring
exported keyring for client.tom
ceph@ceph-mon1:~$ ceph-authtool ./ceph.client.peter.keyring --import-keyring ./ceph.client.tom.keyring
importing contents of ./ceph.client.tom.keyring into ./ceph.client.peter.keyring
ceph@ceph-mon1:~$ ceph-authtool -l ./ceph.client.peter.keyring
[client.bootstrap-mgr]
key = AQCnpyNh+uC4IRAAXOaV1+MzQYV/afCY3ty6LQ==
caps mon = "allow profile bootstrap-mgr"
[client.peter]
key = AQBm7CxhMVXjJxAA7aoY+cZcG9aK7qLoU4X2Rw==
caps mon = "allow rw"
caps osd = "allow rwx"
[client.tom]
key = AQDvky9hYFwgHRAAt3KpcdXHVRk7vnNCgPHnqg==
caps mon = "allow rw"
caps osd = "allow rwx"
Restore a user:
# To demonstrate, delete user peter first and then restore it from the keyring
ceph@ceph-mon1:~$ ceph auth del client.peter
updated
# grep finds no client.peter line; the header still shows because ceph prints it on stderr, which grep does not filter
ceph@ceph-mon1:~$ ceph auth list|grep peter
installed auth entries:
# Import the keyring. ceph.client.user1.keyring holds client.admin plus the appended client.peter; every entity in the file is created or updated, so inspect an old backup with ceph-authtool -l before importing it, because it would also revert keys or caps that changed after the backup was taken
ceph@ceph-mon1:~$ ceph auth import -i ceph.client.user1.keyring
imported keyring
ceph@ceph-mon1:~$ ceph auth list|grep peter
client.peter
installed auth entries:
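The keyring handling used throughout this section (the -o overwrite versus >> append behaviour, ceph-authtool --import-keyring merging, and the rule that ceph auth caps replaces the full cap set), as an added Python example that is not part of the original notes or of Ceph's code. It parses the keyring text format shown above, models the merge semantics of --import-keyring in a function, flags client.* entries whose caps are broader than a single pool (a quick review step before importing a backup), and builds a ceph auth caps command that keeps the caps you are not changing. The sample keyrings are constructed from the entries shown on this page; the rotated tom key is made up.

```python
# Keyring helpers for the backup/restore and `ceph auth caps` steps above
# (added example, not Ceph's code). Parses the text that `ceph auth get -o FILE`
# and `ceph-authtool -l FILE` produce; models `ceph-authtool --import-keyring` merging.
import re
import shlex

# Constructed sample keyrings, mirroring entries from this page's output.
PETER_KEYRING = """
[client.peter]
    key = AQBm7CxhMVXjJxAA7aoY+cZcG9aK7qLoU4X2Rw==
    caps mon = "allow rw"
    caps osd = "allow rwx"
"""
TOM_KEYRING = """
[client.tom]
    key = AQDvky9hYFwgHRAAt3KpcdXHVRk7vnNCgPHnqg==
    caps mon = "allow rw"
    caps osd = "allow rwx"
"""
JERRY_KEYRING = """
[client.jerry]
    key = AQAl6SxhGOaXCRAAVVxDWTDxS8HVN8ZdzqZCkQ==
    caps mon = "allow rw"
    caps osd = "allow rwx pool=mypool"
"""

def parse_keyring(text):
    """Return {entity: {"key": str, "caps": {service: cap}}}; a repeated [entity]
    section (e.g. from `>>` appends) updates the earlier one."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[([^\]]+)\]", line)
        if section:
            current = entries.setdefault(section.group(1), {"key": None, "caps": {}})
            continue
        if current is None:
            raise ValueError(f"property outside any [entity] section: {line!r}")
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip().strip('"')
        if name == "key":
            current["key"] = value
        elif name.startswith("caps "):
            current["caps"][name.split()[1]] = value
    return entries

def import_keyring(dest, src):
    """Model of `ceph-authtool DEST --import-keyring SRC`: merge by entity name;
    an entity present in both ends up with SRC's key and caps."""
    merged = {name: dict(entry) for name, entry in dest.items()}
    merged.update(src)
    return merged

def audit_caps(entries):
    """Flag client.* entries whose caps are broader than a single-pool client needs."""
    findings = []
    for entity, entry in sorted(entries.items()):
        if not entity.startswith("client.") or entity == "client.admin":
            continue  # daemons and the admin key carry broad caps by design
        for service, cap in sorted(entry["caps"].items()):
            if re.search(r"\ballow\s+\*", cap):
                findings.append(f"{entity}: {service} cap {cap!r} allows everything")
            elif service == "osd" and "pool=" not in cap and "profile" not in cap:
                findings.append(f"{entity}: osd cap {cap!r} is not limited to a pool")
    return findings

def caps_command(entity, entry, **changes):
    """`ceph auth caps` replaces ALL caps, so build the command from the existing
    caps plus the ones being changed; anything omitted would be dropped."""
    caps = dict(entry["caps"])
    caps.update(changes)
    parts = ["ceph", "auth", "caps", entity]
    for service in sorted(caps):
        parts += [service, shlex.quote(caps[service])]
    return " ".join(parts)

def demo():
    merged = import_keyring(parse_keyring(PETER_KEYRING), parse_keyring(TOM_KEYRING))
    # Importing again replaces the entity: a rotated tom key in SRC wins over DEST's copy.
    merged = import_keyring(merged, parse_keyring(TOM_KEYRING.replace("AQDvky9h", "AQAAnew0")))
    jerry = parse_keyring(JERRY_KEYRING)["client.jerry"]
    return {
        "entities": sorted(merged),
        "tom_key": merged["client.tom"]["key"],
        "findings": audit_caps(merged),
        "jerry_caps_cmd": caps_command("client.jerry", jerry, osd="allow rw pool=mypool"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running audit_caps over a backup before ceph auth import -i is a cheap way to catch a client.* key that was created with "allow rwx" on every pool instead of pool=... and to notice that importing the file would reinstate it.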