The wip-auth branch has a revamp of the authentication settings.
Currently, there is a single option, 'auth supported', which is an ordered
list of authentication methods (cephx or none) to use. This is somewhat
limiting
This branch replaces that with 3 new settings:
auth cluster required -- authentication method(s) required between ceph
cluster daemons (e.g., mds to mds, mds to mon, etc.)
auth service required -- auth method(s) required by daemons of clients
auth client required -- what clients require of daemons
This lets you do a few things:
- Require the cluster to internally use authentication, so that nobody can
impersonate an osd or monitor. You could still leave auth off for clients
if you don't want to deal with distributing keys to users.
- Make the cluster require that clients authentication, but let the clients
connect to whatever.
For compatibility, the idea is that these are all blank by default, and in
that case default to the deprecated 'auth supported' option that many are
already using to enable cephx across the board.
There's also some preliminary docs on what cephx gets you and what it
doesn't, and on how to enable authentication on a cluster without it.
This gets us one step closer to enabling auth by default...
sage
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
