CEPH-AUTHTOOL(8) Ceph CEPH-AUTHTOOL(8)
NAME
ceph-authtool - ceph keyring manipulation tool
SYNOPSIS
ceph-authtool keyringfile [ -l | --list ] [ -C | --create-keyring ]
[ -p | --print ] [ -n | --name entityname ] [ --gen-key ]
[ -a | --add-key base64_key ] [ --cap subsystem capability ]
[ --caps capsfile ] [ -b | --bin ]
DESCRIPTION
ceph-authtool is a utility to create, view, and modify a Ceph keyring
file. A keyring file stores one or more Ceph authentication keys and
possibly an associated capability specification. Each key is associated
with an entity name, of the form {client,mon,mds,osd}.name.
OPTIONS
-l, --list
will list all keys and capabilities present in the keyring
-p, --print
will print an encoded key for the specified entityname. This is
suitable for the mount -o secret= argument
-C, --create-keyring
will create a new keyring, overwriting any existing keyringfile
--gen-key
will generate a new secret key for the specified entityname
-a, --add-key base64_key
will add the given base64-encoded key to the keyring
--cap subsystem capability
will set the capability for given subsystem
--caps capsfile
will set all of the capabilities associated with a given key, for
all subsystems, from the given caps file
-b, --bin
will create a binary formatted keyring
CAPABILITIES
The subsystem is the name of a Ceph subsystem: mon, mds, or osd.
The capability is a string describing what the given user is allowed to
do. It takes the form of a comma-separated list of allow and deny
clauses, each with a permission specifier containing one or more of r,
w, and x for read, write, and execute permission. The clause allow *
grants full superuser permissions for the given subsystem.
For example:
# can read, write, and execute objects
osd = "allow rwx [pool=foo[,bar]]|[uid=baz[,bay]]"
# can access mds server
mds = "allow"
# can modify cluster state (i.e., is a server daemon)
mon = "allow rwx"
A librados user restricted to a single pool might look like:
osd = "allow rw pool=foo"
A client mounting the file system with minimal permissions would need
caps like:
mds = "allow"
osd = "allow rw pool=data"
mon = "allow r"
CAPS FILE FORMAT
The caps file format consists of zero or more key/value pairs, one per
line. The key and value are separated by an =, and the value must be
quoted (with ' or ") if it contains any whitespace. The key is the name
of the Ceph subsystem (osd, mds, mon), and the value is the capability
string (see above).
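The two sections above describe the caps file layout and the capability-string grammar. The following Python is an added example, not code from the ceph-authtool man page or the Ceph project: it parses a caps file, splits each capability string into allow/deny clauses, and flags grants broader than the minimal mount profile shown above. The clause-splitting rule (a comma starts a new clause only when allow or deny follows it, so pool=foo,bar stays one restriction), support for '#' comment lines, and the audit policy are assumptions of this example; the sample caps files MOUNT_CAPS and SERVER_CAPS are constructed for the demonstration.

```python
"""Parser and least-privilege check for ceph-authtool caps files.

Added example, not code from the ceph-authtool man page or the Ceph
project. It follows the grammar described above: one `subsystem = value`
per line, value quoted with ' or " when it contains whitespace, and a
capability string made of comma-separated allow/deny clauses carrying
r/w/x or * plus restriction words such as pool=foo.
"""
import re
import shlex

SUBSYSTEMS = {"mon", "mds", "osd"}
PERMS = set("rwx")

# Clause boundary: a comma followed by allow or deny. A comma inside a
# restriction list (pool=foo,bar) does not start a new clause. This split
# rule is an assumption of the example, not stated on the man page.
_CLAUSE_SEP = re.compile(r",\s*(?=(?:allow|deny)\b)")


def parse_caps_file(text):
    """Return {subsystem: capability string} parsed from caps file text.

    Raises ValueError on an unknown subsystem, a missing '=' or a value
    containing whitespace that is not quoted. Blank lines and '#' comment
    lines are skipped (comment support is an assumption of this example).
    """
    caps = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or key not in SUBSYSTEMS:
            raise ValueError(f"line {lineno}: expected mon|mds|osd = capability")
        words = shlex.split(value)  # honours ' and " quoting
        if len(words) != 1:
            raise ValueError(f"line {lineno}: value with whitespace must be quoted")
        caps[key] = words[0]
    return caps


def parse_capstring(capstr):
    """Split a capability string into (verb, perms, restrictions) tuples.

    perms is a set drawn from r/w/x, or the string '*' for full access.
    restrictions maps a restriction name to its values, e.g.
    'pool' -> ['foo', 'bar'].
    """
    clauses = []
    for chunk in _CLAUSE_SEP.split(capstr):
        words = chunk.split()
        if not words or words[0] not in ("allow", "deny"):
            raise ValueError(f"clause must start with allow or deny: {chunk!r}")
        verb, perms, restrictions = words[0], set(), {}
        for word in words[1:]:
            if word == "*":
                perms = "*"
            elif "=" in word:
                name, _, values = word.partition("=")
                restrictions[name] = values.split(",")
            elif set(word) <= PERMS:
                if perms != "*":
                    perms |= set(word)
            else:
                raise ValueError(f"unrecognised token {word!r} in {chunk!r}")
        clauses.append((verb, perms, restrictions))
    return clauses


def audit(caps):
    """Flag grants broader than the minimal mount profile shown above.

    The policy is this example's own, not a Ceph rule: allow * is
    superuser, an osd write grant without a pool restriction reaches every
    pool, and a mon write grant is server-daemon level.
    """
    findings = []
    for subsystem, capstr in caps.items():
        for verb, perms, restrictions in parse_capstring(capstr):
            if verb != "allow":
                continue
            if perms == "*":
                findings.append(f"{subsystem}: 'allow *' grants full superuser rights")
            elif subsystem == "osd" and "w" in perms and "pool" not in restrictions:
                findings.append(f"{subsystem}: write access is not restricted to a pool")
            elif subsystem == "mon" and "w" in perms:
                findings.append(f"{subsystem}: write access to cluster state")
    return findings


# Constructed sample caps files for the demonstration.
MOUNT_CAPS = """\
mds = allow
osd = "allow rw pool=data"
mon = 'allow r'
"""

SERVER_CAPS = """\
mon = "allow *"
osd = "allow rwx"
"""

if __name__ == "__main__":
    for name, text in (("mount client", MOUNT_CAPS), ("server daemon", SERVER_CAPS)):
        caps = parse_caps_file(text)
        print(name, caps, audit(caps) or ["least-privilege OK"])
```

Running the file prints the parsed caps for both samples; the mount-client profile produces no findings, while the server-daemon profile is flagged twice. An unquoted value with whitespace, such as `osd = allow rw pool=data`, is rejected by parse_caps_file, which is the rule the CAPS FILE FORMAT section states.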
EXAMPLE
To create a new keyring containing a key for client.foo:
ceph-authtool -C -n client.foo --gen-key keyring
To associate some capabilities with the key (namely, the ability to
mount a Ceph filesystem):
ceph-authtool -n client.foo --cap mds 'allow' --cap osd 'allow rw pool=data' --cap mon 'allow r' keyring
To display the contents of the keyring:
ceph-authtool -l keyring
When mounting a Ceph file system, you can grab the appropriately encoded
secret key with:
mount -t ceph serverhost:/ mountpoint -o name=foo,secret=`ceph-authtool -p -n client.foo keyring`
Note that a secret passed as a mount option in this way is visible to
other local users in the process list while mount runs, and may also be
recorded in the shell history.
AVAILABILITY
ceph-authtool is part of the Ceph distributed file system. Please refer
to the Ceph wiki at http://ceph.newdream.net/wiki for more information.
SEE ALSO
ceph(8)
COPYRIGHT
2011, New Dream Network
dev September 22, 2011 CEPH-AUTHTOOL(8)