cauthtool is a utility to create, view, and modify a Ceph keyring file. A keyring file stores one or more Ceph authentication keys and possibly an associated capability specification. Each key is associated with an entity name, of the form {client,mon,mds,osd}.name.
OPTIONS
-l, --list
will list all keys and capabilities present in the keyring.
-p, --print
will print an encoded key for the specified entity name. This is suitable for the mount -o secret= argument.
-c, --create-keyring
will create a new keyring, overwriting any existing keyring file.
--gen-key
will generate a new secret key for the specified entity name.
--add-key
will add an encoded key to the keyring.
--cap subsystem capability
will set the capability for the given subsystem.
--caps capsfile
will set all of the capabilities associated with a given key, for all subsystems.
CAPABILITIES
The subsystem is the name of a Ceph subsystem: mon, mds, or osd.
The capability is a string describing what the given user is allowed to do. It takes the form of a comma-separated list of allow or deny clauses, each with a permission specifier containing one or more of rwx, for read, write, and execute permission. The string "allow *" grants full superuser permissions for the given subsystem.
For example,
osd = "allow rwx [pool=foo[,bar]]|[uid=baz[,bay]]" # can read, write, and execute objects
mds = "allow" # can access mds server
mon = "allow rwx" # can modify cluster state (i.e., is a server daemon)
A librados user restricted to a single pool might look like
osd = "allow rw pool foo"
A client mounting the file system with minimal permissions would need caps like
mds = "allow"
osd = "allow rw pool=data"
mon = "allow r"
CAPS FILE FORMAT
The caps file format consists of zero or more key/value pairs, one per line. The key and value are separated by an '=', and the value must be quoted (with ' or ") if it contains any whitespace. The key is the name of the Ceph subsystem (osd, mds, mon), and the value is the capability string (see above).
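The following is an added example, not part of cauthtool or the Ceph project: a small POSIX shell lint that reads a caps file in the format described above and reports lines that would not do what the administrator intended before the file is handed to --caps. It checks the rules this page states for both the caps file layout (one subsystem = capability pair per line, subsystem one of osd, mds or mon, quoting required when the value contains whitespace) and the capability string grammar (comma-separated allow/deny clauses whose permission specifier is "*" or made only of r, w and x). The function names trim, check_cap_string and lint_caps_file and the sample caps lines are my own constructions; the lint reads stdin, so run it as lint_caps_file < capsfile.

```shell
#!/bin/sh
# Added example, not part of cauthtool: lint a caps file (the format read by
# `cauthtool --caps capsfile`) before handing it to the tool, so that a
# mistyped subsystem or permission specifier is reported instead of silently
# producing a key with the wrong rights. The rules checked are the ones this
# man page describes; anything beyond them (pool/uid restrictions) is passed
# through untouched and left for cauthtool itself to validate.

trim() {
    # strip leading and trailing whitespace from $1
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

check_cap_string() (
    # $1: capability string such as "allow rw pool=data" or "allow r, deny w"
    # returns 0 if every clause is well-formed, 1 otherwise
    set -f                                  # keep a bare "*" from globbing when the string is split
    IFS=" ,$(printf '\t')"                  # split on spaces, commas and tabs
    set -- $1
    [ $# -ge 1 ] || return 1                # an empty capability string is a mistake
    prev=''
    for word in "$@"; do
        case "$word" in
            allow|deny) prev=verb; continue ;;
        esac
        [ -n "$prev" ] || return 1          # the first word must be allow or deny
        if [ "$prev" = verb ]; then
            # the word right after allow/deny is the permission specifier when it
            # looks like one: "*" is full access, otherwise only r, w, x are legal
            case "$word" in
                '*') ;;
                [rwx]*) case "$word" in *[!rwx]*) return 1 ;; esac ;;
                *) ;;                       # a restriction such as pool=data, no specifier
            esac
        fi
        prev=other
    done
    return 0
)

lint_caps_file() {
    # reads a caps file on stdin, prints one diagnostic per problem and
    # returns the number of problems found (capped at 255)
    errors=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            *[![:space:]]*) ;;
            *) continue ;;                  # blank line
        esac
        case "$line" in
            *=*) ;;
            *) echo "line $n: expected 'subsystem = capability'"; errors=$((errors + 1)); continue ;;
        esac
        key=$(trim "${line%%=*}")
        value=$(trim "${line#*=}")
        case "$key" in
            osd|mds|mon) ;;
            *) echo "line $n: unknown subsystem '$key' (expected osd, mds or mon)"
               errors=$((errors + 1)); continue ;;
        esac
        case "$value" in
            \"*\"|\'*\') value=${value#?}; value=${value%?} ;;    # drop the quotes
            *[[:space:]]*) echo "line $n: value containing whitespace must be quoted"
                           errors=$((errors + 1)); continue ;;
        esac
        if ! check_cap_string "$value"; then
            echo "line $n: malformed capability string for $key: '$value'"
            errors=$((errors + 1))
        fi
    done
    [ "$errors" -le 255 ] || errors=255
    return "$errors"
}

# Constructed sample matching the minimal client caps shown on this page.
printf '%s\n' 'mds = "allow"' 'osd = "allow rw pool=data"' 'mon = "allow r"' \
    | lint_caps_file && echo "caps file OK"
```

A clean file returns 0, so the lint composes naturally with the tool: lint_caps_file < capsfile && cauthtool --caps capsfile ... keyring.bin. The permission check is deliberately narrow (a word after allow/deny that starts with r, w or x must consist only of those letters), which catches "rwq" or "read" without rejecting the pool and uid restrictions the page shows after the specifier.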
EXAMPLE
To create a new keyring containing a key for client.foo:
cauthtool -c -n client.foo --gen-key keyring.bin
To associate some capabilities with the key (namely, the ability to mount a Ceph filesystem):