Ok I think I have a better understanding now. I really don't want to setup a cluster using mkcephfs, it "feels" like that's something built for test setups. If I(and I do) want to automate the setup of OSDs, MONs and RGW it definitely makes it more complicated using key based auth. I've seen the chef recipes but I'm not sure they're complete in any way. I don't entirely understand if there is an order to the setup, if I have to partly setup the MON first, then OSDs, then configure the MON, then configure the OSDs and lastly configure RGW. If that's the case it's kind of complicated and adding keys into the mix doesn't help. I guess giving more time to my ceph-research will help me get a better understanding of the auth parts and the rest. I'll have to be less impatient ;-). Thanks for responding, John On Tue, Jun 12, 2012 at 11:52 AM, Wido den Hollander <wido@xxxxxxxxx> wrote: > Hi, > > > On 06/12/2012 11:31 AM, John Axel Eriksson wrote: >> >> I asked a similar question in a previous email but I didn't get any >> satisfying answers. What exactly does cephx auth secure? > > > I wanted to get back on your e-mail from yesterday, but you beat me to it! > :) > > >> From the wiki I just get "this makes your cluster more secure", well >> from what? If I run on an internal network accessible only >> by a few trusted people - what does cephx auth secure in such a scenario? >> > > Never ever trust anything, even in a local network. Security has more > aspects then just uninvited guests accessing or modifying your data. > > Like I said in the previous e-mail, it prevents you from having an old > machine or just a plain configuration error on a client disrupting cluster > service. > > >> In that previous email I got the answer that it secures the cluster >> from mistakenly connecting to wrong cluster with rados and >> accidentally deleting a pool... well, can rados really "accidentally" >> connect to the wrong cluster? Only if I have the wrong config >> file right? And if I have the wrong config-file won't it be possible >> that I also have the "wrong" key in that case? >> > > The "rados" command doesn't really need a config file, you can also specify > the monitor address manually. > > $ rados -p <mon address> rmpool data > > If you'd issue that with the wrong monitor address while playing in your > local network you could remove the pool on the wrong cluster. > > With cephx in place you also have to specify the correct key, it's just a > second layer in place from preventing something like this happening. > > >> Another scenario would be if I take down an OSD that just sits in >> storage for say 6 months and then someone starts that machine >> again - with key-based auth that OSD wouldn't be able to >> connect(somehow? but if it has a working key?) but without auth it >> could >> possibly connect and wreak havoc in the cluster (since it is so much >> behind perhaps in both version of software and what's stored on it). >> I thought marking and OSD as down or out would do that? >> > > If you mark an OSD out it will get marked as "in" again when you start up > the OSD, but that also depends on your settings like "noautoin". > > When you take an OSD out of production with cephx you would also remove the > corresponding OSD key from the cluster keyring. > > >> Are those the main reasons for having cephx auth? Is it to secure the >> cluster against people (myself included) making mistakes or from >> hacking, or is there some technical reason that I don't know of or >> understand? >> > > It can serve multiple purposes. In a bigger env you should never trust any > machine. So if you have a client which only has access to the "rbd" pool for > running Virtual Machines, it shouldn't get more permissions than that. > > So yes, it's again human error, but if a machine gets hacked, you can > prevent that machine from ruining your whole cluster. > > >> The reason I'm asking is because having cephx enabled makes cluster >> setup much more complicated... >> > > cephx might be complicated at first glance, but it isn't really that hard. > > It is up to you if you enable it, but take the recommendations above into > account when making your decision. > > Wido > >> >> Thanks, >> >> John >> -- >> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in >> the body of a message to majordomo@xxxxxxxxxxxxxxx >> More majordomo info at http://vger.kernel.org/majordomo-info.html > > -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
