On Wed, Feb 1, 2017 at 8:55 AM, Michael Hartz <michael.hartz@xxxxxxxxxx> wrote:
> I am running ceph as part of a Proxmox Virtualization cluster, which is doing great.
>
> However for monitoring purpose I would like to periodically check with 'ceph health' as a non-root user.
> This fails with the following message:
>> su -c 'ceph health' -s /bin/bash nagios
> Error initializing cluster client: PermissionDeniedError('error calling conf_read_file',)
>
> Please note: running the command as root user works as intended.
>
> Someone else suggested to allow group permissions on the admin keyring, i.e. chmod 660 /etc/ceph/ceph.client.admin.keyring
> Link: https://github.com/thelan/ceph-zabbix/issues/12
> This didn't work.

Nobody should ever need to give their unprivileged users sudo access to the ceph CLI or access to the ceph admin key, just to run the status command.

Ceph's own authentication system has fine-grained control over execution of mon commands. You can create a special user that can only run the status command like this:

    ceph auth get-or-create client.status mon 'allow command "status"' > ./status.keyring

...and then invoke status as that user like this:

    ceph --name client.status --keyring ./status.keyring status

You can then make sure your unprivileged user has read access to status.keyring and to ceph.conf (or give it its own copy of ceph.conf).

John

>
> Has anyone hints on this?
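An added example, not part of John's message and not Ceph's own code: a Nagios-style wrapper that runs the status command as client.status, as the reply describes, after checking that ceph.conf and the keyring are readable (the cause of the conf_read_file error quoted above). The file paths, variable and function names, and the fake_ceph stand-in are assumptions made for illustration.

```shell
#!/bin/sh
# Nagios-style check that runs "ceph status" as the restricted
# client.status identity instead of client.admin.
# Assumed (not from the thread): file locations, variable and function names.
CEPH_BIN=${CEPH_BIN:-ceph}
CEPH_CONF=${CEPH_CONF:-/etc/ceph/ceph.conf}
STATUS_KEYRING=${STATUS_KEYRING:-/etc/ceph/status.keyring}

# Print the Nagios exit code for a Ceph health string.
health_to_rc() {
    case "$1" in
        HEALTH_OK)   echo 0 ;;   # OK
        HEALTH_WARN) echo 1 ;;   # WARNING
        HEALTH_ERR)  echo 2 ;;   # CRITICAL
        *)           echo 3 ;;   # UNKNOWN
    esac
}

# Read "ceph status" text on stdin and print the first HEALTH_* token found.
extract_health() {
    grep -o 'HEALTH_[A-Z]*' | head -n 1
}

# Run the check: prints one summary line and returns the Nagios code.
check_ceph() {
    for f in "$CEPH_CONF" "$STATUS_KEYRING"; do
        if [ ! -r "$f" ]; then
            echo "UNKNOWN: $f is not readable by $(id -un)"
            return 3
        fi
    done
    if ! out=$("$CEPH_BIN" --conf "$CEPH_CONF" --name client.status \
                 --keyring "$STATUS_KEYRING" status 2>&1); then
        echo "UNKNOWN: ceph status failed: $out"
        return 3
    fi
    health=$(printf '%s\n' "$out" | extract_health)
    echo "ceph health: ${health:-not reported}"
    return "$(health_to_rc "$health")"
}

# Constructed stand-in for the ceph CLI so the script can be tried offline:
#   CEPH_BIN=fake_ceph CEPH_CONF=/dev/null STATUS_KEYRING=/dev/null sh check.sh --run
fake_ceph() {
    printf '  cluster:\n    health: HEALTH_WARN\n'
}

if [ "${1:-}" = "--run" ]; then check_ceph; exit $?; fi
```

Run it with --run as the monitoring user; without that argument the file only defines the functions.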