Hi Frédéric

I haven't tested anything yet. On the ceph slack it was suggested that the overhead would scale as O(log(n)), and the suggestion was other things (e.g. cluster maps) would dominate (which I feel means it's not a major source of worry).

The use-case(s) are mainly focused on cephfs and giving outside-of-cluster clients (i.e. standard linux clients of various distros and versions, but also k8s clusters with pods that may or may not need to see specific subtrees, with some needing read/write and others which only need read-only) specific access to only what they need (with unix permissions/acls mixed in as needed). While we could give broader permissions and rely on mounts being configured correctly (e.g. only mounting specific subpaths which are going to vary across the clients), it would seem safer to be more precise with our cephx setup, which then implies not being able to reuse the same key across clients (which we probably wouldn't want to do anyway because we'd likely not have full control over all clients).

Regards
James

________________________________________
From: Frédéric Nass <frederic.n...@univ-lorraine.fr>
Sent: Monday, 9 June 2025 8:21 PM
To: James Tocknell
Cc: ceph-users
Subject: [ceph-users] Re: Limits on the number of cephx keys used

Hi James,

I don't recall reading anything related to performance degradation due to an excessive number of keyrings generated in a Ceph cluster.

Could you elaborate on your use case? E.g. why you would have so many clients not able to share a common keyring.

FWIW, the orchestrator can take care of pushing ceph.conf and keyrings on clients based on a host label [1]. This might help your case.

Best regards,
Frédéric.

[1] https://docs.ceph.com/en/latest/cephadm/operations/#client-keyrings-and-configs

----- On 6 June 25, at 5:28, James Tocknell james.tockn...@mq.edu.au wrote:

> Hi All
>
> As far as I can see, there is no guidance on the number of cephx keys that can
> be in use at one time.
> Is there a number at which ceph becomes much slower e.g. 100, 10000, 1000000?
> I'm wondering how best to manage keys across many clients (let's say 1000s for
> now), most of which won't actually be connected at the same time.
>
> Regards
> James
> _______________________________________________
> ceph-users mailing list -- ceph-users@ceph.io
> To unsubscribe send an email to ceph-users-le...@ceph.io
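
As an added illustration of the per-client, per-subtree setup discussed in this thread (not part of any message and not Ceph project code), this script turns a client inventory into one `ceph fs authorize` command per client. The filesystem name, client ids and paths are constructed placeholders, and refusing a grant on `/` is this example's own policy choice.

```python
import posixpath
import shlex

# Constructed inventory: filesystem name, client ids and paths are
# placeholders, not values taken from the thread.
FS_NAME = "cephfs"
INVENTORY = [
    {"client": "hpc-login01", "grants": [("/projects/alpha", "rw")]},
    {"client": "k8s-reader",
     "grants": [("/projects/alpha", "r"), ("/shared/ref/", "r")]},
]
VALID_PERMS = {"r", "rw"}


def normalise(path):
    """Return a canonical absolute subtree path or raise ValueError."""
    if not path.startswith("/") or ".." in path.split("/"):
        raise ValueError(f"path must be absolute without '..': {path!r}")
    return posixpath.normpath(path)


def authorize_argv(fs_name, entry):
    """Build the `ceph fs authorize` argument list for one client entry."""
    argv = ["ceph", "fs", "authorize", fs_name, f"client.{entry['client']}"]
    seen = set()
    for path, perms in entry["grants"]:
        path = normalise(path)
        if perms not in VALID_PERMS:
            raise ValueError(f"unsupported perms {perms!r} for {path}")
        if path == "/":  # example policy: never hand out the whole tree
            raise ValueError("refusing to grant the filesystem root")
        if path in seen:
            raise ValueError(f"duplicate grant for {path}")
        seen.add(path)
        argv += [path, perms]
    return argv


def plan(fs_name, inventory):
    """One command per client; a reused client id means a shared key."""
    ids = [e["client"] for e in inventory]
    dupes = sorted({i for i in ids if ids.count(i) > 1})
    if dupes:
        raise ValueError(f"client ids reused: {dupes}")
    return [authorize_argv(fs_name, e) for e in inventory]


if __name__ == "__main__":
    for argv in plan(FS_NAME, INVENTORY):
        print(shlex.join(argv))  # review before running against a cluster
```
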