Chapter 13. Configuration Settings

13.1. Enablement

auth_cluster_required

Description
If enabled, the Red Hat Ceph Storage cluster daemons (i.e., ceph-mon and ceph-osd) must authenticate with each other. Valid settings are cephx or none.
Type
String
Required
No
Default
cephx

auth_service_required

Description
If enabled, the Red Hat Ceph Storage cluster daemons require Ceph clients to authenticate with the Red Hat Ceph Storage cluster in order to access Ceph services. Valid settings are cephx or none.
Type
String
Required
No
Default
cephx

auth_client_required

Description
If enabled, the Ceph client requires the Red Hat Ceph Storage cluster to authenticate with the Ceph client. Valid settings are cephx or none.
Type
String
Required
No
Default
cephx

13.2. Keys

When you run Ceph with authentication enabled, ceph administrative commands and Ceph clients require authentication keys to access the Ceph Storage Cluster.

The most common way to provide these keys to the ceph administrative commands and clients is to include a Ceph keyring under the /etc/ceph directory. The filename is usually ceph.client.admin.keyring (or $cluster.client.admin.keyring). If you include the keyring under the /etc/ceph directory, you don’t need to specify a keyring entry in your Ceph configuration file.

We recommend copying the Red Hat Ceph Storage cluster’s keyring file to nodes where you will run administrative commands, because it contains the client.admin key.

You may use ceph-deploy admin to perform this task. To perform this step manually, execute the following:

sudo scp {user}@{ceph-cluster-host}:/etc/ceph/ceph.client.admin.keyring /etc/ceph/ceph.client.admin.keyring

Tip

Ensure the ceph.keyring file has appropriate permissions set on your client machine.

You may specify the key itself in the Ceph configuration file using the key setting (not recommended), or a path to a keyfile using the keyfile setting.

keyring

Description
The path to the keyring file.
Type
String
Required
No
Default
/etc/ceph/$cluster.$name.keyring,/etc/ceph/$cluster.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin

keyfile

Description
The path to a key file (i.e., a file containing only the key).
Type
String
Required
No
Default
None

key

Description
The key (i.e., the text string of the key itself). Not recommended.
Type
String
Required
No
Default
None

13.3. Daemon Keyrings

Administrative users or deployment tools (e.g., ceph-deploy) may generate daemon keyrings in the same way as user keyrings. By default, Ceph stores daemon keyrings inside the daemon's data directory. The default keyring locations, and the capabilities necessary for each daemon to function, are shown below.

ceph-mon

Location
$mon_data/keyring
Capabilities
mon 'allow *'

ceph-osd

Location
$osd_data/keyring
Capabilities
mon 'allow profile osd' osd 'allow *'

radosgw

Location
$rgw_data/keyring
Capabilities
mon 'allow rwx' osd 'allow rwx'
Note

The monitor keyring (i.e., mon.) contains a key but no capabilities, and is not part of the cluster auth database.

The daemon data directory locations default to directories of the form:

/var/lib/ceph/$type/$cluster-$id

For example, osd.12 would be:

/var/lib/ceph/osd/ceph-12

You can override these locations, but it is not recommended.

13.4. Signatures

Beyond the initial authentication, Ceph can also authenticate all ongoing messages between the entities by signing them with the session key that was set up during that initial authentication.

Like other parts of Ceph authentication, Ceph provides fine-grained control so you can enable/disable signatures for service messages between the client and Ceph, and you can enable/disable signatures for messages between Ceph daemons.

cephx_require_signatures

Description
If set to true, Ceph requires signatures on all message traffic between the Ceph client and the Red Hat Ceph Storage cluster, and between daemons comprising the Red Hat Ceph Storage cluster.
Type
Boolean
Required
No
Default
false

cephx_cluster_require_signatures

Description
If set to true, Ceph requires signatures on all message traffic between Ceph daemons comprising the Red Hat Ceph Storage cluster.
Type
Boolean
Required
No
Default
false

cephx_service_require_signatures

Description
If set to true, Ceph requires signatures on all message traffic between Ceph clients and the Red Hat Ceph Storage cluster.
Type
Boolean
Required
No
Default
false

cephx_sign_messages

Description
If the Ceph version supports message signing, Ceph will sign all messages so they cannot be spoofed.
Type
Boolean
Default
true
Note

Ceph kernel modules do not support signatures yet.
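The settings in sections 13.1, 13.2 and 13.4 are easiest to check mechanically. The following script is an added example (not part of the Red Hat documentation or the Ceph project) that parses the [global] section of a ceph.conf, fills in this chapter's defaults, and reports any setting that disables authentication, leaves signatures optional, or embeds a key inline; the two sample configurations are constructed, and the placeholder key is not a real key.

```python
import configparser

# Defaults from this chapter: auth_*_required = cephx, *_require_signatures = false, cephx_sign_messages = true.
DEFAULTS = {
    "auth_cluster_required": "cephx", "auth_service_required": "cephx",
    "auth_client_required": "cephx", "cephx_require_signatures": "false",
    "cephx_cluster_require_signatures": "false",
    "cephx_service_require_signatures": "false", "cephx_sign_messages": "true",
}

def parse_global(text):
    """Return [global] options; Ceph accepts 'auth cluster required' and
    auth_cluster_required interchangeably, so spaces are normalised to _."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#", ";"), interpolation=None)
    cp.read_string(text)
    section = cp["global"] if cp.has_section("global") else {}
    return {k.strip().replace(" ", "_"): v.strip() for k, v in section.items()}

def audit(text):
    """List the settings that fall short of this chapter's recommendations."""
    opts = {**DEFAULTS, **parse_global(text)}
    findings = []
    for name in ("auth_cluster_required", "auth_service_required", "auth_client_required"):
        if opts[name].lower() != "cephx":
            findings.append(f"{name} = {opts[name]}: authentication disabled, set to cephx")
    if opts["cephx_sign_messages"].lower() != "true":
        findings.append("cephx_sign_messages = false: messages are not signed")
    # cephx_require_signatures = true covers both the cluster and service paths.
    blanket = opts["cephx_require_signatures"].lower() == "true"
    for name in ("cephx_cluster_require_signatures", "cephx_service_require_signatures"):
        if not blanket and opts[name].lower() != "true":
            findings.append(f"{name} = false: unsigned messages are accepted")
    if "key" in opts:  # the chapter marks the inline key setting as not recommended
        findings.append("key set inline in ceph.conf: use keyring or keyfile instead")
    return findings

# Constructed sample configurations (not from a real cluster).
WEAK_CONF = """[global]
auth cluster required = none   ; daemons no longer authenticate each other
auth_service_required = cephx
key = PLACEHOLDER-NOT-A-REAL-KEY==
"""
HARDENED_CONF = """[global]
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
cephx_require_signatures = true
cephx_sign_messages = true
"""
```

Running `audit(WEAK_CONF)` returns four findings (cluster authentication off, both signature paths optional, inline key), while `audit(HARDENED_CONF)` returns an empty list.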

13.5. Time to Live

auth_service_ticket_ttl

Description
When the Red Hat Ceph Storage cluster sends a Ceph client a ticket for authentication, the Red Hat Ceph Storage cluster assigns the ticket a time to live.
Type
Double
Default
60*60 (seconds, i.e., one hour)