An update on this: I made some revised notes and put them in the etherpad at https://pad.ceph.com/p/kerberos

Main takeaways:

1- I still like role.foo as a separate, first-class entity.

2- I think we can make the kerberos experience seamless (no extra command line arguments, no extra ceph.conf entries on the client) as long as the msgr2 protocol allows multiple auth attempts so that the client can attempt krb (if there is a tgt) and/or fall back to cephx.

3- I think we can populate EntityName with the kerberos ticket name (e.g., "user@xxxxxxxxxx") but I need to do a bit more diligence to be sure. The nice thing here is that the authenticated name will propagate throughout the system into any appropriate logs etc.

sage

On Fri, 10 Aug 2018, Sage Weil wrote:
> On Fri, 10 Aug 2018, Sage Weil wrote:
> > 4. Tell ceph client(s) to authenticate using kerberos instead of cephx.
> >
> > By default, the ceph CLI uses client.admin and grabs the cephx key out of /etc/ceph somewhere. Instead, we want to authenticate as user/FOO.COM.
> >
> > [Question: Should our EntityName be literally "user/FOO.COM", or "client.kerberos.user/FOO.COM", or something else?]
> >
> >   $ ceph --auth-kerberos -s
> >
> > or probably actually
> >
> >   $ echo 'CEPH_ARGS="--auth-kerberos"' >> .bashrc
> >
> > and then after logging in,
> >
> >   $ ceph -s
> >   ...
> >
> > This would tell the ceph client to look for a kerberos credential in the environment/keytab/whatever and use that to authenticate with the cluster.
>
> One alternative thought there that might work. The auth method to use between the client and mon is negotiated first during the connection handshake (cephx vs krb), so if auth_supported=krb,cephx (say) on both sides, it would negotiate krb.
>
> *Then* the krb client could ask the question "who am I?" and get that from the keytab/environment/whatever (user/FOO.COM), and proceed from there.
>
> If cephx is chosen, then it would default to client.admin (or whatever -n client.foo was specified).
>
> That would make it Just Work. The caveat is that the user needs to set auth supported = krb/cephx in /etc/ceph/ceph.conf on the host (or in the user's private ceph.conf ($home/.ceph/ceph.conf I think?), or specify a CLI arg to make the client try kerberos before cephx, like
>
>   CEPH_ARGS="--auth-supported krb,cephx"
>
> in their .bashrc.
>
> We probably can't change the default to be kerberos anytime soon or else we'd break existing environments where users use cephx but happen to be authenticated via kerberos on the same host.
>
> Newbie question: is it possible to authenticate as multiple users in multiple domains from within the same user/shell session? Is there something more that we need to do to determine which kerberos user we should authenticate to ceph as?
>
> sage
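The negotiation sketched in the thread (client and mon each carry an auth_supported list in preference order, the client tries krb only when it actually holds a ticket, otherwise falls back to cephx, and the chosen method decides which EntityName is presented) can be modelled in a few lines. The following is an added illustration written for this page, not Ceph code and not how msgr2 is actually implemented; the `ClientEnv` fields, the `--auth-supported` parsing and the rule that the krb identity is simply the ticket principal are assumptions chosen to mirror the proposal above. It also shows the caveat from the last message: with the existing cephx-first default, a user who happens to have a TGT on the host keeps authenticating as client.admin until they put krb first.

```python
"""Constructed model of the cephx/krb method negotiation discussed above.

Not Ceph's real handshake: the msgr2 wire format, cephx and Kerberos
ticket handling are all abstracted away. Assumptions (not from the page):
  * the client advertises auth_supported in preference order and the mon
    replies with the first entry it also supports;
  * krb is only attempted when the client holds a cached TGT, otherwise
    the client continues with the next method (the "multiple attempts"
    requirement from takeaway 2);
  * under krb the EntityName is the ticket principal verbatim.
"""
import shlex
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class ClientEnv:
    auth_supported: Sequence[str]       # preference order, e.g. ("krb", "cephx")
    kerberos_principal: Optional[str]   # principal of a cached TGT, or None
    cephx_name: str = "client.admin"    # the -n name; client.admin by default


@dataclass
class Negotiation:
    method: str
    entity_name: str


def auth_supported_from_ceph_args(ceph_args: str,
                                  default=("cephx", "krb")) -> tuple:
    """Pull the method list out of a CEPH_ARGS-style string.

    Hypothetical parser: accepts "--auth-supported krb,cephx" or
    "--auth-supported=krb,cephx"; anything else leaves the default.
    """
    toks = shlex.split(ceph_args)
    for i, tok in enumerate(toks):
        if tok == "--auth-supported" and i + 1 < len(toks):
            return tuple(m.strip() for m in toks[i + 1].split(",") if m.strip())
        if tok.startswith("--auth-supported="):
            val = tok.split("=", 1)[1]
            return tuple(m.strip() for m in val.split(",") if m.strip())
    return tuple(default)


def pick_method(client_pref: Sequence[str], server_supported: Sequence[str],
                have_tgt: bool) -> Optional[str]:
    """First client-preferred method the mon supports and the client can use."""
    for method in client_pref:
        if method not in server_supported:
            continue
        if method == "krb" and not have_tgt:
            continue          # no ticket: fall through to the next method
        return method
    return None


def negotiate(env: ClientEnv, server_supported: Sequence[str]) -> Negotiation:
    """Run the handshake model and answer "who am I?" for the chosen method."""
    have_tgt = env.kerberos_principal is not None
    method = pick_method(env.auth_supported, server_supported, have_tgt)
    if method is None:
        raise RuntimeError("no mutually supported auth method the client can use")
    if method == "krb":
        # Identity comes from the ticket, not from -n / ceph.conf.
        return Negotiation("krb", env.kerberos_principal)
    return Negotiation("cephx", env.cephx_name)


if __name__ == "__main__":
    mon = ("cephx", "krb")  # assumed mon-side auth_supported
    # User who put CEPH_ARGS="--auth-supported krb,cephx" in .bashrc and has a TGT.
    pref = auth_supported_from_ceph_args('--auth-supported krb,cephx')
    print(negotiate(ClientEnv(pref, "user@FOO.COM"), mon))
    # Same user after the ticket expired: falls back to cephx as client.admin.
    print(negotiate(ClientEnv(pref, None), mon))
    # Existing environment: cephx-first default, TGT present, nothing changes.
    print(negotiate(ClientEnv(("cephx", "krb"), "user@FOO.COM"), mon))
```

The fallback lives in `pick_method`, so a krb-only mon with a ticketless client is reported as a hard failure rather than silently degrading, while a mon that lists both methods lets the same client binary serve both the Kerberos user and the cephx-keyed admin depending only on what credentials are present.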