cephx client key rotation




This question has come up once in the past[0] afaict, but it was kind of inconclusive so I'm taking the liberty of bringing it up again.

I'm looking into implementing a key rotation scheme for Ceph client keys. As it potentially takes some non-zero amount of time to update key material, there might be a situation where keys have changed on the MON side, but still one of N clients might not have updated key material and try to auth with an obsolete key, which naturally would fail.

It would be great if we could have two keys active for an entity at the same time, but aiui that's not really possible, is that right?

I'm wondering about ceph auth get-or-create-pending. Per the docs a pending key would become active on first use, so that if one of N clients uses it, this still leaves room for another client to race.

What do people do to deal with this situation?

[0] https://ceph-users.ceph.narkive.com/ObSMdmxX/rotating-cephx-keys