If I want to rotate the keys for that I can simply do that ceph cluster side, but then I also need to do that on the client side (in my case virtual machine hypervisors). DUring this window (which might be tiny with decent tooling, but still non-zero) my clients can't do new connections to the ceph cluster, which I assume will cause issues.
It's depends on orchestrator. For example, oVirt maintain cephx keys by ovirt-engine. So, if key is changed we need to update key in oVirt, after this - every new client will use new key = zero downtime. Simple k,v storage.
Don't know how it looks in pure OpenStack, but oVirt hosts not need ceph.conf, keys always pushed by ovirt-engine.
k _______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
