Creating client users for a Ceph File System

IBM Storage Ceph uses cephx for authentication, which is enabled by default. To use cephx with the Ceph File System, create a user with the correct authorization capabilities on a Ceph Monitor node. Also, make its key available on the node where the Ceph File System will be mounted.

About this task

For more information, see Ceph user management.

Before you begin

Be sure that you have the following before creating client users for a Ceph File System:
  • A running IBM Storage Ceph cluster.
  • The Ceph Metadata Server daemon (ceph-mds) installed and configured.
  • Root-level access to a Ceph Monitor node.
  • Root-level access to a Ceph client node.

Procedure

  1. Log in to the Cephadm shell on the monitor node.
    [root@host01 ~]# cephadm shell
  2. Create a client user on a Ceph Monitor node.
    ceph fs authorize FILE_SYSTEM_NAME client.CLIENT_NAME /DIRECTORY CAPABILITY [/DIRECTORY CAPABILITY ...]
    Each /DIRECTORY CAPABILITY pair scopes that capability to the subtree under DIRECTORY. The command also adds the mon and osd capabilities that the client needs to reach the data pools of that file system, so only the MDS capabilities are specified here.
    • To let the client read the whole of file system cephfs_a but write only in the temp directory, grant r on the root (/) and rw on /temp. For example:
      [ceph: root@host01 ~]# ceph fs authorize cephfs_a client.1 / r /temp rw
      
      client.1
        key = AQBSdFhcGZFUDRAAcKhG9Cl2HPiDMMRv4DC43A==
    • To restrict the client to the temp directory entirely, omit the root (/) directory so that the client has no capability outside /temp. Such a client must mount /temp (or a path under it) rather than the file system root, because it has no read capability on /. For example:
      [ceph: root@host01 ~]# ceph fs authorize cephfs_a client.1 /temp rw
    Note: Supplying all or an asterisk (*) as the file system name grants access to every file system. Typically, it is necessary to put the asterisk in quotation marks to protect it from the shell. Grant this only to clients that need every file system, because the capability then applies in each of them.
  3. Verify the created key.
    ceph auth get client.ID
    For example:
    [ceph: root@host01 ~]# ceph auth get client.1
    
    client.1
      key = AQBSdFhcGZFUDRAAcKhG9Cl2HPiDMMRv4DC43A==
      caps mds = "allow r, allow rw path=/temp"
      caps mon = "allow r"
      caps osd = "allow rw tag cephfs data=cephfs_a"
  4. Copy the keyring to the client.
    1. On the Ceph Monitor node, export the keyring to a file.
      ceph auth get client.ID -o ceph.client.ID.keyring
      For example:
      [ceph: root@host01 ~]# ceph auth get client.1 -o ceph.client.1.keyring
      exported keyring for client.1
    2. Copy the client keyring from the Ceph Monitor node to the /etc/ceph/ directory on the client node.
      scp ceph.client.ID.keyring root@CLIENT_NODE_NAME:/etc/ceph/ceph.client.ID.keyring
      Replace CLIENT_NODE_NAME with the Ceph client node name or IP address. The Cephadm shell runs in a temporary container, and a file written to a path inside it, such as / in this example, is discarded when you exit the shell, so run the copy from the same shell session in which you exported the keyring. For example:
      [ceph: root@host01 ~]# scp /ceph.client.1.keyring root@client01:/etc/ceph/ceph.client.1.keyring
  5. From the client node, set the appropriate permissions for the keyring file.
    chmod 644 ceph.client.ID.keyring
    For example:
    [root@client01 ~]# chmod 644 /etc/ceph/ceph.client.1.keyring
    Mode 644 leaves the key readable by every local user on the client node, and anyone who can read it can authenticate to the cluster as client.1 with all of its capabilities. If only root mounts the file system, chmod 600 is sufficient and keeps the secret private to root.
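The following script is an added example and is not part of the IBM Storage Ceph documentation or of the Ceph project. It audits a client keyring in the format that `ceph auth get client.ID -o FILE` writes (step 4) before the keyring is trusted on a client node: it checks that the file is not readable by other users (the concern with chmod 644 in step 5) and that the mds capability created in step 2 contains no `allow *` and no write permission that is not scoped with `path=`, so that a client cannot write at the file system root by mistake. The function names and the sample keyring it writes are assumptions of this example; the key value in the sample is the one printed in the page's own example output.

```shell
#!/bin/sh
# Added example (not IBM Storage Ceph or Ceph project code): audit a CephFS
# client keyring, as exported by `ceph auth get client.ID -o FILE`, before it
# is trusted on a client node. Two checks:
#   1. the file is not readable by users other than its owner;
#   2. the mds caps grant no `allow *` and no write permission that is not
#      scoped with path=, i.e. no write access at the file system root.
# Function names and the sample keyring below are this example's own.

# Print the mds capability string of a keyring file, for example
#   caps mds = "allow r, allow rw path=/temp"   ->   allow r, allow rw path=/temp
keyring_mds_caps() {
    sed -n 's/^[[:space:]]*caps mds = "\(.*\)"$/\1/p' "$1"
}

# Return 0 if the file mode denies read to "other", 1 if it is world-readable
# or the mode cannot be determined. Works with GNU and BSD stat.
keyring_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ -n "$mode" ] || return 1
    case "$mode" in
        *[4567]) return 1 ;;   # last octal digit has the read bit set for "other"
        *)       return 0 ;;
    esac
}

# Return 0 if every clause of an mds caps string is scoped: no `allow *`, and
# any clause that carries w (write) also carries a path= qualifier. Empty caps fail.
mds_caps_are_scoped() {
    caps=$1
    [ -n "$caps" ] || return 1
    # Clauses are comma separated: "allow PERMS [path=/dir] [fsname=NAME] ..."
    printf '%s\n' "$caps" | tr ',' '\n' | while read -r clause; do
        perms=$(printf '%s\n' "$clause" | awk '{ print $2 }')
        case "$perms" in
            '*') exit 1 ;;                      # unrestricted access
        esac
        case "$clause" in
            *path=*) ;;                         # scoped to a subtree: acceptable
            *) case "$perms" in
                   *w*) exit 1 ;;               # write permission at the root
               esac ;;
        esac
    done
}

# Run both checks on FILE, report findings on stderr, return 0 only if clean.
audit_keyring() {
    rc=0
    if ! keyring_mode_ok "$1"; then
        echo "$1: readable by other users; chmod 600 keeps the secret private to root" >&2
        rc=1
    fi
    caps=$(keyring_mds_caps "$1")
    if ! mds_caps_are_scoped "$caps"; then
        echo "$1: mds caps \"$caps\" are not scoped to a subtree" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample in the format `ceph auth get client.ID -o FILE` writes;
# the key value is the one printed in the page's example output.
write_sample_keyring() {
    printf '[client.1]\n\tkey = AQBSdFhcGZFUDRAAcKhG9Cl2HPiDMMRv4DC43A==\n\tcaps mds = "allow r, allow rw path=/temp"\n\tcaps mon = "allow r"\n\tcaps osd = "allow rw tag cephfs data=cephfs_a"\n' > "$1"
}

# Demo: the sample passes with mode 600 and fails once it is made world-readable.
tmp=$(mktemp)
write_sample_keyring "$tmp"
chmod 600 "$tmp"
audit_keyring "$tmp" && echo "$tmp: ok"
chmod 644 "$tmp"
audit_keyring "$tmp" || echo "$tmp: findings reported above"
rm -f "$tmp"
```

To check a real keyring after step 5, replace the demo at the bottom with `audit_keyring /etc/ceph/ceph.client.1.keyring` and run the script on the client node; a non-zero exit means at least one finding was printed. The mode check only looks at the "other" read bit, so a group-readable keyring passes; tighten the `case` pattern if your client hosts have untrusted group members.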