Cephx Config Reference
========================
-To protect against man-in-the-middle attacks, Ceph provides its ``cephx``
-authentication system to authenticate users and daemons. See `Ceph
+.. index:: cephx; authentication; cephx configuration
+
+To identify users and protect against man-in-the-middle attacks, Ceph provides
+its ``cephx`` authentication system to authenticate users and daemons. See `Ceph
Authentication & Authorization`_ for an introduction to ``cephx``
authentication. See the `Cephx Guide`_ for details on enabling/disabling,
creating users and setting user capabilities.
.. topic:: Authentication Granularity
Ceph version 0.50 and earlier versions use ``auth supported`` to enable or
- disable authentication between the Ceph client and the cluster. Ceph
- authentication in earlier versions only authenticates users sending message
- traffic between the client and the cluster, so it does not have fine-grained
- control.
+ disable authentication between the :term:`Ceph Client` and the :term:`Ceph
+ Storage Cluster`. Ceph authentication in earlier versions only authenticates
+ users sending message traffic between the client and the cluster, so it does
+ not have fine-grained control.
Ceph version 0.51 and later versions use fine-grained control, which allows
you to require authentication of the client by the cluster
.. versionadded:: 0.51
-:Description: If enabled, the cluster daemons (i.e., ``ceph-mon``,
+:Description: If enabled, the Ceph Storage Cluster daemons (i.e., ``ceph-mon``,
``ceph-osd``, and ``ceph-mds``) must authenticate with
- each other. Valid setting is ``cephx`` or ``none``.
+ each other. Valid settings are ``cephx`` or ``none``.
:Type: String
:Required: No
.. versionadded:: 0.51
-:Description: If enabled, the cluster daemons require Ceph clients to
- authenticate with the cluster in order to access Ceph services.
- Valid setting is ``cephx`` or ``none``.
+:Description: If enabled, the Ceph Storage Cluster daemons require Ceph Clients
+ to authenticate with the Ceph Storage Cluster in order to access
+ Ceph services. Valid settings are ``cephx`` or ``none``.
:Type: String
:Required: No
.. versionadded:: 0.51
-:Description: If enabled, the client requires the Ceph cluster to authenticate
- with the client. Valid setting is ``cephx`` or ``none``.
+:Description: If enabled, the Ceph Client requires the Ceph Storage Cluster to
+ authenticate with the Ceph Client. Valid settings are ``cephx``
+ or ``none``.
:Type: String
:Required: No
:Default: Version 0.54 and earlier ``none``. Version 0.55 and later ``cephx``.
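Review bot: The three rewritten Descriptions in this region still open with "If enabled", but each setting is typed as a String whose documented values are ``cephx`` or ``none``; "If set to ``cephx``" would match the "Valid settings are ``cephx`` or ``none``" sentence and remove the question of what "enabled" means for a string option. Since the hunks already reword these lines, that is the place to make the change.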
+.. index:: keys; keyring
+
Keys
====
When you run Ceph with authentication enabled, ``ceph`` administrative commands
-and Ceph clients require authentication keys to access the cluster.
+and Ceph Clients require authentication keys to access the Ceph Storage Cluster.
The most common way to provide these keys to the ``ceph`` administrative
commands and clients is to include a Ceph keyring under the ``/etc/ceph``
-directory. The filename is usually ``ceph.keyring`` (or ``$cluster.keyring``) or
-simply ``keyring``. If you include the keyring under the ``/etc/ceph``
-directory, you don't need to specify a ``keyring`` entry in your Ceph
-configuration file.
+directory. For Cuttlefish and later releases using ``ceph-deploy``, the filename
+is usually ``ceph.client.admin.keyring`` (or ``$cluster.client.admin.keyring``).
+If you include the keyring under the ``/etc/ceph`` directory, you don't need to
+specify a ``keyring`` entry in your Ceph configuration file.
-We recommend copying the cluster's keyring file to hosts where you'll run
-administrative commands, because it contains the ``client.admin`` key. ::
+We recommend copying the Ceph Storage Cluster's keyring file to nodes where you
+will run administrative commands, because it contains the ``client.admin`` key.
- sudo scp {user}@{ceph-cluster-host}:/etc/ceph/ceph.keyring /etc/ceph/ceph.keyring
+You may use ``ceph-deploy admin`` to perform this task. See `Create an Admin
+Host`_ for details. To perform this step manually, execute the following::
+
+ sudo scp {user}@{ceph-cluster-host}:/etc/ceph/ceph.client.admin.keyring /etc/ceph/ceph.client.admin.keyring
.. tip:: Ensure the ``ceph.keyring`` file has appropriate permissions set
(e.g., ``chmod 644``) on your client machine.
:Default: None
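Review bot: The ``.. tip::`` directly below the hunk still refers to ``ceph.keyring``, but the lines above now name the file ``ceph.client.admin.keyring`` (or ``$cluster.client.admin.keyring``); update the tip to match. Also, because the text states this keyring contains the ``client.admin`` key, the suggested ``chmod 644`` leaves that key readable by every local account on the client host; recommend ``chmod 600`` owned by the user who runs the administrative commands, and say so explicitly rather than "appropriate permissions".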
+.. index:: signatures
+
Signatures
==========
In Ceph Bobtail and subsequent versions, we prefer that Ceph authenticate all
ongoing messages between the entities using the session key set up for that
-initial authentication. However, Argonaut and earlier Ceph daemons do not know how to perform
-ongoing message authentication. To maintain backward compatibility (e.g.,
-running both Botbail and Argonaut daemons in the same cluster), message signing
-is **off** by default. If you are running Bobtail or later daemons exclusively,
-configure Ceph to require signatures.
+initial authentication. However, Argonaut and earlier Ceph daemons do not know
+how to perform ongoing message authentication. To maintain backward
+compatibility (e.g., running both Botbail and Argonaut daemons in the same
+cluster), message signing is **off** by default. If you are running Bobtail or
+later daemons exclusively, configure Ceph to require signatures.
Like other parts of Ceph authentication, Ceph provides fine-grained control so
you can enable/disable signatures for service messages between the client and
``ceph require signatures``
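Review bot: "Botbail" in the rewrapped sentence (``running both Botbail and Argonaut daemons``) is a typo for "Bobtail" carried over unchanged from the old text; since the hunk already rewraps that line, correct it here.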
:Description: If set to ``true``, Ceph requires signatures on all message
- traffic between the client and the Ceph cluster, and between
- daemons within the cluster.
+ traffic between the Ceph Client and the Ceph Storage Cluster, and
+ between daemons comprising the Ceph Storage Cluster.
:Type: Boolean
:Required: No
``cepxh cluster require signatures``
:Description: If set to ``true``, Ceph requires signatures on all message
- traffic between Ceph daemons within the cluster.
+ traffic between Ceph daemons comprising the Ceph Storage Cluster.
:Type: Boolean
:Required: No
``cepxh service require signatures``
:Description: If set to ``true``, Ceph requires signatures on all message
- traffic between Ceph clients and the Ceph cluster.
+ traffic between Ceph Clients and the Ceph Storage Cluster.
:Type: Boolean
:Required: No
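Review bot: The three option headings whose Descriptions these hunks rewrite are spelled inconsistently: ``ceph require signatures`` versus ``cepxh cluster require signatures`` and ``cepxh service require signatures``. The subsystem is written ``cephx`` everywhere else on the page, and the option names are ``cephx require signatures``, ``cephx cluster require signatures`` and ``cephx service require signatures``; the headings are unchanged context, but with their Descriptions being touched this is the natural place to fix them.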
``auth service ticket ttl``
-:Description: When Ceph sends a client a ticket for authentication, the Ceph
- cluster assigns the ticket a time to live.
+:Description: When the Ceph Storage Cluster sends a Ceph Client a ticket for
+ authentication, the Ceph Storage Cluster assigns the ticket a
+ time to live.
:Type: Double
:Default: ``60*60``
.. _Ceph Authentication & Authorization: ../../operations/auth-intro
.. _Cephx Guide: ../../operations/authentication
.. _Ceph Authentication: ../../operations/auth-intro#ceph-authentication-cephx
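Review bot: ``auth service ticket ttl`` has no ``:Required:`` field while every other entry in the file carries one, and ``:Default: ``60*60``` gives an expression with no unit; state the unit (seconds) and the resolved value (``3600``) so a reader knows how long an issued ticket stays valid before the client must obtain a new one.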
+.. _Create an Admin Host: ../../deployment/ceph-deploy-admin#create-an-admin-host
\ No newline at end of file