This is great - had no idea you could have this level of control with Ceph authentication.
On Wed, Feb 1, 2017 at 12:29 PM, John Spray <[email protected]> wrote:
> On Wed, Feb 1, 2017 at 8:55 AM, Michael Hartz <[email protected]> wrote:
>> I am running ceph as part of a Proxmox Virtualization cluster, which is
>> doing great.
>>
>> However for monitoring purpose I would like to periodically check with 'ceph
>> health' as a non-root user.
>> This fails with the following message:
>>> su -c 'ceph health' -s /bin/bash nagios
>> Error initializing cluster client: PermissionDeniedError('error calling conf_read_file',)
>>
>> Please note: running the command as root user works as intended.
>>
>> Someone else suggested to allow group permissions on the admin keyring, i.e.
>> chmod 660 /etc/ceph/ceph.client.admin.keyring
>> Link: https://github.com/thelan/ceph-zabbix/issues/12
>> This didn't work.
>
> Nobody should ever need to give their unprivileged users sudo access
> to the ceph CLI or access to the ceph admin key, just to run the
> status command.
>
> Ceph's own authentication system has fine grained control over
> execution of mon commands.  You can create a special user that can
> only run the status command like this:
> ceph auth get-or-create client.status mon 'allow command "status"' > ./status.keyring
>
> ...and then invoke status as that user like this:
> ceph --name client.status --keyring ./status.keyring status
>
> You can then make sure your unprivileged user has read access to
> status.keyring and to ceph.conf (or give it its own copy of
> ceph.conf).
>
> John
>
>
>>
>> Has anyone hints on this?
>> _______________________________________________
>> ceph-users mailing list
>> [email protected]
>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
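
Added example, not part of the original thread or of Ceph itself: a Nagios-style check that runs the status command as the restricted client.status identity described above and turns the HEALTH_* token in its output into a plugin exit code. The keyring path, the plugin file name check_ceph_status and the keyring permission test are assumptions made for this sketch.

```shell
#!/bin/sh
# Nagios-style wrapper around the restricted client.status identity.
CEPH_NAME="${CEPH_NAME:-client.status}"
CEPH_KEYRING="${CEPH_KEYRING:-/etc/nagios/status.keyring}"  # assumed path

# Constructed sample of `ceph status` text, for trying the parser offline.
SAMPLE_STATUS='    cluster 00000000-0000-0000-0000-000000000000
     health HEALTH_WARN
            1 pgs degraded'

# Succeeds only if the keyring is readable by us and carries no permission
# bits for "other" (extra hygiene check, not something the thread asks for).
keyring_is_private() {
    [ -r "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c8-10)" = "---" ]
}

# Print the Nagios exit code for a block of `ceph status` output:
# 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN (no HEALTH_* token found).
health_to_exit_code() {
    case "$1" in
        *HEALTH_ERR*)  echo 2 ;;
        *HEALTH_WARN*) echo 1 ;;
        *HEALTH_OK*)   echo 0 ;;
        *)             echo 3 ;;
    esac
}

check_ceph() {
    if ! keyring_is_private "$CEPH_KEYRING"; then
        echo "UNKNOWN: $CEPH_KEYRING is missing, unreadable or open to other users"
        return 3
    fi
    # Only the mon "status" command is permitted by this key's caps.
    if ! out=$(ceph --name "$CEPH_NAME" --keyring "$CEPH_KEYRING" status 2>&1); then
        echo "UNKNOWN: ceph status failed: $out"
        return 3
    fi
    echo "ceph: $(printf '%s\n' "$out" | grep -o 'HEALTH_[A-Z]*' | head -n 1)"
    return "$(health_to_exit_code "$out")"
}

# Run the check only when installed under the (assumed) plugin name, so the
# functions above can also be sourced and exercised on their own.
case "$0" in
    *check_ceph_status*) check_ceph; exit $? ;;
esac
```

The monitoring user also needs read access to ceph.conf, as the quoted reply notes; a keyring owned by root with group nagios and mode 640 passes the permission test here.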
