Chapter 13. Configuration Settings
13.1. Enablement
auth_cluster_required
- Description
- If enabled, the Red Hat Ceph Storage cluster daemons (i.e., ceph-mon and ceph-osd) must authenticate with each other. Valid settings are cephx or none.
- Type
- String
- Required
- No
- Default
- cephx
auth_service_required
- Description
- If enabled, the Red Hat Ceph Storage cluster daemons require Ceph clients to authenticate with the Red Hat Ceph Storage cluster in order to access Ceph services. Valid settings are cephx or none.
- Type
- String
- Required
- No
- Default
- cephx
auth_client_required
- Description
- If enabled, the Ceph client requires the Red Hat Ceph Storage cluster to authenticate with the Ceph client. Valid settings are cephx or none.
- Type
- String
- Required
- No
- Default
- cephx
13.2. Keys
When you run Ceph with authentication enabled, ceph administrative commands and Ceph clients require authentication keys to access the Ceph Storage Cluster.
The most common way to provide these keys to the ceph administrative commands and clients is to include a Ceph keyring under the /etc/ceph directory. The filename is usually ceph.client.admin.keyring (or $cluster.client.admin.keyring). If you include the keyring under the /etc/ceph directory, you don’t need to specify a keyring entry in your Ceph configuration file.
We recommend copying the Red Hat Ceph Storage cluster’s keyring file to nodes where you will run administrative commands, because it contains the client.admin key.
You may use ceph-deploy admin to perform this task. To perform this step manually, execute the following:
sudo scp {user}@{ceph-cluster-host}:/etc/ceph/ceph.client.admin.keyring /etc/ceph/ceph.client.admin.keyring
Ensure the ceph.keyring file has appropriate permissions set on your client machine.
You may specify the key itself in the Ceph configuration file using the key setting (not recommended), or a path to a keyfile using the keyfile setting.
keyring
- Description
- The path to the keyring file.
- Type
- String
- Required
- No
- Default
- /etc/ceph/$cluster.$name.keyring, /etc/ceph/$cluster.keyring, /etc/ceph/keyring, /etc/ceph/keyring.bin
keyfile
- Description
- The path to a key file (i.e., a file containing only the key).
- Type
- String
- Required
- No
- Default
- None
key
- Description
- The key (i.e., the text string of the key itself). Not recommended.
- Type
- String
- Required
- No
- Default
- None
13.3. Daemon Keyrings
Administrative users or deployment tools (e.g., ceph-deploy) may generate daemon keyrings in the same way as generating user keyrings. By default, Ceph stores daemon keyrings inside their data directory. The default keyring locations, and the capabilities necessary for the daemon to function, are shown below.
ceph-mon
- Location
- $mon_data/keyring
- Capabilities
- mon 'allow *'
ceph-osd
- Location
- $osd_data/keyring
- Capabilities
- mon 'allow profile osd' osd 'allow *'
radosgw
- Location
- $rgw_data/keyring
- Capabilities
- mon 'allow rwx' osd 'allow rwx'
The monitor keyring (i.e., mon.) contains a key but no capabilities, and is not part of the cluster auth database.
The daemon data directory locations default to directories of the form:
/var/lib/ceph/$type/$cluster-$id
For example, osd.12 would be:
/var/lib/ceph/osd/ceph-12
You can override these locations, but it is not recommended.
13.4. Signatures
We prefer that Ceph authenticate all ongoing messages between the entities using the session key set up for that initial authentication.
Like other parts of Ceph authentication, Ceph provides fine-grained control so you can enable/disable signatures for service messages between the client and Ceph, and you can enable/disable signatures for messages between Ceph daemons.
cephx_require_signatures
- Description
- If set to true, Ceph requires signatures on all message traffic between the Ceph client and the Red Hat Ceph Storage cluster, and between daemons comprising the Red Hat Ceph Storage cluster.
- Type
- Boolean
- Required
- No
- Default
- false
cephx_cluster_require_signatures
- Description
- If set to true, Ceph requires signatures on all message traffic between Ceph daemons comprising the Red Hat Ceph Storage cluster.
- Type
- Boolean
- Required
- No
- Default
- false
cephx_service_require_signatures
- Description
- If set to true, Ceph requires signatures on all message traffic between Ceph clients and the Red Hat Ceph Storage cluster.
- Type
- Boolean
- Required
- No
- Default
- false
cephx_sign_messages
- Description
- If the Ceph version supports message signing, Ceph will sign all messages so they cannot be spoofed.
- Type
- Boolean
- Default
- true
Ceph kernel modules do not support signatures yet.
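The following Python script is an added example, not part of the Red Hat documentation or of Ceph itself. It parses a constructed ceph.conf fragment and reports settings that weaken cephx as described in 13.1 (any auth_*_required other than cephx), 13.2 (a key stored inline instead of via keyring or keyfile) and 13.4 (signature requirements left at their default of false), and it expands the default keyring search order from 13.2 for a given $cluster and $name. It assumes Ceph's documented behaviour that option names with spaces and underscores are equivalent; only the [global] section is audited for the auth and signature settings.

```python
import configparser

AUTH_REQUIRED = ("auth_cluster_required", "auth_service_required", "auth_client_required")  # 13.1
KEYRING_DEFAULTS = ("/etc/ceph/$cluster.$name.keyring", "/etc/ceph/$cluster.keyring",      # 13.2
                    "/etc/ceph/keyring", "/etc/ceph/keyring.bin")

def _norm(key: str) -> str:  # Ceph accepts 'auth cluster required' and 'auth_cluster_required' alike
    return key.strip().lower().replace(" ", "_").replace("-", "_")

def parse_ceph_conf(text: str) -> dict:
    """Parse INI-style ceph.conf text into {section: {normalized_option: value}}."""
    cp = configparser.ConfigParser(strict=False, inline_comment_prefixes=("#", ";"))
    cp.optionxform = _norm
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def keyring_search_paths(cluster: str, name: str, conf: dict) -> list:
    """Expand the keyring setting (or the page's defaults) for one entity, e.g. client.admin."""
    raw = conf.get("global", {}).get("keyring")
    paths = [p.strip() for p in raw.split(",")] if raw else list(KEYRING_DEFAULTS)
    return [p.replace("$cluster", cluster).replace("$name", name) for p in paths]

def audit_cephx(conf: dict) -> list:
    """Return weak-setting findings for [global] (plus inline keys in any section); [] means none."""
    g = conf.get("global", {})
    on = lambda k, default: g.get(k, default).strip().lower() in ("true", "1")
    findings = []
    for k in AUTH_REQUIRED:  # an absent option means the default, cephx
        if g.get(k, "cephx").strip().lower() != "cephx":
            findings.append(f"{k} = {g[k]}: authentication disabled for this direction")
    for section, opts in conf.items():
        if "key" in opts:  # 13.2: the key itself in ceph.conf is not recommended
            findings.append(f"[{section}] stores the key inline; use keyring or keyfile")
    if not on("cephx_require_signatures", "false"):  # 13.4: the global switch covers both directions
        for k in ("cephx_cluster_require_signatures", "cephx_service_require_signatures"):
            if not on(k, "false"):
                findings.append(f"{k} is not true: signatures are optional for this traffic")
    if not on("cephx_sign_messages", "true"):
        findings.append("cephx_sign_messages = false: messages are not signed and can be spoofed")
    return findings

# Constructed sample configuration (not from the page); the key value is a placeholder.
SAMPLE_CONF = """
[global]
auth cluster required = cephx          ; spaces instead of underscores are accepted
auth_service_required = none
cephx_cluster_require_signatures = true
[client.admin]
key = CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_KEY
"""
```

Running `audit_cephx(parse_ceph_conf(SAMPLE_CONF))` on the sample reports the disabled service authentication, the inline key and the unsigned client-to-cluster traffic, while cluster-internal signatures pass.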
13.5. Time to Live
auth_service_ticket_ttl
- Description
- When the Red Hat Ceph Storage cluster sends a Ceph client a ticket for authentication, the Red Hat Ceph Storage cluster assigns the ticket a time to live.
- Type
- Double
- Default
- 60*60