When creating a new monitor cluster, the keyring should also contain a ``client.admin`` key that can be used
to administer the system::
- ceph-authtool /path/to/keyring --gen-key -n client.admin --set-uid=0 --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow'
+ ceph-authtool /path/to/keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow'
The resulting keyring is fed to ``ceph-mon --mkfs`` with the ``--keyring <keyring>`` command-line argument.
#. Generate an administrator keyring, generate a ``client.admin`` user and add
the user to the keyring. ::
- sudo ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --set-uid=0 --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'
+ sudo ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'
#. Generate a bootstrap-osd keyring, generate a ``client.bootstrap-osd`` user and add
the user to the keyring. ::
#. Generate an administrator keyring, generate a ``client.admin`` user and add
the user to the keyring. ::
- sudo ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --set-uid=0 --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'
+ sudo ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'
#. Add the ``client.admin`` key to the ``ceph.mon.keyring``. ::
[ --gen-print-key ]
[ --import-keyring *otherkeyringfile* ]
[ -n | --name *entityname* ]
- [ -u | --set-uid *auid* ]
[ -a | --add-key *base64_key* ]
[ --cap *subsystem* *capability* ]
[ --caps *capfile* ]
specify entityname to operate on
-.. option:: -u, --set-uid *auid*
-
- sets the auid (authenticated user id) for the specified entityname
-
.. option:: -a, --add-key *base64_key*
will add an encoded key to the keyring
'ceph-authtool',
'--gen-key',
'--name=client.admin',
- '--set-uid=0',
'--cap', 'mon', 'allow *',
'--cap', 'osd', 'allow *',
'--cap', 'mds', 'allow *',
--import-keyring FILE will import the content of a given keyring
into the keyringfile
-n NAME, --name NAME specify entityname to operate on
- -u AUID, --set-uid AUID sets the auid (authenticated user id) for the
- specified entityname
-a BASE64, --add-key BASE64 will add an encoded key to the keyring
--cap SUBSYSTEM CAPABILITY will set the capability for given subsystem
--caps CAPSFILE will set all of capabilities associated with a
<< " --import-keyring FILE will import the content of a given keyring\n"
<< " into the keyringfile\n"
<< " -n NAME, --name NAME specify entityname to operate on\n"
- << " -u AUID, --set-uid AUID sets the auid (authenticated user id) for the\n"
- << " specified entityname\n"
<< " -a BASE64, --add-key BASE64 will add an encoded key to the keyring\n"
<< " --cap SUBSYSTEM CAPABILITY will set the capability for given subsystem\n"
<< " --caps CAPSFILE will set all of capabilities associated with a\n"
std::string add_key;
std::string caps_fn;
std::string import_keyring;
- uint64_t auid = CEPH_AUTH_UID_DEFAULT;
map<string,bufferlist> caps;
std::string fn;
bool list = false;
bool print_key = false;
bool create_keyring = false;
- bool set_auid = false;
int mode = 0600; // keyring file mode
std::vector<const char*>::iterator i;
create_keyring = true;
} else if (ceph_argparse_witharg(args, i, &val, "--import-keyring", (char*)NULL)) {
import_keyring = val;
- } else if (ceph_argparse_witharg(args, i, &val, "-u", "--set-uid", (char*)NULL)) {
- std::string err;
- auid = strict_strtoll(val.c_str(), 10, &err);
- if (!err.empty()) {
- cerr << "error parsing UID: " << err << std::endl;
- exit(1);
- }
- set_auid = true;
} else if (ceph_argparse_witharg(args, i, &val, "--mode", (char*)NULL)) {
std::string err;
mode = strict_strtoll(val.c_str(), 8, &err);
list ||
!caps_fn.empty() ||
!caps.empty() ||
- set_auid ||
print_key ||
create_keyring ||
!import_keyring.empty())) {
keyring.set_caps(ename, caps);
modified = true;
}
- if (set_auid) {
- keyring.set_uid(ename, auid);
- modified = true;
- }
// read commands
if (list) {
fi
prun $SUDO "$CEPH_BIN/ceph-authtool" --create-keyring --gen-key --name=mon. "$keyring_fn" --cap mon 'allow *'
- prun $SUDO "$CEPH_BIN/ceph-authtool" --gen-key --name=client.admin --set-uid=0 \
+ prun $SUDO "$CEPH_BIN/ceph-authtool" --gen-key --name=client.admin \
--cap mon 'allow *' \
--cap osd 'allow *' \
--cap mds 'allow *' \
--cap mgr 'allow *' \
"$keyring_fn"
- prun $SUDO "$CEPH_BIN/ceph-authtool" --gen-key --name=client.fs --set-uid=0 \
+ prun $SUDO "$CEPH_BIN/ceph-authtool" --gen-key --name=client.fs\
--cap mon 'allow r' \
--cap osd 'allow rw tag cephfs data=*' \
--cap mds 'allow rwp' \
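Review bot: The rewritten `client.fs` line ends in `--name=client.fs\` with no space before the continuation backslash, unlike the `client.admin` line earlier in this hunk, which ends `--name=client.admin \`. The shell joins the two physical lines with nothing in between, so `--name=client.fs` stays separate from `--cap` only if the continuation line begins with whitespace, which this view does not show. If that line ever started at column 0, the entity name would become `client.fs--cap` and the remaining arguments would be mis-parsed when the keyring is created. I would write the line as `prun $SUDO "$CEPH_BIN/ceph-authtool" --gen-key --name=client.fs \`. The command continues past the end of this hunk.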