This is great - had no idea you could have this level of control with Ceph authentication.

On Wed, Feb 1, 2017 at 12:29 PM, John Spray <jspray@xxxxxxxxxx> wrote:
> On Wed, Feb 1, 2017 at 8:55 AM, Michael Hartz <michael.hartz@xxxxxxxxxx> wrote:
>> I am running ceph as part of a Proxmox Virtualization cluster, which is doing great.
>>
>> However for monitoring purpose I would like to periodically check with 'ceph health' as a non-root user.
>> This fails with the following message:
>>> su -c 'ceph health' -s /bin/bash nagios
>> Error initializing cluster client: PermissionDeniedError('error calling conf_read_file',)
>>
>> Please note: running the command as root user works as intended.
>>
>> Someone else suggested to allow group permissions on the admin keyring, i.e. chmod 660 /etc/ceph/ceph.client.admin.keyring
>> Link: https://github.com/thelan/ceph-zabbix/issues/12
>> This didn't work.
>
> Nobody should ever need to give their unprivileged users sudo access
> to the ceph CLI or access to the ceph admin key, just to run the
> status command.
>
> Ceph's own authentication system has fine grained control over
> execution of mon commands.  You can create a special user that can
> only run the status command like this:
> ceph auth get-or-create client.status mon 'allow command "status"' > ./status.keyring
>
> ...and then invoke status as that user like this:
> ceph --name client.status --keyring ./status.keyring status
>
> You can then make sure your unprivileged user has read access to
> status.keyring and to ceph.conf (or give it its own copy of
> ceph.conf).
>
> John
>
>
>>
>> Has anyone hints on this?
>> _______________________________________________
>> ceph-users mailing list
>> ceph-users@xxxxxxxxxxxxxx
>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
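
A Nagios-style wrapper around the restricted client.status identity from John's reply, as an added example that is not part of the original thread. It calls `status`, the one mon command the cap above grants; the keyring and conf paths, the function names and the sample status text are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example: Nagios-style check using the restricted client.status key.
# KEYRING/CONF paths and all function names are assumptions, not from the thread.
KEYRING="${KEYRING:-/etc/ceph/status.keyring}"
CONF="${CONF:-/etc/ceph/ceph.conf}"

# Constructed sample of `ceph status` output, for offline testing only.
SAMPLE_STATUS='  cluster:
    id:     00000000-0000-0000-0000-000000000000
    health: HEALTH_WARN'

# Map status text to a Nagios exit code: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
classify_status() {
    state=$(printf '%s\n' "$1" | grep -oE 'HEALTH_(OK|WARN|ERR)' | head -n 1)
    case "$state" in
        HEALTH_OK)   return 0 ;;
        HEALTH_WARN) return 1 ;;
        HEALTH_ERR)  return 2 ;;
        *)           return 3 ;;
    esac
}

# Succeed only if the keyring is readable and holds no identity other than
# client.status, so the admin key never ends up in the monitoring user's hands.
keyring_is_status_only() {
    [ -r "$1" ] || return 1
    grep -qxF '[client.status]' "$1" || return 1
    ! grep -E '^\[' "$1" | grep -qvxF '[client.status]'
}

check_ceph_status() {
    if ! keyring_is_status_only "$KEYRING"; then
        echo "UNKNOWN: $KEYRING unreadable or not limited to client.status"
        return 3
    fi
    # Same invocation as in the thread, plus -c to point at a readable ceph.conf.
    out=$(ceph -c "$CONF" --name client.status --keyring "$KEYRING" status 2>&1) || {
        echo "UNKNOWN: ceph status failed: $out"
        return 3
    }
    rc=0
    classify_status "$out" || rc=$?
    echo "ceph status reports ${state:-no health field} (exit $rc)"
    return "$rc"
}

# Run the check only when asked, e.g. `check_ceph_status.sh --run` as user nagios.
if [ "${1:-}" = "--run" ]; then
    check_ceph_status
    exit $?
fi
```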