IBM Storage Ceph uses cephx for authentication, which is enabled by default. To use cephx with the Ceph File System, create a user with the correct authorization capabilities on a Ceph Monitor node. Also, make its key available on the node where the Ceph File System will be mounted.
About this task
For more information, see Ceph user management.
Before you begin
Be sure that you have the following before creating client users for a Ceph File System:
- A running IBM Storage Ceph cluster.
- The Ceph Metadata Server daemon (ceph-mds) installed and configured.
- Root-level access to a Ceph Monitor node.
- Root-level access to a Ceph client node.
Procedure
- Log in to the Cephadm shell on the monitor node.
[root@host01 ~]# cephadm shell
- Create a client user on a Ceph Monitor node.
ceph fs authorize FILE_SYSTEM_NAME client.CLIENT_NAME /DIRECTORY CAPABILITY [/DIRECTORY CAPABILITY] PERMISSIONS ...
Note: Supplying all or asterisk (*) as the file system name grants access to every file system. Typically, it is necessary to put the asterisk in quotations to protect it from the shell.
- Verify the created key.
For example:
[ceph: root@host01 ~]# ceph auth get client.1
client.1
key = AQBSdFhcGZFUDRAAcKhG9Cl2HPiDMMRv4DC43A==
caps mds = "allow r, allow rw path=/temp"
caps mon = "allow r"
caps osd = "allow rw tag cephfs data=cephfs_a"
- Copy the keyring to the client.
- On the Ceph Monitor node, export the keyring to a file.
ceph auth get client.ID -o ceph.client.ID.keyring
For example:
[ceph: root@host01 ~]# ceph auth get client.1 -o ceph.client.1.keyring
exported keyring for client.1
- Copy the client keyring from the Ceph Monitor node to the /etc/ceph/ directory on the client node.
Replace CLIENT_NODE_NAME with the Ceph client node name or IP. For example:
[ceph: root@host01 ~]# scp /ceph.client.1.keyring root@client01:/etc/ceph/ceph.client.1.keyring
- From the client node, set the appropriate permissions for the keyring file.
chmod 644 ceph.client.ID.keyring
For example:
[root@client01 ~]# chmod 644 /etc/ceph/ceph.client.1.keyring
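
The "Verify the created key" step can be scripted. The following is an added example, not part of the IBM documentation: a shell helper that reads ceph auth get output and confirms that every write-capable MDS grant is confined to the directory the client was authorized for. The helper name check_mds_caps and the sample keyring (with a placeholder key) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the "caps mds" line of `ceph auth get` output.
# check_mds_caps is a hypothetical helper, not a Ceph command.

# check_mds_caps EXPECTED_PATH   (keyring text on stdin)
# EXPECTED_PATH is the subdirectory the client was authorized for, e.g. /temp.
# Returns 0 if every write-capable grant is confined to EXPECTED_PATH or below,
# 1 if any write-capable grant is broader, 2 if no "caps mds" line is found.
check_mds_caps() {
    expected=$1
    caps=$(sed -n 's/^[[:space:]]*caps mds = "\(.*\)".*$/\1/p')
    [ -n "$caps" ] || { echo "no mds caps in input" >&2; return 2; }
    rc=0
    # Grants are comma-separated, e.g. "allow r, allow rw path=/temp".
    while read -r allow perms rest; do
        case $perms in
            *w*|'*'|all) ;;      # write-capable: must carry a path restriction
            *) continue ;;       # read-only grant, not checked here
        esac
        # Match the exact path or a child of it, so /temp2 does not pass as /temp.
        case " $rest " in
            *" path=$expected "*|*" path=$expected/"*) ;;
            *) echo "too broad: $allow $perms $rest" >&2; rc=1 ;;
        esac
    done <<EOF
$(printf '%s\n' "$caps" | tr ',' '\n')
EOF
    return $rc
}

# Constructed sample modelled on the output shown above (key replaced).
sample_keyring() {
    cat <<'EOF'
[client.1]
    key = PLACEHOLDER_KEY
    caps mds = "allow r, allow rw path=/temp"
    caps mon = "allow r"
    caps osd = "allow rw tag cephfs data=cephfs_a"
EOF
}

if sample_keyring | check_mds_caps /temp; then
    echo "client.1: write access confined to /temp"
fi
```

On a live cluster the same function can be fed directly, for example: ceph auth get client.1 | check_mds_caps /temp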