Chapter 4. Managing users on the Ceph dashboard

As a storage administrator, you can create, edit, and delete users with specific roles on the Red Hat Ceph Storage dashboard. Role-based access control is given to each user based on their roles and the requirements.

You can also create, edit, import, export, and delete Ceph client authentication keys on the dashboard. Once you create the authentication keys, you can rotate keys using command-line interface (CLI). Key rotation meets the current industry and security compliance requirements.

This section covers the following administrative tasks:

4.1. Creating users on the Ceph dashboard

You can create users on the Red Hat Ceph Storage dashboard with adequate roles and permissions based on their roles. For example, if you want the user to manage Ceph object gateway operations, then you can give rgw-manager role to the user.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Dashboard is installed.
  • Admin-level access to the dashboard.
Note

The Red Hat Ceph Storage Dashboard does not support any email verification when changing a user's password. This behavior is intentional, because the Dashboard supports Single Sign-On (SSO) and this feature can be delegated to the SSO provider.

Procedure

  1. Log in to the Dashboard.
  2. Click the Dashboard Settings icon and then click User management.

    user management
  3. On the Users tab, click Create.
  4. In the Create User window, set the Username and other parameters including the roles, and then click Create User.

    Create user window
  5. You get a notification that the user was created successfully.

Additional Resources

4.2. Editing users on the Ceph dashboard

You can edit the users on the Red Hat Ceph Storage dashboard. You can modify the user’s password and roles based on the requirements.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Dashboard is installed.
  • Admin-level access to the dashboard.
  • User created on the dashboard.

Procedure

  1. Log in to the Dashboard.
  2. Click the Dashboard Settings icon and then click User management.

    user management
  3. On the Users tab, click the row of the user you want to edit.
  4. Select Edit from the Edit drop-down menu.
  5. In the Edit User window, edit parameters like password and roles, and then click Edit User.

    Edit user window
    Note

    If you want to disable any user’s access to the Ceph dashboard, you can uncheck Enabled option in the Edit User window.

  6. You get a notification that the user was edited successfully.

Additional Resources

4.3. Deleting users on the Ceph dashboard

You can delete users on the Ceph dashboard. When a user is removed from your organization, remove their dashboard access as well by deleting the user from the Ceph dashboard.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Dashboard is installed.
  • Admin-level access to the dashboard.
  • User created on the dashboard.

Procedure

  1. Log in to the Dashboard.
  2. Click the Dashboard Settings icon and then click User management.

    user management
  3. On the Users tab, click the user you want to delete.
  4. Select Delete from the Edit drop-down menu.
  5. In the Delete User dialog box, select the Yes, I am sure box and then click Delete User to save the settings.

    Delete user window

Additional Resources

4.4. User capabilities

Ceph stores data as RADOS objects within pools, irrespective of the Ceph client used. Ceph users must have access to a given pool to read and write data, and must have execute permission to use Ceph administrative commands. Creating users allows you to control their access to your Red Hat Ceph Storage cluster, its pools, and the data within the pools.

Ceph has a concept of user type, and for users the type is always client. You define the user as TYPE.ID, where ID is the user ID, for example, client.admin. Users are typed because the Cephx protocol is used not only by clients but also by non-clients, such as Ceph Monitors, OSDs, and Metadata Servers. The user type separates client users from other users, which streamlines access control, user monitoring, and traceability.

4.4.1. Capabilities

Ceph uses capabilities (caps) to describe the permissions granted to an authenticated user to exercise the functionality of the monitors, OSDs, and metadata servers. The capabilities restrict access to data within a pool, a namespace within a pool, or a set of pools based on their application tags. A Ceph administrative user specifies the capabilities of a user when creating or updating the user.

You can set the capabilities to monitors, managers, OSDs, and metadata servers.

  • The Ceph Monitor capabilities include r, w, and x access settings. These can be applied in aggregate from pre-defined profiles with profile NAME.
  • The OSD capabilities include r, w, x, class-read, and class-write access settings. These can be applied in aggregate from pre-defined profiles with profile NAME.
  • The Ceph Manager capabilities include r, w, and x access settings. These can be applied in aggregate from pre-defined profiles with profile NAME.
  • For administrators, the metadata server (MDS) capabilities include allow *.
Note

The Ceph Object Gateway daemon (radosgw) is a client of the Red Hat Ceph Storage cluster and is not represented as a Ceph storage cluster daemon type.

Additional Resources

4.5. Access capabilities

This section describes the different access or entity capabilities that can be given to a Ceph user or a Ceph client such as Block Device, Object Storage, File System, and native API.

Additionally, you can describe the capability profiles while assigning roles to clients.

allow: Precedes access settings for a daemon. Implies rw for MDS only.
r: Gives the user read access. Required with monitors to retrieve the CRUSH map.
w: Gives the user write access to objects.
x: Gives the user the capability to call class methods, that is, both read and write, and to conduct auth operations on monitors.
class-read: Gives the user the capability to call class read methods. Subset of x.
class-write: Gives the user the capability to call class write methods. Subset of x.
*, all: Gives the user read, write, and execute permissions for a particular daemon or a pool, as well as the ability to execute admin commands.

The following entries describe the valid capability profiles:

profile osd: Applicable to Ceph Monitor only. Gives a user permissions to connect as an OSD to other OSDs or monitors. Conferred on OSDs to enable OSDs to handle replication heartbeat traffic and status reporting.
profile mds: Applicable to Ceph Monitor only. Gives a user permissions to connect as an MDS to other MDSs or monitors.
profile bootstrap-osd: Applicable to Ceph Monitor only. Gives a user permissions to bootstrap an OSD. Conferred on deployment tools, such as ceph-volume and cephadm, so that they have permissions to add keys when bootstrapping an OSD.
profile bootstrap-mds: Applicable to Ceph Monitor only. Gives a user permissions to bootstrap a metadata server. Conferred on deployment tools, such as cephadm, so that they have permissions to add keys when bootstrapping a metadata server.
profile bootstrap-rbd: Applicable to Ceph Monitor only. Gives a user permissions to bootstrap an RBD user. Conferred on deployment tools, such as cephadm, so that they have permissions to add keys when bootstrapping an RBD user.
profile bootstrap-rbd-mirror: Applicable to Ceph Monitor only. Gives a user permissions to bootstrap an rbd-mirror daemon user. Conferred on deployment tools, such as cephadm, so that they have permissions to add keys when bootstrapping an rbd-mirror daemon.
profile rbd: Applicable to Ceph Monitor, Ceph Manager, and Ceph OSDs. Gives a user permissions to manipulate RBD images. When used as a Monitor cap, it provides the user with the minimal privileges required by an RBD client application; such privileges include the ability to blocklist other client users. When used as an OSD cap, it provides an RBD client application with read-write access to the specified pool. The Manager cap supports optional pool and namespace keyword arguments.
profile rbd-mirror: Applicable to Ceph Monitor only. Gives a user permissions to manipulate RBD images and retrieve RBD mirroring config-key secrets. It provides the minimal privileges required for the user to manipulate the rbd-mirror daemon.
profile rbd-read-only: Applicable to Ceph Monitor and Ceph OSDs. Gives a user read-only permissions to RBD images. The Manager cap supports optional pool and namespace keyword arguments.
profile simple-rados-client: Applicable to Ceph Monitor only. Gives a user read-only permissions for monitor, OSD, and PG data. Intended for use by direct librados client applications.
profile simple-rados-client-with-blocklist: Applicable to Ceph Monitor only. Gives a user read-only permissions for monitor, OSD, and PG data. Intended for use by direct librados client applications. Also includes permissions to add blocklist entries to build high-availability (HA) applications.
profile fs-client: Applicable to Ceph Monitor only. Gives a user read-only permissions for monitor, OSD, PG, and MDS data. Intended for CephFS clients.
profile role-definer: Applicable to Ceph Monitor and Auth. Gives a user all permissions for the auth subsystem, read-only access to monitors, and nothing else. Useful for automation tools. WARNING: Do not assign this unless you really know what you are doing, as the security ramifications are substantial and pervasive.
profile crash: Applicable to Ceph Monitor and Ceph Manager. Gives a user read-only access to monitors. Used in conjunction with the manager crash module to upload daemon crash dumps into monitor storage for later analysis.

Additional Resources

4.6. Creating user capabilities

Create role-based access users with different capabilities on the Ceph dashboard.

For details on the different user capabilities, see User capabilities and Access capabilities.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Dashboard is installed.
  • Admin-level access to the dashboard.

Procedure

  1. Log in to the Dashboard.
  2. Under the Cluster drop-down menu, select Users.
  3. Click + Create.
  4. In the Create User window, provide the following details:

    1. User entity - Provide this as TYPE.ID, for example, client.test11.
    2. Entity - This can be mon, mgr, osd, or mds.
    3. Entity capabilities - Provide the capabilities that you want to grant the user for that entity. For example, allow * and profile crash are some of the capabilities that can be assigned to the client.

      Note

      You can add more entities to the user based on the requirement.

      Create user capabilities
  5. Click Create User.
  6. You get a notification that the user is created successfully.

4.7. Editing user capabilities

Edit the roles of users or clients on the dashboard.

For details on the different user capabilities, see User capabilities and Access capabilities.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Dashboard is installed.
  • Admin-level access to the dashboard.

Procedure

  1. Log in to the Dashboard.
  2. Under the Cluster drop-down menu, select Users.
  3. Select the user whose roles you want to edit.
  4. Click Edit.
  5. In the Edit User window, edit the entity and entity capabilities.

    Note

    You can add more entities to the user based on the requirement.

    Edit user capabilities
  6. Click Edit User.
  7. You get a notification that the user was edited successfully.

4.8. Importing user capabilities

Import the roles of users or clients from a keyring file on the local host to the client on the dashboard.

For details on the different user capabilities, see User capabilities and Access capabilities.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Dashboard is installed.
  • Admin-level access to the dashboard.

Procedure

  1. Create a keyring file on the local host:

    Example

    [localhost:~]$ cat import.keyring
    
    [client.test11]
    	key = AQD9S29kmjgJFxAAkvhFar6Af3AWKDY2DsULRg==
    	caps mds = "allow *"
    	caps mgr = "allow *"
    	caps mon = "allow *"
    	caps osd = "allow r"

  2. Log in to the Dashboard.
  3. Under the Cluster drop-down menu, select Users.
  4. Select the user whose roles you want to import.
  5. From the Edit drop-down menu, select Import.
  6. In the Import User window, click Choose file and select the keyring file.
  7. Click Import User.

    Import user capabilities
  8. You get a notification that the keys are imported successfully.

4.9. Exporting user capabilities

Export the roles of users or clients from the dashboard to a keyring file on the local host.

For details on the different user capabilities, see User capabilities and Access capabilities.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Dashboard is installed.
  • Admin-level access to the dashboard.

Procedure

  1. Log in to the Dashboard.
  2. Under the Cluster drop-down menu, select Users.
  3. Select the user whose roles you want to export.
  4. From the Edit drop-down menu, select Export.
  5. In the Ceph user export data dialog box, click the Copy to Clipboard icon.

    Export user capabilities
  6. You get a notification that the keys are copied successfully.
  7. On your local system, create a keyring file and paste the keys:

    Example

    [localhost:~]$ cat exported.keyring
    
    [client.test11]
    	key = AQD9S29kmjgJFxAAkvhFar6Af3AWKDY2DsULRg==
    	caps mds = "allow *"
    	caps mgr = "allow *"
    	caps mon = "allow *"
    	caps osd = "allow r"
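An exported keyring like the one above is a convenient place to review least privilege before it is imported elsewhere. The following Python is an added example (not Red Hat or Ceph code): it parses the keyring format shown in sections 4.8 and 4.9 and audits each entity's caps against the capability and profile tables in section 4.5, flagging blanket allow * or allow all grants, profile role-definer, and profiles that the named daemon type does not accept. The entity client.rbd-app, its placeholder key, and the pool name vms are constructed for this example.

```python
import re

# Constructed sample in the keyring format shown in this chapter; the second key is a placeholder.
SAMPLE_KEYRING = """\
[client.test11]
\tkey = AQD9S29kmjgJFxAAkvhFar6Af3AWKDY2DsULRg==
\tcaps mds = "allow *"
\tcaps mgr = "allow *"
\tcaps mon = "allow *"
\tcaps osd = "allow r"
[client.rbd-app]
\tkey = PLACEHOLDER-KEY
\tcaps mon = "profile rbd"
\tcaps osd = "profile rbd pool=vms"
"""

# Profiles each daemon type accepts, per the profile table in section 4.5 (mds has none).
PROFILES = {
    "mon": {"osd", "mds", "bootstrap-osd", "bootstrap-mds", "bootstrap-rbd", "bootstrap-rbd-mirror",
            "rbd", "rbd-mirror", "rbd-read-only", "simple-rados-client",
            "simple-rados-client-with-blocklist", "fs-client", "role-definer", "crash"},
    "mgr": {"rbd", "crash"}, "osd": {"rbd", "rbd-read-only"}, "mds": set(),
}
SECTION = re.compile(r"^\[(\S+)\]$")
CAP = re.compile(r'^caps\s+(mon|mgr|osd|mds)\s*=\s*"(.*)"$')

def parse_keyring(text: str) -> dict:
    """Return {entity: {daemon: cap string}} for every [TYPE.ID] section."""
    entities, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            current = m.group(1)
            entities[current] = {}
        elif (m := CAP.match(line)) and current:
            entities[current][m.group(1)] = m.group(2)
    return entities

def audit_caps(entity: str, caps: dict) -> list:
    """Flag blanket grants, role-definer, and profiles the daemon type does not accept."""
    findings = []
    for daemon, cap in caps.items():
        # A cap string is one or more comma-separated grants, e.g. "allow r, profile rbd pool=x".
        for words in (g.split() for g in cap.split(",") if g.strip()):
            if words[0] == "allow" and len(words) > 1 and words[1] in ("*", "all"):
                findings.append(f"{entity}: '{' '.join(words)}' on {daemon} gives rwx plus admin commands")
            elif words[0] == "profile" and len(words) > 1 and words[1] == "role-definer":
                findings.append(f"{entity}: profile role-definer on {daemon} grants full auth-subsystem rights")
            elif words[0] == "profile" and len(words) > 1 and words[1] not in PROFILES[daemon]:
                findings.append(f"{entity}: profile {words[1]} is not defined for {daemon}")
    return findings
```

Run audit_caps on every entity returned by parse_keyring; an empty list means no grant exceeded the profiles and access settings documented in this chapter.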

4.10. Deleting user capabilities

Delete the roles of users or clients on the dashboard.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Dashboard is installed.
  • Admin-level access to the dashboard.

Procedure

  1. Log in to the Dashboard.
  2. Under the Cluster drop-down menu, select Users.
  3. Select the user you want to delete.
  4. From the Edit drop-down menu, select Delete.
  5. In the Delete entity window, select Yes, I am sure.

    Delete user capabilities
  6. Click Delete entity.
  7. You get a notification that the user was deleted successfully.