Re: msgr2/krb status

Oops, adding ceph-devel!

On Wed, 18 Jul 2018, Sage Weil wrote:
> I'm going to miss the Friday call again (meetings... yay).  My main status 
> update is that I'm most of the way through changing the monmap to use 
> addrvecs and adjusting all of the bootstrap-related behaviors so that both 
> the old and new ports are initially probed.  Once monclient gets a "real" 
> monmap it'll then know the correct mon addresses and connect the "right" 
> way.
> 
> Also, I had a product kerberos requirements conversation with an initial 
> customer and I think that as a first pass simply authenticating a krb 
> user, then checking on the local (mon) host via OS calls to check group 
> membership ("is user bob in group ceph-admins") would be sufficient for 
> many users.  We're going to end up with several modes here, including
> 
>  - checking local group membership (requires that mons are part of the 
>    same kerberos domain etc)
>  - use AD PAC
>  - query LDAP
> 
> but the local group membership is actually easiest to implement and 
> probably a good place to start?
> 
> The user stories I think we should initially target are:
> 
> User stories
> 
> 1. As a Ceph administrator, I can define roles and associated Ceph 
> caps/capabilities by defining a Ceph auth user (e.g., client.role.foo) for 
> each role in the Ceph auth database.
> 
> 2. As a Kerberos administrator, I can map Ceph administrators to Ceph 
> roles by adjusting AD credentials in the AD database, without registering 
> users in the Ceph auth database (or otherwise making any per-user changes 
> in Ceph).
> 
> 3. As a Ceph administrator, I can log into a host, authenticate with 
> kerberos (kinit user@DOMAIN), and then issue ceph or rbd CLI commands 
> based on my kerberos/AD credentials and associated role.
> 
> 4. As a Ceph administrator, I can examine the cluster's audit log and 
> determine the (kerberos) identity (as opposed to only the ceph role) of 
> any commands that were executed (see #3).
> 
> Daniel, does this make sense to you?  Do you have any update on your end?  
> I see that https://github.com/ceph/ceph/pull/22325 was closed..
> 
> Thanks!
> sage
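
The "local group membership" mode described in the message above, sketched as an added Python example (this is not Ceph code, nor code from the thread): after Kerberos has authenticated the user, map the principal onto a local account, read that account's OS groups on the mon host, and translate the first matching group into a Ceph role entity of the client.role.foo form (user story 1); the audit line records the Kerberos identity next to the role (user story 4). The realm EXAMPLE.COM, the group names, the role entity names and the sample group table are constructed for the example; only the client.role.foo naming pattern comes from the thread.

```python
"""Kerberos-identity -> local-group -> Ceph-role authorization sketch (example only)."""
import re
from typing import Callable, Dict, List, Optional

# Constructed role table: local OS group -> Ceph auth entity carrying that
# role's caps.  Order matters: the first matching group wins, so the most
# privileged role is listed first.
ROLE_MAP: Dict[str, str] = {
    "ceph-admins": "client.role.admin",
    "ceph-ops": "client.role.readonly",
}

# Plain user principals only ("bob@EXAMPLE.COM"); service principals with an
# instance component ("host/node1@EXAMPLE.COM") are deliberately not mapped.
_PRINCIPAL_RE = re.compile(r"^([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+)$")


def local_user_from_principal(principal: str, expected_realm: str) -> Optional[str]:
    """Return the local account name for a principal in the trusted realm.

    The realm comparison is exact (Kerberos realms are case-sensitive), so a
    ticket from a foreign realm never lands on a local account of the same name.
    """
    m = _PRINCIPAL_RE.match(principal)
    if m is None or m.group(2) != expected_realm:
        return None
    return m.group(1)


def os_groups_for_user(user: str) -> List[str]:
    """Group names the mon host's OS reports for `user` (primary + supplementary).

    This is the "mons are part of the same kerberos domain" requirement from the
    thread: the host must resolve the user (e.g. via SSSD).  An unknown user
    yields an empty list and is therefore denied.
    """
    import grp  # POSIX-only modules, imported here so the rest stays importable
    import pwd
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return []
    names = set()
    try:
        names.add(grp.getgrgid(pw.pw_gid).gr_name)
    except KeyError:
        pass  # primary gid without a name entry; supplementary groups still count
    names.update(g.gr_name for g in grp.getgrall() if user in g.gr_mem)
    return sorted(names)


def resolve_role(principal: str, expected_realm: str,
                 groups_for_user: Callable[[str], List[str]] = os_groups_for_user) -> Optional[str]:
    """Authorization step: Kerberos identity -> Ceph role entity, or None to deny."""
    user = local_user_from_principal(principal, expected_realm)
    if user is None:
        return None
    groups = set(groups_for_user(user))
    for group, role in ROLE_MAP.items():
        if group in groups:
            return role
    return None


def audit_record(principal: str, role: Optional[str], command: str) -> str:
    """One audit line that keeps the Kerberos identity beside the Ceph role."""
    outcome = "allow" if role else "deny"
    return f'krb-auth principal={principal} role={role or "-"} result={outcome} cmd="{command}"'


# Constructed sample group table so the example runs without touching the host's
# user database; the real code path uses os_groups_for_user instead.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "bob": ["users", "ceph-admins"],
    "alice": ["ceph-ops", "users"],
    "eve": ["users"],
}


def sample_groups_for_user(user: str) -> List[str]:
    return SAMPLE_GROUPS.get(user, [])


if __name__ == "__main__":
    for principal in ("bob@EXAMPLE.COM", "alice@EXAMPLE.COM",
                      "eve@EXAMPLE.COM", "bob@OTHER.COM"):
        role = resolve_role(principal, "EXAMPLE.COM", sample_groups_for_user)
        print(audit_record(principal, role, "osd tree"))
```

The injectable `groups_for_user` parameter is what makes the mapping testable on a box that is not joined to the domain; in a mon the default OS lookup would be used, and a principal that resolves to no role-bearing group is denied rather than falling back to a default role.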
