用户权限概述
用户格式
参考链接:
权限:https://docs.ceph.com/en/latest/rados/operations/user-management/#authorization-capabilities
用户:https://docs.ceph.com/en/reef/rados/operations/user-management/
ceph的用户格式TYPEID.USERID
-
TYPEID也叫用户类型,有2用户类型;内置组件用户(mon,mds,rgw,osd,mgr)和普通用户(client)
-
USERID,就是用户名,可以是数字。
- 比如表示ods的第0块磁盘,对应的是ods.0
- 也可以是字符串,比如管理员用户,对应的是client.admin
- 用户可以自定义USERID,比如client.wzy,client.wenzhiyong
用户权限
每个用户都可以授权,使用caps字段关联。授权的格式allow 权限
-
r:读权限
-
w: 写权限
-
x:执行权限,可以调用方法(这些方法可能存在读写等操作),还可以执行mon的auth等相关命令
-
*:拥有rwx等权限
-
profile osd:可以获取OSD的状态信息
-
profile mds:可以获取mds的状态信息
举例ceph系统组件的权限就在授权文件中体现:
bash
[root@ceph141~]# cat /etc/ceph/ceph.client.admin.keyring
[client.admin]
key = AQAlsChnHubLJRAAH2s3vhyGrxgba8anloPDtg==
caps mds = "allow *"
caps mgr = "allow *"
caps mon = "allow *"
caps osd = "allow *"查看管理员权限
bash
[root@ceph141~]# ceph auth get client.admin
[client.admin]
key = AQAlsChnHubLJRAAH2s3vhyGrxgba8anloPDtg==
caps mds = "allow *"
caps mgr = "allow *"
caps mon = "allow *"
caps osd = "allow *"查看其他用户权限,可以发现osd也算用户
bash
[root@ceph141~]# ceph auth list
osd.0
key: AQAJ1Chn4kJoMxAAO/sYaCTyTyJE6TSclIxKsA==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
osd.1
key: AQA21ChniKrACRAANYkBLMXK5BThtHgTrNVqNw==
caps: [mgr] allow profile osd
caps: [mon] allow profile osd
caps: [osd] allow *
...
client.admin
key: AQAlsChnHubLJRAAH2s3vhyGrxgba8anloPDtg==
caps: [mds] allow *
caps: [mgr] allow *
caps: [mon] allow *
caps: [osd] allow *
client.bootstrap-mds
key: AQAnsChncF9lOxAAGmqKpDlaOTzxCAX20uo6EA==
caps: [mon] allow profile bootstrap-mds
client.bootstrap-mgr
key: AQAnsChnx2VlOxAABgp0KiClbDnraMQ6ZGEpBQ==
caps: [mon] allow profile bootstrap-mgr
client.bootstrap-osd
key: AQAnsChnxGtlOxAAkCnj4ZlBhzIpr4vk6pcUdA==
caps: [mon] allow profile bootstrap-osd
client.bootstrap-rbd
key: AQAnsChnjnFlOxAAQUXJdflbTiKjW/ZbKGgE1w==
caps: [mon] allow profile bootstrap-rbd
client.bootstrap-rbd-mirror
key: AQAnsChni3dlOxAAb6TImPKkGrR1baZO8AdYGg==
caps: [mon] allow profile bootstrap-rbd-mirror
client.bootstrap-rgw
key: AQAnsChnm39lOxAAy6Qs5u3d5YidcT6cWaOH6A==
caps: [mon] allow profile bootstrap-rgw
client.ceph-exporter.ceph141
key: AQBgsChn0hbwGxAA6y6Op/+2zPirhwH4UqV5UQ==
caps: [mgr] allow r
caps: [mon] allow r
caps: [osd] allow r
client.ceph-exporter.ceph142
key: AQBMzyhnBYIxOxAAF4seBajmPKYWmzuM6XKqqQ==
caps: [mgr] allow r
caps: [mon] allow r
caps: [osd] allow r
client.ceph-exporter.ceph143
key: AQBjzyhnUbSSGRAAtt4r+evuoNE+ciwx/ymv1A==
caps: [mgr] allow r
caps: [mon] allow r
caps: [osd] allow r
client.crash.ceph141
key: AQBhsChngfrUIRAA2TjOYgDQQ4NENaU7p3EwHw==
caps: [mgr] profile crash
caps: [mon] profile crash
client.crash.ceph142
key: AQBPzyhnKwm4ExAAZ/0a6FVAWJFjSbRozum/PA==
caps: [mgr] profile crash
caps: [mon] profile crash
client.crash.ceph143
key: AQBlzyhn9+GPNBAA3NZddZGiXoyLrf9J9M7wQw==
