Hi every one,
I did not get any answer to my basic cephx question last week, so
let me ask it one more time here, before I completely give up on
Ceph and move on.
So, my issue is:
When all authentication settings are "none":
* The cluster works fine
* The file "/etc/ceph/ceph.client.admin.keyring
" exists
Then I set "auth_cluster_required" to "cephx". When I try to connect
to the cluster, it detects "client.admin" and denies access with
"operation not supported", even for commands like "ceph health".
Finally, after I explicitly set the "keyring" parameter in the
config (to the default value, because the keyring file was already
in the default location), the cluster works fine again. So the
behavior changes when I add those 2 default lines to the config:
[client.admin]
keyring = /etc/ceph/ceph.client.admin.keyring
From the ceph.com documentation [1], about this "keyring" parameter:
| Description: |
The path to the keyring file. |
| Type: |
String |
| Required: |
No |
| Default: |
/etc/ceph/$cluster.$name.keyring |
... so, I need help:
* maybe this is a real bug? (was it already reported ?)
* maybe I am deeply stupid, and I don't understand what "required"
and "default" means? (can anyone send me a good dictionary ?)
* maybe obi-wan kenobi?
Thanks to anyone who will respond anything (at that point, even a
three-letter e-mail reading "ACK" would make me feel better). Best
wishes for the future of Ceph, and best regards.
Nicolas Canceill
Scalable Storage Systems
SURFsara (Amsterdam, NL)
[1]
http://ceph.com/docs/master/rados/configuration/auth-config-ref/#keys
On 11/29/2013 03:09 PM, nicolasc wrote:
An
update on this issue:
Explicitly setting the "keyring" parameter to its default value,
in the client section, like this:
[client.admin]
keyring = /etc/ceph/ceph.client.admin.keyring
solves the problem in the particular case when ONLY
"auth_cluster_required" is set to "cephx", and the two remaining
auth parameters are set to "none".
The documentation clearly states that
"/etc/ceph/ceph.client.admin.keyring" is the default value of the
"keyring" setting [1], so this looks like a bug. Should I report
it on the tracker? (BTW, all of this is on v0.72.1.)
Also, does anyone have any idea about why this is not enough to
enable the "auth_service_required" setting? That one still gives
me the error:
client.admin authentication error (95) Operation not supported
Best regards,
Nicolas Canceill
Scalable Storage Systems
SURFsara (Amsterdam, NL)
[1]
http://ceph.com/docs/master/rados/configuration/auth-config-ref/#keys
On 11/29/2013 10:22 AM, nicolasc wrote:
Hello every one,
Just ran a fresh install of version Emperor on an empty cluster,
and I am left clueless, trying to troubleshoot cephx. After
ceph-deploy created the keys, I used ceph-authtool to generate
the client.admin keyring and the monitor keyring, as indicated
in the doc. The configuration is really out-of-the-box: 3
monitors, each with the keyring in
/var/lib/ceph/mon/ceph-???/keyring, all keyrings have umask 644
and are owned by ceph.
However, no matter which combination of "auth_cluster_",
"auth_service_", or "auth_client_required", is set to cephx; no
matter either the keyring options like "-k" and "--id" on the
command line. Authentication fails every time with:
client.admin authentication error (95) Operation not supported
Error connecting to cluster: Error
A big thanks to any one who gives me a hint about what it means.
(This message carries so little information, I feel it could be
simply replaced by the "!" character.) I have looked in every
ceph and system log file, nothing more.
Best regards,
Nicolas Canceill
Scalable Storage Systems
SURFsara (Amsterdam, NL)
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
|
