From: John Wilkins Date: Fri, 7 Jun 2013 00:35:02 +0000 (-0700) Subject: doc: Updated with glossary terms. X-Git-Tag: v0.65~139 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=5c30844762e269b79160816fc05bfe9ec3cd72ea;p=ceph.git doc: Updated with glossary terms. Signed-off-by: John Wilkins --- diff --git a/doc/rados/configuration/auth-config-ref.rst b/doc/rados/configuration/auth-config-ref.rst index 5481ce4c8bf3..f38ad130ca31 100644 --- a/doc/rados/configuration/auth-config-ref.rst +++ b/doc/rados/configuration/auth-config-ref.rst @@ -2,8 +2,10 @@ Cephx Config Reference ======================== -To protect against man-in-the-middle attacks, Ceph provides its ``cephx`` -authentication system to authenticate users and daemons. See `Ceph +.. index:: cephx; authentication; cephx configuration + +To identify users and protect against man-in-the-middle attacks, Ceph provides +its ``cephx`` authentication system to authenticate users and daemons. See `Ceph Authentication & Authorization`_ for an introduction to ``cephx`` authentication. See the `Cephx Guide`_ for details on enabling/disabling, creating users and setting user capabilities. 
@@ -31,10 +33,10 @@ See `Ceph Authentication`_ for additional details. .. topic:: Authentication Granularity Ceph version 0.50 and earlier versions use ``auth supported`` to enable or - disable authentication between the Ceph client and the cluster. Ceph - authentication in earlier versions only authenticates users sending message - traffic between the client and the cluster, so it does not have fine-grained - control. + disable authentication between the :term:`Ceph Client` and the :term:`Ceph + Storage Cluster`. Ceph authentication in earlier versions only authenticates + users sending message traffic between the client and the cluster, so it does + not have fine-grained control. Ceph version 0.51 and later versions use fine-grained control, which allows you to require authentication of the client by the cluster @@ -60,9 +62,9 @@ See `Ceph Authentication`_ for additional details. .. versionadded:: 0.51 -:Description: If enabled, the cluster daemons (i.e., ``ceph-mon``, +:Description: If enabled, the Ceph Storage Cluster daemons (i.e., ``ceph-mon``, ``ceph-osd``, and ``ceph-mds``) must authenticate with - each other. Valid setting is ``cephx`` or ``none``. + each other. Valid settings are ``cephx`` or ``none``. :Type: String :Required: No @@ -73,9 +75,9 @@ See `Ceph Authentication`_ for additional details. .. versionadded:: 0.51 -:Description: If enabled, the cluster daemons require Ceph clients to - authenticate with the cluster in order to access Ceph services. - Valid setting is ``cephx`` or ``none``. +:Description: If enabled, the Ceph Storage Cluster daemons require Ceph Clients + to authenticate with the Ceph Storage Cluster in order to access + Ceph services. Valid settings are ``cephx`` or ``none``. :Type: String :Required: No 
@@ -87,31 +89,37 @@ See `Ceph Authentication`_ for additional details. .. versionadded:: 0.51 -:Description: If enabled, the client requires the Ceph cluster to authenticate - with the client. Valid setting is ``cephx`` or ``none``. +:Description: If enabled, the Ceph Client requires the Ceph Storage Cluster to + authenticate with the Ceph Client. Valid settings are ``cephx`` + or ``none``. :Type: String :Required: No :Default: Version 0.54 and earlier ``none``. Version 0.55 and later ``cephx``. +.. index:: keys; keyring + Keys ==== When you run Ceph with authentication enabled, ``ceph`` administrative commands -and Ceph clients require authentication keys to access the cluster. +and Ceph Clients require authentication keys to access the Ceph Storage Cluster. The most common way to provide these keys to the ``ceph`` administrative commands and clients is to include a Ceph keyring under the ``/etc/ceph`` -directory. The filename is usually ``ceph.keyring`` (or ``$cluster.keyring``) or -simply ``keyring``. If you include the keyring under the ``/etc/ceph`` -directory, you don't need to specify a ``keyring`` entry in your Ceph -configuration file. +directory. For Cuttlefish and later releases using ``ceph-deploy``, the filename +is usually ``ceph.client.admin.keyring`` (or ``$cluster.client.admin.keyring``). +If you include the keyring under the ``/etc/ceph`` directory, you don't need to +specify a ``keyring`` entry in your Ceph configuration file. -We recommend copying the cluster's keyring file to hosts where you'll run -administrative commands, because it contains the ``client.admin`` key. :: +We recommend copying the Ceph Storage Cluster's keyring file to nodes where you +will run administrative commands, because it contains the ``client.admin`` key. - sudo scp {user}@{ceph-cluster-host}:/etc/ceph/ceph.keyring /etc/ceph/ceph.keyring +You may use ``ceph-deploy admin`` to perform this task. See `Create an Admin +Host`_ for details. 
To perform this step manually, execute the following:: + + sudo scp {user}@{ceph-cluster-host}:/etc/ceph/ceph.client.admin.keyring /etc/ceph/ceph.client.admin.keyring .. tip:: Ensure the ``ceph.keyring`` file has appropriate permissions set (e.g., ``chmod 644``) on your client machine. @@ -144,16 +152,18 @@ setting (not recommended), or a path to a keyfile using the ``keyfile`` setting. :Default: None +.. index:: signatures + Signatures ========== In Ceph Bobtail and subsequent versions, we prefer that Ceph authenticate all ongoing messages between the entities using the session key set up for that -initial authentication. However, Argonaut and earlier Ceph daemons do not know how to perform -ongoing message authentication. To maintain backward compatibility (e.g., -running both Botbail and Argonaut daemons in the same cluster), message signing -is **off** by default. If you are running Bobtail or later daemons exclusively, -configure Ceph to require signatures. +initial authentication. However, Argonaut and earlier Ceph daemons do not know +how to perform ongoing message authentication. To maintain backward +compatibility (e.g., running both Botbail and Argonaut daemons in the same +cluster), message signing is **off** by default. If you are running Bobtail or +later daemons exclusively, configure Ceph to require signatures. Like other parts of Ceph authentication, Ceph provides fine-grained control so you can enable/disable signatures for service messages between the client and @@ -163,8 +173,8 @@ Ceph, and you can enable/disable signatures for messages between Ceph daemons. ``ceph require signatures`` :Description: If set to ``true``, Ceph requires signatures on all message - traffic between the client and the Ceph cluster, and between - daemons within the cluster. + traffic between the Ceph Client and the Ceph Storage Cluster, and + between daemons comprising the Ceph Storage Cluster. :Type: Boolean :Required: No 
@@ -174,7 +184,7 @@ Ceph, and you can enable/disable signatures for messages between Ceph daemons. ``cepxh cluster require signatures`` :Description: If set to ``true``, Ceph requires signatures on all message - traffic between Ceph daemons within the cluster. + traffic between Ceph daemons comprising the Ceph Storage Cluster. :Type: Boolean :Required: No @@ -184,7 +194,7 @@ Ceph, and you can enable/disable signatures for messages between Ceph daemons. ``cepxh service require signatures`` :Description: If set to ``true``, Ceph requires signatures on all message - traffic between Ceph clients and the Ceph cluster. + traffic between Ceph Clients and the Ceph Storage Cluster. :Type: Boolean :Required: No @@ -205,8 +215,9 @@ Time to Live ``auth service ticket ttl`` -:Description: When Ceph sends a client a ticket for authentication, the Ceph - cluster assigns the ticket a time to live. +:Description: When the Ceph Storage Cluster sends a Ceph Client a ticket for + authentication, the Ceph Storage Cluster assigns the ticket a + time to live. :Type: Double :Default: ``60*60`` @@ -215,3 +226,4 @@ Time to Live .. _Ceph Authentication & Authorization: ../../operations/auth-intro .. _Cephx Guide: ../../operations/authentication .. _Ceph Authentication: ../../operations/auth-intro#ceph-authentication-cephx +.. _Create an Admin Host: ../../deployment/ceph-deploy-admin#create-an-admin-host \ No newline at end of file
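Review bot: the reworded introduction in the first hunk ("To identify users and protect against man-in-the-middle attacks") overstates what ``cephx`` gives by default, because the Signatures hunk later in this same patch states that message signing is **off** by default for Argonaut compatibility; consider qualifying it to "protect against man-in-the-middle attacks when message signing is enabled", or point the reader to the Signatures section so authentication alone is not read as covering ongoing traffic.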
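Review bot: "If enabled" does not fit a string setting whose valid values are ``cephx`` or ``none``, in the three ``:Description:`` hunks at ``@@ -60``, ``@@ -73`` and ``@@ -87``; since these lines are being rewritten anyway, open with "If set to ``cephx``, ..." and make the value sentence "Valid settings are ``cephx`` and ``none``." (or "The setting must be either ``cephx`` or ``none``.") so the list and the verb agree.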
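Review bot: the Keys hunk (``@@ -87,31 +89,37``) renames the file to ``ceph.client.admin.keyring`` in both the prose and the ``scp`` line, but the ``.. tip::`` kept as context directly below it still says "Ensure the ``ceph.keyring`` file has appropriate permissions", so the two now disagree; update the tip to the new name. While there, ``chmod 644`` leaves a file that the same hunk says "contains the ``client.admin`` key" readable by every local user; recommending ``chmod 600`` with the file owned by the account that runs the ``ceph`` commands is the safer guidance for an admin keyring.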
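Review bot: the re-wrapped Signatures paragraph (``@@ -144,16 +152,18``) carries the typo "Botbail" over into the new lines ("running both Botbail and Argonaut daemons"); since the line is being rewritten, change it to "Bobtail" to match the rest of the paragraph.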
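Review bot: the option headings ``cepxh cluster require signatures`` and ``cepxh service require signatures`` in the context lines of the ``@@ -174`` and ``@@ -184`` hunks misspell ``cephx``; a reader copying the literal name from this reference will not get the option the description covers, so fix the spelling in the same commit while the descriptions beneath them are being touched.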
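Review bot: the new ``.. _Create an Admin Host:`` target in the last hunk is added without a terminating newline ("\ No newline at end of file"); add the final newline so the next change to this file does not show a spurious diff on this line.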