caps: [mgr] profile crash
caps: [mon] profile crash
mgr.ceph141.yvswvf
key: AQAlsChnJpeKMhAAsiyirSCpqTIgh3mB7o4V7g==
caps: [mds] allow *
caps: [mon] profile mgr
caps: [osd] allow *
mgr.ceph142.gtcikx
key: AQBRzyhnal2kLhAA4DvZbY7TiWIxWSg1Tw3ZQw==
caps: [mds] allow *
caps: [mon] profile mgr
caps: [osd] allow *三种方式自定义普通用户
创建用户方式参考链接::https://docs.ceph.com/en/nautilus/rados/operations/user-management/#add-a-user
1 直接创建
bash
[root@ceph141~]# ceph auth add client.wzy666 mon 'allow r' osd 'allow * pool=zhiyong18-rbd'
added key for client.wzy666client.wzy666:这是客户端名称,表示要为此客户端添加权限。
mon 'allow r':为该客户端授予对 monitor(监视器)的读取权限 (r),意味着该客户端可以查看集群状态、查询信息等。
osd 'allow * pool=zhiyong18-rbd':为该客户端授予对 OSD(对象存储设备)上名为 zhiyong18-rbd 的池的所有权限。allow * 表示允许所有操作(如读写),但限制在 zhiyong18-rbd 这个特定的池上
验证用户wzy666的权限
bash
[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
key = AQB+KypnuKsqDhAA1VYxg0qKjp4G3Lr+CUebHA==
caps mon = "allow r"
caps osd = "allow * pool=zhiyong18-rbd"2 查看若不存在则创建
1.查看用户是否存在
bash
[root@ceph141~]# ceph auth get client.wenzhiyong
Error ENOENT: failed to find client.wenzhiyong in keyring2.若用户不存在则创建
bash
[root@ceph141~]# ceph auth get-or-create client.wenzhiyong mon 'allow r' osd 'allow rwx'
[client.wenzhiyong]
key = AQBgLypnfvLQBxAApSe9WoyC5ys1mySFPzjTfw==再次查看用户信息
bash
[root@ceph141~]# ceph auth get client.wenzhiyong
[client.wenzhiyong]
key = AQBgLypnfvLQBxAApSe9WoyC5ys1mySFPzjTfw==
caps mon = "allow r"
caps osd = "allow rwx"4.如果用户存在,再去创建是会报错的
bash
[root@ceph141~]# ceph auth get-or-create client.wenzhiyong mon 'allow r' osd 'allow *'
Error EINVAL: key for client.wenzhiyong exists but cap osd does not match5.若用户存在且权限匹配则打印KEY
bash
[root@ceph141~]# ceph auth get-or-create client.wenzhiyong mon 'allow r' osd 'allow rwx'
[client.wenzhiyong]
key = AQBgLypnfvLQBxAApSe9WoyC5ys1mySFPzjTfw==6.查看最终的权限
bash
[root@ceph141~]# ceph auth get client.wenzhiyong
[client.wenzhiyong]
key = AQBgLypnfvLQBxAApSe9WoyC5ys1mySFPzjTfw==
caps mon = "allow r"
caps osd = "allow rwx"3 查看权限若没有就创建
1.查看用户k8s不存在
bash
[root@ceph141~]# ceph auth get client.k8s
Error ENOENT: failed to find client.k8s in keyring2.创建用户并返回KEY
bash
ceph auth get-or-create-key client.k8s mon 'allow r' osd 'allow rwx'再次查看用户信息
bash
[root@ceph141~]# ceph auth get client.k8s
[client.k8s]
key = AQCfMCpnrHrtJBAAoLnVptDFXrhIzZKWIp16nw==
caps mon = "allow r"
caps osd = "allow rwx"3.若用户存在则且权限不匹配则报错
bash
[root@ceph141~]# ceph auth get-or-create-key client.k8s mon 'allow r' osd 'allow *'
Error EINVAL: key for client.k8s exists but cap osd does not match若用户存在且权限匹配则打印KEY
bash
[root@ceph141~]# ceph auth get-or-create-key client.k8s mon 'allow r' osd 'allow rwx'
AQCfMCpnrHrtJBAAoLnVptDFXrhIzZKWIp16nw==ceph auth print-key打印已经存在用户的KEY,如果用户不存在则报错,如果用户存在则打印该用户对应的KEY信息
bash
[root@ceph141~]# ceph auth print-key client.wzy666 | more
