Hi,

All of our clusters have this in ceph.conf:

[global]
  auth cluster required = cephx
  auth service required = cephx
  auth client required = cephx
  keyring = /etc/ceph/keyring

and the client.admin secret in /etc/ceph/keyring:

# cat /etc/ceph/keyring
[client.admin]
  key = ...

With that you should be able to do "ceph health" without passing --id or --keyring args. (This is with dumpling, not emperor, but I guess it didn’t change.)

If it still doesn’t work, check the capabilities that client.admin has (with ceph auth list). Should be

  caps: [mds] allow
  caps: [mon] allow *
  caps: [osd] allow *

Cheers, Dan

On 06 Dec 2013, at 11:06, nicolasc <nicolas.cance...@surfsara.nl> wrote:

> Hi everyone,
>
> I did not get any answer to my basic cephx question last week, so let me ask
> it one more time here, before I completely give up on Ceph and move on.
>
> So, my issue is:
>
> When all authentication settings are "none":
> * The cluster works fine
> * The file "/etc/ceph/ceph.client.admin.keyring" exists
>
> Then I set "auth_cluster_required" to "cephx". When I try to connect to the
> cluster, it detects "client.admin" and denies access with "operation not
> supported", even for commands like "ceph health".
>
> Finally, after I explicitly set the "keyring" parameter in the config (to the
> default value, because the keyring file was already in the default location),
> the cluster works fine again. So the behavior changes when I add those 2
> default lines to the config:
> [client.admin]
> keyring = /etc/ceph/ceph.client.admin.keyring
>
> From the ceph.com documentation [1], about this "keyring" parameter:
> Description: The path to the keyring file.
> Type: String
> Required: No
> Default: /etc/ceph/$cluster.$name.keyring
> ... so, I need help:
> * maybe this is a real bug? (was it already reported?)
> * maybe I am deeply stupid, and I don't understand what "required" and
> "default" mean? (can anyone send me a good dictionary?)
> * maybe obi-wan kenobi?
>
> Thanks to anyone who will respond anything (at that point, even a
> three-letter e-mail reading "ACK" would make me feel better). Best wishes for
> the future of Ceph, and best regards.
>
> Nicolas Canceill
> Scalable Storage Systems
> SURFsara (Amsterdam, NL)
>
> [1] http://ceph.com/docs/master/rados/configuration/auth-config-ref/#keys
>
> On 11/29/2013 03:09 PM, nicolasc wrote:
>> An update on this issue:
>>
>> Explicitly setting the "keyring" parameter to its default value, in the
>> client section, like this:
>>
>> [client.admin]
>> keyring = /etc/ceph/ceph.client.admin.keyring
>>
>> solves the problem in the particular case when ONLY "auth_cluster_required"
>> is set to "cephx", and the two remaining auth parameters are set to "none".
>>
>> The documentation clearly states that "/etc/ceph/ceph.client.admin.keyring"
>> is the default value of the "keyring" setting [1], so this looks like a bug.
>> Should I report it on the tracker? (BTW, all of this is on v0.72.1.)
>>
>> Also, does anyone have any idea about why this is not enough to enable the
>> "auth_service_required" setting? That one still gives me the error:
>>
>> client.admin authentication error (95) Operation not supported
>>
>> Best regards,
>>
>> Nicolas Canceill
>> Scalable Storage Systems
>> SURFsara (Amsterdam, NL)
>>
>> [1] http://ceph.com/docs/master/rados/configuration/auth-config-ref/#keys
>>
>> On 11/29/2013 10:22 AM, nicolasc wrote:
>>> Hello everyone,
>>>
>>> Just ran a fresh install of version Emperor on an empty cluster, and I am
>>> left clueless, trying to troubleshoot cephx. After ceph-deploy created the
>>> keys, I used ceph-authtool to generate the client.admin keyring and the
>>> monitor keyring, as indicated in the doc. The configuration is really
>>> out-of-the-box: 3 monitors, each with the keyring in
>>> /var/lib/ceph/mon/ceph-???/keyring, all keyrings have umask 644 and are
>>> owned by ceph.
>>>
>>> However, no matter which combination of "auth_cluster_", "auth_service_",
>>> or "auth_client_required", is set to cephx; no matter either the keyring
>>> options like "-k" and "--id" on the command line.
>>> Authentication fails every time with:
>>>
>>> client.admin authentication error (95) Operation not supported
>>> Error connecting to cluster: Error
>>>
>>> A big thanks to anyone who gives me a hint about what it means. (This
>>> message carries so little information, I feel it could be simply replaced
>>> by the "!" character.) I have looked in every ceph and system log file,
>>> nothing more.
>>>
>>> Best regards,
>>>
>>> Nicolas Canceill
>>> Scalable Storage Systems
>>> SURFsara (Amsterdam, NL)
>>>
>>> _______________________________________________
>>> ceph-users mailing list
>>> ceph-users@lists.ceph.com
>>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
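
An added example (not part of the original thread, and not Ceph's own code): a small offline checker for the two things discussed above, whether the three auth_*_required settings agree and which keyring path client.admin ends up with. It uses only the default path quoted from the documentation in the thread; the function names, the `files` mapping that stands in for the filesystem, and the sample configs and key are constructed for illustration.

```python
import configparser

AUTH_KEYS = ("auth_cluster_required", "auth_service_required", "auth_client_required")
DOC_DEFAULT_KEYRING = "/etc/ceph/$cluster.$name.keyring"  # default quoted in the thread

def parse_ini(text):
    # Ceph accepts "auth cluster required" and "auth_cluster_required" alike.
    cp = configparser.ConfigParser(delimiters=("=",), strict=False, interpolation=None)
    cp.optionxform = lambda key: "_".join(key.lower().split())
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp

def effective(cp, name):
    # [global] first, then [client], then [client.admin]: most specific wins.
    merged = {}
    for section in ("global", name.split(".")[0], name):
        if cp.has_section(section):
            merged.update(cp.items(section))
    return merged

def check_client(conf_text, files, name="client.admin", cluster="ceph"):
    """files maps path -> content and stands in for the filesystem."""
    conf = effective(parse_ini(conf_text), name)
    findings = []
    auth = {k: conf.get(k, "(unset)") for k in AUTH_KEYS}
    if len(set(auth.values())) > 1:
        findings.append("auth_*_required settings differ: %s" % auth)
    explicit = conf.get("keyring")
    path = (explicit or DOC_DEFAULT_KEYRING).replace("$cluster", cluster).replace("$name", name)
    if explicit is None:
        findings.append("keyring not set; relying on documented default " + path)
    if path not in files:
        findings.append("keyring file not found: " + path)
    elif not parse_ini(files[path]).has_option(name, "key"):
        findings.append("no key for [%s] in %s" % (name, path))
    return path, findings

# Constructed samples: the reply's working config and the failing case from the thread.
WORKING = """[global]
auth cluster required = cephx
auth service required = cephx
auth client required = cephx
keyring = /etc/ceph/keyring"""
FAILING = "[global]\nauth_cluster_required = cephx\nauth_service_required = none\nauth_client_required = none\n"
KEY = "[client.admin]\n\tkey = CONSTRUCTED-PLACEHOLDER==\n"

if __name__ == "__main__":
    print(check_client(WORKING, {"/etc/ceph/keyring": KEY}))
    print(check_client(FAILING, {"/etc/ceph/ceph.client.admin.keyring": KEY}))
```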