control service independently of the default TCP/mTLS listener.
The TLS certificates configuration values do not apply to this
unix socket based listener.
+keybridge
+ Optional object. This object configures an SMB cluster to deploy an extra
+ ``keybridge`` service. This service acts as a bridge between the Samba file
+ server and external cryptographic and key management services. This can
+ then be used to unlock CephFS subvolumes protected with FSCrypt. The
+ configuration of the keybridge is based on ``scopes``. Each scope maps to
+ a different mechanism for fetching keys.
+ Fields:
+
+ enabled
+ Optional boolean. If explicitly set to ``true`` or ``false`` this
+ field will enable or disable the keybridge service. If left
+ unset the ``scopes`` fields will be checked - if scopes are defined
+ this will automatically enable the service.
+ scopes
+ Optional list of objects. Each object in the list defines and configures
+ a new keybridge scope. A scope of the type ``mem`` stores keys in
+ memory and is only for testing and debugging. A scope of the type
+ ``kmip`` proxies requests to KMIP servers.
+ Fields:
+
+ name
+ String. The name of the scope defines the type and identification
+ of the scope. The name takes the form ``<type>[.<sub_name>]``.
+ Each name must be unique. Current types are ``mem`` and ``kmip``.
+ Sub-names are only supported for ``kmip`` scope. The ``mem``
+ scope is unique per cluster. If the sub-name is left off the
+ system will implicitly name the scope. This can be done only once
+ per-type.
+ kmip_hosts
+ Optional list of strings. Required for type ``kmip``.
+ Specify the hosts the ``kmip`` scope will proxy to. The host values
+ may be DNS names or IPv4 or IPv6 addresses. An optional port value
+ following a colon (``:``) is supported. For IPv6 addresses only:
+ surround the address with square brackets before specifying the
+ port (example: ``[2001:db8::cafe]:9999``).
+ kmip_port
+ Optional integer. Required for type ``kmip`` unless all host
+ values include ports. Specify the port used for KMIP connections
+ for host entries that do not specify a port.
+ kmip_cert
+ Optional object. Required for type ``kmip``.
+ The fields are described in :ref:`tls source fields<tls-source-fields>`.
+ kmip_key
+ Optional object. Required for type ``kmip``.
+ The fields are described in :ref:`tls source fields<tls-source-fields>`.
+ kmip_ca_cert
+ Optional object. Required for type ``kmip``.
+ The fields are described in :ref:`tls source fields<tls-source-fields>`.
+ peer_policy
+ Optional, one of ``restricted`` or ``unrestricted``.
+ Used to control what processes the keybridge server will permit
+ for access. This option is meant for testing and development only.
+ If left unspecified the default behavior is ``restricted``.
external_ceph_cluster:
Optional object. The fields are described in :ref:`external Ceph cluster
source fields<external-ceph-cluster-source-fields>`. This is an
Optional integer. Burst multiplier for write operations (value รท 10 = multiplier),
allowing temporary bursts above the configured limit. Example: ``20`` = 2* the configured limit.
Default: 15 (1.5*).
+ fscrypt_key
+ Optional object. Configures the CephFS storage used by the share to
+ enable FSCrypt. The FSCrypt key will be acquired using the keybridge
+ service. The fields select the keybridge scope to use and the name
+ of the key.
+ Fields:
+
+ scope
+ String. A value matching one of the keybridge scopes defined for
+ the cluster this share belongs to.
+ name
+ String. A value indicating what FSCrypt key to fetch. The specific
+ value of the name depends on the scope being used.
restrict_access
Optional boolean, defaulting to false. If true the share will only permit
access by users explicitly listed in ``login_control``.
projects / ceph.git / commitdiff