AQB+KypnuKsqDhAA1VYxg0qKjp4G3Lr+CUebHA==
[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
key = AQB+KypnuKsqDhAA1VYxg0qKjp4G3Lr+CUebHA==
caps mon = "allow r"
caps osd = "allow * pool=zhiyong18-rbd"用户权限修改
修改权限参考链接:https://docs.ceph.com/en/nautilus/rados/operations/user-management/#modify-user-capabilities
1.查看权限后,进行修改
bash
[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
key = AQB+KypnuKsqDhAA1VYxg0qKjp4G3Lr+CUebHA==
caps mon = "allow r"
caps osd = "allow * pool=zhiyong18-rbd"
[root@ceph141~]# ceph auth caps client.wzy666 mon 'allow rx' osd 'allow r pool=wenzhiyong18-rbd'
updated caps for client.wzy6662.查看修改权后的auth
bash
[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
key = AQB+KypnuKsqDhAA1VYxg0qKjp4G3Lr+CUebHA==
caps mon = "allow rx"
caps osd = "allow r pool=wenzhiyong18-rbd"用户的删除
用户删除参考链接:https://docs.ceph.com/en/nautilus/rados/operations/user-management/#delete-a-user
1.直接删除用户wzy666
bash
[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
key = AQB+KypnuKsqDhAA1VYxg0qKjp4G3Lr+CUebHA==
caps mon = "allow rx"
caps osd = "allow r pool=wenzhiyong18-rbd"
[root@ceph141~]# ceph auth del client.wzy666ceph用户的备份和恢复
用户数据备份
参考链接:
https://docs.ceph.com/en/nautilus/rados/operations/user-management/#get-a-user
https://docs.ceph.com/en/nautilus/rados/operations/user-management/#import-a-user-s
1.创建测试用户
bash
[root@ceph141~]# ceph auth add client.wzy666 mon 'allow r' osd 'allow * pool=zhiyong18-rbd'
added key for client.wzy666
[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
key = AQB2NipneGZcCBAAqL6zGHCpU2uwM15R05uHzQ==
caps mon = "allow r"
caps osd = "allow * pool=zhiyong18-rbd"2.导出用户到文件,用于模拟备份。这一步只是创建文件并不会写入
bash
[root@ceph141~]# ceph-authtool --create-keyring ceph.client.wzy666.keyring
creating ceph.client.wzy666.keyring
[root@ceph141~]# ls
ceph.client.wzy666.keyring
[root@ceph141~]# cat ceph.client.wzy666.keyring
[root@ceph141~]# 3.将内容导出到指定文件
[root@ceph141~]# ceph auth get client.wzy666 -o ceph.client.wzy666.keyring4.查看文件内容
bash
[root@ceph141~]# cat ceph.client.wzy666.keyring
[client.wzy666]
key = AQB2NipneGZcCBAAqL6zGHCpU2uwM15R05uHzQ==
caps mon = "allow r"
caps osd = "allow * pool=zhiyong18-rbd"总结:不如ceph auth get client.wzy666 > ceph.client.wzy666.keyring
用户数据导入
1.删除用户
bash
ceph auth del client.wzy6662.导入用户文件信息
bash
[root@ceph141~]# ceph auth import -i ceph.client.wzy666.keyring 3.验证用户信息完整性
bash
[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
key = AQB2NipneGZcCBAAqL6zGHCpU2uwM15R05uHzQ==
caps mon = "allow r"
caps osd = "allow * pool=zhiyong18-rbd"导出授权文件并验证用户权限
1.ceph141节点创建1个普通用户并保存到一个文件中
bash
[root@ceph141~]# ceph auth get-or-create client.k3s mon 'allow r' osd 'allow * pool=zhiyong18-rdb'
[client.k3s]
key = AQCzRSpn1SShChAAPmJUYIvCKsuAH47HDNWD0A==
[root@ceph141~]# ceph auth export client.k3s -o ceph.client.k3s.keyring
