From: Anthony D'Atri Date: Thu, 19 Nov 2020 06:22:44 +0000 (-0800) Subject: doc/rados/operations: Add description of new auth profiles X-Git-Tag: v16.1.0~504^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=3e2e3e3735e9e12ab3af9b39e5af68692b026339;p=ceph.git doc/rados/operations: Add description of new auth profiles --- diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst index 739ddf4f71d..d8695effbfb 100644 --- a/doc/rados/operations/user-management.rst +++ b/doc/rados/operations/user-management.rst @@ -45,7 +45,6 @@ For details on configuring the Ceph Storage Cluster to use authentication, see `Cephx Config Reference`_. For details on the architecture of Cephx, see `Architecture - High Availability Authentication`_. - Background ========== @@ -56,7 +55,6 @@ Additionally, Ceph users must have execute permissions to use Ceph's administrative commands. The following concepts will help you understand Ceph user management. - User ---- 
@@ -292,6 +290,29 @@ The following entries describe valid capability profiles: cap supports optional ``pool`` and ``namespace`` keyword arguments. +``profile simple-rados-client`` (Monitor only) + +:Description: Gives a user read-only permissions for monitor, OSD, and PG data. + Intended for use by direct librados client applications. + +``profile fs-client`` (Monitor only) + +:Description: Gives a user read-only permissions for monitor, OSD, PG, and MDS + data. Intended for CephFS clients. + +``profile role-definer`` (Monitor and Auth) + +:Description: Gives a user **all** permissions for the auth subsystem, read-only + access to monitors, and nothing else. Useful for automation + tools. Do not assign this unless you really, **really** know what + you're doing as the security ramifications are substantial and + pervasive. + +``profile crash`` (Monitor only) + +:Description: Gives a user read-only access to monitors, used in conjunction + with the manager ``crash`` module when collecting daemon crash + dumps for later analysis. Pool ---- @@ -339,7 +360,6 @@ capability. Limited globbing of namespaces is supported; if the last character of the specified namespace is ``*``, then access is granted to any namespace starting with the provided argument. - Managing Users ============== @@ -351,7 +371,6 @@ When you create or delete users in the Ceph Storage Cluster, you may need to distribute keys to clients so that they can be added to keyrings. See `Keyring Management`_ for details. - List Users ---------- @@ -415,8 +434,6 @@ save the output to a file. Developers may also execute the following:: The ``auth export`` command is identical to ``auth get``. - - Add a User ---------- @@ -486,7 +503,6 @@ For example:: See `Authorization (Capabilities)`_ for additional details on capabilities. - Delete a User ------------- 
@@ -513,7 +529,6 @@ software with a user's key (e.g., libvirt). :: mount -t ceph serverhost:/ mountpoint -o name=client.user,secret=`ceph auth print-key client.user` - Import a User(s) ---------------- @@ -527,11 +542,10 @@ For example:: sudo ceph auth import -i /etc/ceph/ceph.keyring -.. note:: The ceph storage cluster will add new users, their keys and their +.. note:: The Ceph storage cluster will add new users, their keys and their capabilities and will update existing users, their keys and their capabilities. - Keyring Management ================== @@ -561,7 +575,6 @@ The `User Management`_ section details how to list, get, add, modify and delete users directly in the Ceph Storage Cluster. However, Ceph also provides the ``ceph-authtool`` utility to allow you to manage keyrings from a Ceph client. - Create a Keyring ---------------- @@ -596,7 +609,6 @@ intend to use the keyring for a particular user or group of users, ensure that you execute ``chown`` or ``chmod`` to establish appropriate keyring ownership and access. - Add a User to a Keyring ----------------------- @@ -618,7 +630,6 @@ For example:: sudo ceph-authtool /etc/ceph/ceph.keyring --import-keyring /etc/ceph/ceph.client.admin.keyring - Create a User ------------- @@ -642,7 +653,6 @@ the new user to the Ceph Storage Cluster. :: sudo ceph auth add client.ringo -i /etc/ceph/ceph.keyring - Modify a User ------------- @@ -663,7 +673,6 @@ You may also `Modify User Capabilities`_ directly in the cluster, store the results to a keyring file; then, import the keyring into your main ``ceph.keyring`` file. - Command Line Usage ================== @@ -709,7 +718,6 @@ Ceph supports the following usage for user name and secret: .. _pools: ../pools - Limitations ===========
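Review bot: in hunk @@ -292,6 +290,29 @@ the ``profile role-definer`` entry warns that the "security ramifications are substantial and pervasive" without saying what they are; a reader deciding whether to assign it needs the concrete reason, which is that full permission on the auth subsystem lets the holder create or rewrite the capabilities of any other entity, admin-equivalent ones included, so the profile amounts to cluster-administrator access despite granting only read access to monitors otherwise. Suggest adding after "nothing else." a sentence along the lines of "Because it can create or modify any user's capabilities, this profile is equivalent to cluster administrator access; protect its key as you would the admin key." In the same hunk, "read-only permissions for monitor, OSD, and PG data" under ``profile simple-rados-client`` reads as if it covered object data; since these are monitor capabilities only, consider "read access to the monitor, OSD and PG maps" and state that access to pool data still requires separate ``osd`` capabilities.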
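Review bot: the commit message "doc/rados/operations: Add description of new auth profiles" does not cover most of what the patch changes: the hunks from @@ -45,7 +45,6 @@ through @@ -709,7 +718,6 @@ only drop a blank line before a section heading, and hunk @@ -527,11 +542,10 @@ also capitalizes "ceph" to "Ceph" in the note text. Suggest either moving the whitespace and capitalization cleanup into a separate commit or adding a line to the message that mentions it, so the capability-profile documentation, which is the security-relevant part, stays reviewable on its own.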