Re: Is there a command to update a client with a new generated key?

Pffff, I guess it is time to create an issue/feature request for
'ceph auth new-key <entity>'

 

-----Original Message-----
From: Eugen Block [mailto:eblock@xxxxxx] 
Sent: 21 December 2020 10:20
To: ceph-users@xxxxxxx
Subject: Re: Is there a command to update a client with a new generated key?

I played with ceph-authtool and this seems to work:

host1:/etc/ceph # ceph-authtool ceph.client.user1.keyring -g -n client.user1 \
    --cap mon "allow r" --cap mds "allow rw path=/dir1" \
    --cap osd "allow rw tag cephfs data=cephfs"

where "ceph.client.user1.keyring" is obviously the client's keyring file.

host1:/etc/ceph # sdiff ceph.client.user1.keyring.old ceph.client.user1.keyring
[client.user1]                                             [client.user1]
        key = AQDd03Vf0moFLxAA1TPKfbAsxi+JLxju9+GP6w==   |         key = AQBEZuBfd5trDxAA2vxhcZARbOix5+Hnln8ZMQ==
        caps mds = "allow rw path=/dir1"                           caps mds = "allow rw path=/dir1"
        caps mon = "allow r"                                       caps mon = "allow r"
        caps osd = "allow rw tag cephfs data=cephfs"               caps osd = "allow rw tag cephfs data=cephfs"


Then I import the new keyring file:

host1:/etc/ceph # ceph auth import -i ceph.client.user1.keyring
imported keyring

Using the old key doesn't work anymore:

host1:/etc/ceph # mount -t ceph mon1:/dir1 /mnt -o name=user1,secret=AQDd03Vf0moFLxAA1TPKfbAsxi+JLxju9+GP6w==
mount error: no mds server is up or the cluster is laggy


But the new key works:

host1:/etc/ceph # mount -t ceph mon1:/dir1 /mnt -o name=user1,secret=AQBEZuBfd5trDxAA2vxhcZARbOix5+Hnln8ZMQ==
host1:/etc/ceph # touch /mnt/file2
host1:/etc/ceph # ls -l /mnt/
insgesamt 0
-rw-r--r-- 1 root root 0 21. Dez 10:14 file2


Quoting Marc Roos <M.Roos@xxxxxxxxxxxxxxxxx>:

> Is there a command to update a client with a new generated key?
> Something like:
>
> ceph auth new-key client.rbd
>
> Could be useful if you accidentally did a ceph auth ls, because that
> still displays keys ;)
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
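
Added example, not part of the thread and not Ceph project code: a POSIX sh sketch of the rotation steps from Eugen's message that reads the entity's caps out of the existing keyring file instead of retyping them on the ceph-authtool command line. The function names, the DRY_RUN switch and the sample keyring are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: rotate one entity's key with ceph-authtool -g and
# ceph auth import, reusing the caps recorded in the keyring file.

# keyring_caps FILE ENTITY: print "subsystem<TAB>capability" per caps line.
keyring_caps() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); in_sec = ($0 == want); next }
        in_sec && /^[ \t]*caps[ \t]/ {
            sys = $2; sub(/=.*/, "", sys)            # "caps mds = ..." -> mds
            cap = $0; sub(/^[^=]*=[ \t]*/, "", cap)  # text after the first "="
            gsub(/^"|"[ \t]*$/, "", cap)             # drop surrounding quotes
            printf "%s\t%s\n", sys, cap
        }' "$1"
}

# rotate_key FILE ENTITY: with DRY_RUN set, only print the ceph-authtool call.
rotate_key() {
    file=$1 entity=$2 tab=$(printf '\t')
    set -- "$file" -g -n "$entity"
    while IFS="$tab" read -r sys cap; do
        [ -z "$sys" ] || set -- "$@" --cap "$sys" "$cap"
    done <<EOF
$(keyring_caps "$file" "$entity")
EOF
    if [ "$#" -eq 4 ]; then      # nothing appended: refuse to write a cap-less key
        echo "no caps found for $entity in $file" >&2; return 1
    fi
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ceph-authtool'; printf ' "%s"' "$@"; printf '\n'; return 0
    fi
    cp -p "$file" "$file.old" &&   # keep the old keyring for comparison (sdiff)
    ceph-authtool "$@" &&          # new key, same caps
    ceph auth import -i "$file"    # replace the entity's key in the cluster
}

# Demo on a constructed keyring (placeholder key, caps as in the thread).
demo=$(mktemp)
cat > "$demo" <<'EOF'
[client.user1]
    key = CONSTRUCTED-PLACEHOLDER
    caps mds = "allow rw path=/dir1"
    caps mon = "allow r"
    caps osd = "allow rw tag cephfs data=cephfs"
EOF
( DRY_RUN=1; rotate_key "$demo" client.user1 )
rm -f "$demo"
```

Without DRY_RUN the function needs ceph-authtool and an admin-capable ceph CLI on the host, as in the session above.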

