Pffff, I guess it is time to create a feature request issue for 'ceph auth
new-key <entity>'
-----Original Message-----
From: Eugen Block [mailto:[email protected]]
Sent: 21 December 2020 10:20
To: [email protected]
Subject: [ceph-users] Re: Is there a command to update a client with a
new generated key?
I played with ceph-authtool and this seems to work:
host1:/etc/ceph # ceph-authtool ceph.client.user1.keyring -g -n client.user1 --cap mon "allow r" --cap mds "allow rw path=/dir1" --cap osd "allow rw tag cephfs data=cephfs"
where "ceph.client.user1.keyring" is obviously the client's keyring
file.
host1:/etc/ceph # sdiff ceph.client.user1.keyring.old ceph.client.user1.keyring
[client.user1]                                     [client.user1]
key = AQDd03Vf0moFLxAA1TPKfbAsxi+JLxju9+GP6w==   | key = AQBEZuBfd5trDxAA2vxhcZARbOix5+Hnln8ZMQ==
caps mds = "allow rw path=/dir1"                   caps mds = "allow rw path=/dir1"
caps mon = "allow r"                               caps mon = "allow r"
caps osd = "allow rw tag cephfs data=cephfs"       caps osd = "allow rw tag cephfs data=cephfs"
Then I import the new keyring file:
host1:/etc/ceph # ceph auth import -i ceph.client.user1.keyring
imported keyring
Using the old key doesn't work anymore:
host1:/etc/ceph # mount -t ceph mon1:/dir1 /mnt -o name=user1,secret=AQDd03Vf0moFLxAA1TPKfbAsxi+JLxju9+GP6w==
mount error: no mds server is up or the cluster is laggy
But the new key works:
host1:/etc/ceph # mount -t ceph mon1:/dir1 /mnt -o name=user1,secret=AQBEZuBfd5trDxAA2vxhcZARbOix5+Hnln8ZMQ==
host1:/etc/ceph # touch /mnt/file2
host1:/etc/ceph # ls -l /mnt/
insgesamt 0
-rw-r--r-- 1 root root 0 21. Dez 10:14 file2
Quoting Marc Roos <[email protected]>:
> Is there a command to update a client with a new generated key?
> Something like:
>
> ceph auth new-key client.rbd
>
> Could be useful if you accidentally did a ceph auth ls, because that
> still displays keys ;)
> _______________________________________________
> ceph-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
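
The sdiff comparison in the thread can be turned into a check that runs before `ceph auth import`, since the import updates the entity's caps from the file along with its key. This is an added example, not part of the original messages; the function names (keyring_key, keyring_caps, rotation_ok, write_keyring, demo) and the sample key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a regenerated keyring before `ceph auth import`.

# keyring_key FILE ENTITY: print the key value of section [ENTITY]
keyring_key() {
  awk -v sect="[$2]" '
    $1 ~ /^\[/ { insec = ($1 == sect); next }
    insec && $1 == "key" { print $3 }' "$1"
}

# keyring_caps FILE ENTITY: print the caps lines of [ENTITY], normalized, sorted
keyring_caps() {
  awk -v sect="[$2]" '
    $1 ~ /^\[/ { insec = ($1 == sect); next }
    insec && $1 == "caps" { $1 = $1; print }' "$1" | sort
}

# rotation_ok OLD NEW ENTITY -> 0: key changed, caps identical;
# 1: key reused or caps changed; 2: key missing in one of the files
rotation_ok() {
  old_key=$(keyring_key "$1" "$3")
  new_key=$(keyring_key "$2" "$3")
  if [ -z "$old_key" ] || [ -z "$new_key" ]; then
    echo "no key for $3 in one of the files" >&2; return 2
  fi
  if [ "$old_key" = "$new_key" ]; then
    echo "key for $3 was not regenerated" >&2; return 1
  fi
  if [ "$(keyring_caps "$1" "$3")" != "$(keyring_caps "$2" "$3")" ]; then
    echo "caps for $3 differ between old and new keyring" >&2; return 1
  fi
  return 0
}

# write_keyring FILE KEY OSDCAP: constructed sample keyring (placeholder keys)
write_keyring() {
  printf '[client.user1]\n\tkey = %s\n\tcaps mds = "allow rw path=/dir1"\n' "$2" > "$1"
  printf '\tcaps mon = "allow r"\n\tcaps osd = "%s"\n' "$3" >> "$1"
}

# demo: run the check on two constructed keyrings that differ only in the key
demo() {
  d=$(mktemp -d) || return 2
  write_keyring "$d/old" "CONSTRUCTED-OLD-KEY==" "allow rw tag cephfs data=cephfs"
  write_keyring "$d/new" "CONSTRUCTED-NEW-KEY==" "allow rw tag cephfs data=cephfs"
  rotation_ok "$d/old" "$d/new" client.user1; rc=$?
  rm -rf "$d"; return "$rc"
}

demo && echo "constructed sample passes the check"
```

With the file names from the thread, the import can be gated as `rotation_ok ceph.client.user1.keyring.old ceph.client.user1.keyring client.user1 && ceph auth import -i ceph.client.user1.keyring`.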