On Fri, 10 Aug 2018, Sage Weil wrote:
> 4. Tell ceph client(s) to authenticate using kerberos instead of cephx.
>
> By default, the ceph CLI uses client.admin and grabs the cephx key out of
> /etc/ceph somewhere. Instead, we want to authenticate as user/FOO.COM.
>
> [Question: Should our EntityName be literally "user/FOO.COM", or
> "client.kerberos.user/FOO.COM", or something else?]
>
> $ ceph --auth-kerberos -s
>
> or probably actually
>
> $ echo 'CEPH_ARGS="--auth-kerberos"' >> .bashrc
>
> and then after logging in,
>
> $ ceph -s
> ...
>
> This would tell the ceph client to look for a kerberos credential in the
> environment/keytab/whatever and use that to authenticate with the cluster.

One alternative thought there that might work. The auth method to use
between the client and mon is negotiated first during the connection
handshake (cephx vs krb), so if auth_supported=krb,cephx (say) on both
sides, it would negotiate krb. *Then* the krb client could ask the
question "who am I?" and get that from the keytab/environment/whatever
(user/FOO.COM), and proceed from there. If cephx is chosen, then it
would default to client.admin (or whatever -n client.foo was specified).
That would make it Just Work.

The caveat is that the user needs to set auth supported = krb/cephx in
/etc/ceph/ceph.conf on the host (or in the user's private ceph.conf
($home/.ceph/ceph.conf I think?)), or specify a CLI arg to make the
client try kerberos before cephx, like CEPH_ARGS="--auth-supported
krb,cephx" in their .bashrc. We probably can't change the default to be
kerberos anytime soon or else we'd break existing environments where
users use cephx but happen to be authenticated via kerberos on the same
host.

Newbie question: is it possible to authenticate as multiple users in
multiple domains from within the same user/shell session? Is there
something more that we need to do to determine which kerberos user we
should authenticate to ceph as?

sage
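The negotiation the mail sketches, modelled as an added example (this is not code from the mail or from Ceph itself): the client's ordered `auth supported` list comes from ceph.conf or from `--auth-supported` in CEPH_ARGS, the first method in that order that the mon also supports wins, and only then is the entity name resolved, from the kerberos principal if krb won or from `-n`/client.admin if cephx won. It also shows the caveat about defaults: with the (assumed) cephx-only default, a host that happens to hold a kerberos ticket still authenticates as client.admin. The option spellings, the CEPH_ARGS-over-ceph.conf precedence, the conf fragments and the principal list are all constructed assumptions for this model.

```python
"""Model of client/mon auth negotiation followed by "who am I?" resolution.
Added example, not Ceph's implementation; option names, precedence rules,
and the credential source are assumptions made for illustration."""

import shlex

DEFAULT_AUTH_SUPPORTED = "cephx"     # assumed: today's default is cephx only
DEFAULT_CEPHX_NAME = "client.admin"  # what the CLI uses when no -n is given

# Constructed ceph.conf fragments for the example (not from a real cluster).
CONF_DEFAULT = "[global]\nmon host = 10.0.0.1\n"
CONF_KRB_FIRST = "[global]\nmon host = 10.0.0.1\nauth supported = krb, cephx\n"


def parse_auth_supported(conf_text, ceph_args=None):
    """Return the client's auth methods in preference order.

    Precedence (assumed for this model): --auth-supported in CEPH_ARGS
    beats ceph.conf, which beats the built-in default. Both "krb,cephx"
    and "krb/cephx" separators are accepted, as the mail uses both.
    """
    methods = DEFAULT_AUTH_SUPPORTED
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.replace(" ", "_") == "auth_supported":
            methods = value
    if ceph_args:
        argv = shlex.split(ceph_args)
        for i, arg in enumerate(argv):
            if arg == "--auth-supported" and i + 1 < len(argv):
                methods = argv[i + 1]
            elif arg.startswith("--auth-supported="):
                methods = arg.split("=", 1)[1]
    return [m.strip() for m in methods.replace("/", ",").split(",") if m.strip()]


def negotiate(client_methods, mon_methods):
    """First method in the client's order that the mon also supports,
    or None when there is no common method (the connection would fail)."""
    for method in client_methods:
        if method in mon_methods:
            return method
    return None


def resolve_entity(method, krb_principals=(), name_arg=None):
    """Answer "who am I?" only after the method has been negotiated."""
    if method == "krb":
        if not krb_principals:
            raise LookupError("krb negotiated but no kerberos credential found")
        # Open question from the mail: the EntityName might be the bare
        # principal or something like "client.kerberos.<principal>"; the
        # bare principal is used here. With several cached principals the
        # first is taken, which is exactly the ambiguity the mail asks about.
        return krb_principals[0]
    if method == "cephx":
        return name_arg or DEFAULT_CEPHX_NAME
    raise ValueError("unsupported auth method: %r" % (method,))


def whoami(conf_text, mon_methods, ceph_args=None, krb_principals=(), name_arg=None):
    """Full flow: config -> negotiation -> identity. Returns (method, entity)."""
    client_methods = parse_auth_supported(conf_text, ceph_args)
    method = negotiate(client_methods, mon_methods)
    if method is None:
        return None, None
    return method, resolve_entity(method, krb_principals, name_arg)


if __name__ == "__main__":
    ticket = ["user/FOO.COM"]  # constructed: what klist would show
    print("krb first, mon supports both :", whoami(CONF_KRB_FIRST, ["krb", "cephx"], krb_principals=ticket))
    print("default conf, ticket present :", whoami(CONF_DEFAULT, ["krb", "cephx"], krb_principals=ticket))
    print("CEPH_ARGS override           :", whoami(CONF_DEFAULT, ["krb", "cephx"],
                                                  ceph_args='--auth-supported krb,cephx', krb_principals=ticket))
    print("mon is cephx-only, -n given  :", whoami(CONF_KRB_FIRST, ["cephx"], krb_principals=ticket, name_arg="client.foo"))
```

The second printed case is the backwards-compatibility point in the mail: nothing changes for a cephx user who merely happens to hold a kerberos ticket until they opt in via ceph.conf or CEPH_ARGS.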