[root@ceph141~]# cat ceph.client.k3s.keyring
[client.k3s]
key = AQCzRSpn1SShChAAPmJUYIvCKsuAH47HDNWD0A==
caps mon = "allow r"
caps osd = "allow * pool=zhiyong18-rdb"2.ceph142节点删除原来的管理员授权文件,再次访问权限报错
bash
[root@ceph142~]# rm -f /etc/ceph/ceph.client.admin.keyring
[root@ceph142~]# ceph -s
2024-11-05T23:38:38.932+0800 7f7fe4d69640 -1 auth: unable to find a keyring on /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin: (2) No such file or directory
2024-11-05T23:38:38.932+0800 7f7fe4d69640 -1 AuthRegistry(0x7f7fe00672a0) no keyring found at /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin, disabling cephx
2024-11-05T23:38:38.936+0800 7f7fe4d69640 -1 auth: unable to find a keyring on /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin: (2) No such file or directory
2024-11-05T23:38:38.936+0800 7f7fe4d69640 -1 AuthRegistry(0x7f7fe4d67f60) no keyring found at /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin, disabling cephx
2024-11-05T23:38:38.936+0800 7f7fde59c640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [1]
2024-11-05T23:38:38.936+0800 7f7fded9d640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [1]
2024-11-05T23:38:38.936+0800 7f7fddd9b640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [1]
2024-11-05T23:38:38.936+0800 7f7fe4d69640 -1 monclient: authenticate NOTE: no keyring found; disabled cephx authentication
[errno 13] RADOS permission denied (error connecting to the cluster)3.服务端将认证文件拷贝到客户端
bash
[root@ceph141~]# scp ceph.client.k3s.keyring ceph142:/etc/ceph/4.客户端验证权限
bash
[root@ceph142~]# ceph -s --user k3s
cluster:
id: 12fad866-9aa0-11ef-8656-6516a17ad6dd
health: HEALTH_WARN
...
[root@ceph142~]# cat /etc/ceph/ceph.client.k3s.keyring
[client.k3s]
key = AQCzRSpn1SShChAAPmJUYIvCKsuAH47HDNWD0A==
caps mon = "allow r"
caps osd = "allow * pool=zhiyong18-rdb"
bash
[root@ceph142~]# ceph --user k3s auth get client.k3s
Error EACCES: access denied这是因为对用户相关的操作还没有执行权限,不能调用相关函数。后期添加上去就可以了
5.服务端尝试修改k3s用户权限
bash
[root@ceph141~]# ceph auth caps client.k3s mon 'allow rx'
updated caps for client.k36.客户端再次验证权限。虽然客户端可以查看用户信息了,但是此时/etc/ceph/ceph.client.k3s.keyring是没有任何变化的;也就是说:本地的keyring文件的caps字段并没有作用,而是基于KEY访问集群进行验证的!
bash
[root@ceph142~]# ceph --user k3s auth get client.k3s
[client.k3s]
key = AQCzRSpn1SShChAAPmJUYIvCKsuAH47HDNWD0A==
caps mon = "allow rx"
[root@ceph142~]# cat /etc/ceph/ceph.client.k3s.keyring
[client.k3s]
key = AQCzRSpn1SShChAAPmJUYIvCKsuAH47HDNWD0A==
caps mon = "allow r"
caps osd = "allow * pool=zhiyong18-rdb"7.进一步验证k3s用户的权限,可以查看池列表
bash
[root@ceph142~]# ceph --user k3s osd pool ls
.mgr
zhiyong-rbd
zhiyong18-rbd
zhiyong但是没有权限访问存储池下的镜像文件
bash
[root@ceph142~]# rbd --id k3s -p zhiyong ls -l
2024-11-05T23:47:24.820+0800 7f8de091de00 -1 librbd::api::Image: list_images: error listing v1 images: (1) Operation not permitted
rbd: listing images failed: (1) Operation not permitted
[root@ceph142~]# rbd --id k3s -p zhiyong18-rbd ls -l
2024-11-05T23:48:00.588+0800 7f38f923ce00 -1 librbd::api::Image: list_images: error listing v1 images: (1) Operation not permitted
rbd: listing images failed: (1) Operation not permitted8.服务端再次修改权限
bash
[root@ceph141~]# ceph auth get client.k3s
[client.k3s]
key = AQCzRSpn1SShChAAPmJUYIvCKsuAH47HDNWD0A==
caps mon = "allow rx"
[root@ceph141~]# ceph auth caps client.k3s mon 'allow *' osd 'allow *'
updated caps for client.k3s10.客户端再次验证权限
bash
[root@ceph142~]# rbd --id k3s -p zhiyong18-rbd ls -l
NAME SIZE PARENT FMT PROT LOCK
mysqld 5 GiB 2
rbd-snap 2 GiB 2
wordpress 2 GiB 2
zhiyong 5 GiB 2
zhiyong@v1 5 GiB 2
zhiyong@v2 5 GiB 2
zhiyong@v3 5 GiB 2
zhiyong@v4 5 GiB 2
zhiyong@v5 5 GiB 2
zhiyong@v6 5 GiB 2用户授权总结
1.如果使用"--user k3s"指定用户,则默认去找以下文件,找不到就报错:
- /etc/ceph/ceph.client.k3s.keyring
- /etc/ceph/ceph.keyring
- /etc/ceph/keyring
- /etc/ceph/keyring.bin
2.如果不使用"--user"选项,咱们可以立即为默认为"--user amdin"
- /etc/ceph/ceph.client.admin.keyring
- /etc/ceph/ceph.keyring
- /etc/ceph/keyring
- /etc/ceph/keyring.bin
3.对于认证文件不能随便起名字,而是需要遵循上述2条的规范文件命名,否则ceph不识别用户的配置文件
4 客户端在连接ceph集群时,仅需要读取keyring文件中的KEY值;其他caps字段会被忽视。也就是说,对于文件中只要保留key值依旧是有效的
cephx认证
01 cephx认证概述
参考链接:
https://docs.ceph.com/en/nautilus/rados/configuration/auth-config-ref/
https://docs.ceph.com/en/nautilus/rados/operations/operating/
https://docs.ceph.com/en/nautilus/architecture/#high-availability-authentication
-
为了识别用户并防止中间人攻击,Ceph提供了cephx身份验证系统来验证用户和守护进程。但是注意cephx协议不解决传输中的数据加密(例如SSL/TLS)或静止时的加密问题
-
不建议关闭cephx认证,因为没有认证则集群任意节点都可以直接操作,除非内环环境相对安全
02 cephx相关参数说明
- auth_cluster_required
- 如果启用,Ceph存储群集守护进程(即Ceph-mon、Ceph-osd、Ceph-mds和Ceph-mgr)必须相互进行身份验证
- 有效设置为cephx或none,默认值为cephx
- auth_service_required
- 如果启用,则Ceph存储群集守护进程要求Ceph客户端向Ceph存储集群进行身份验证,以便访问Ceph服务
- 有效设置为cephx或none,默认值为cephx
- 有效设置为cephx或none,默认值为cephx
- 如果启用,Ceph客户端需要Ceph存储群集向Ceph客户端进行身份验证
- 有效设置为cephx或none,默认值为cephx
03 cephx启动和关闭
1.找到mon组件的容器
bash
[root@ceph141~]# docker ps -a | grep mon
aa345967806c quay.io/ceph/ceph:v18 "/usr/bin/ceph-mon -..."2.进入容器,再关闭认证:在/etc/ceph/ceph.conf增加以下参数,修改后需重启集群
bash
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx关闭认证:在vim /etc/ceph/ceph.conf改为以下参数
bash
auth_cluster_required = none
auth_service_required = none
auth_client_required = none
- 有效设置为cephx或none,默认值为cephx
- 有效设置为cephx或none,默认值为cephx
- 如果启用,Ceph客户端需要Ceph存储群集向Ceph客户端进行身份验证
- 有效设置为cephx或none,默认值为cephx
## 03 cephx启动和关闭
1.找到mon组件的容器
```bash
[root@ceph141~]# docker ps -a | grep mon
aa345967806c quay.io/ceph/ceph:v18 "/usr/bin/ceph-mon -..."2.进入容器,再关闭认证:在/etc/ceph/ceph.conf增加以下参数,修改后需重启集群
bash
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx关闭认证:在vim /etc/ceph/ceph.conf改为以下参数
bash
auth_cluster_required = none
auth_service_required = none
auth_client_required = none