1. First, the help output
auth add <entity> {<caps> [<caps>...]} add auth info for <entity> from input file, or random key if no input is given, and/or any caps specified in the command
auth caps <entity> <caps> [<caps>...] update caps for <name> from caps specified in the command
auth del <entity> delete all caps for <name>
auth export {<entity>} write keyring for requested entity, or master keyring if none given
auth get <entity> write keyring file with requested key
auth get-key <entity> display requested key
auth get-or-create <entity> {<caps> [<caps>...]} add auth info for <entity> from input file, or random key if no input given, and/or any caps specified in the command
auth get-or-create-key <entity> {<caps> [<caps>...]} get, or add, key for <name> from system/caps pairs specified in the command. If key already exists, any given caps must match the existing caps for that key.
auth import auth import: read keyring file from -i <file>
auth ls list authentication state
auth print-key <entity> display requested key
auth rm <entity> remove all caps for <name>
Note
All of the commands below can specify the user to run as:
--name mon. --keyring /var/lib/ceph/mon/ceph-node2/keyring
--name client.admin --keyring /etc/ceph/ceph.client.admin.keyring
ceph auth add
Meaning: add a key for the specified user
Example:
Add a mon key
ceph auth add client.admin
Add a mgr key
ceph auth add mgr.node2
ceph auth caps
Meaning: change a user's permissions
Example:
Modify the permissions of client.admin (-n is the same as --name)
ceph auth caps client.admin mds 'allow *' osd 'allow *' mon 'allow *'
ceph auth del/rm
Meaning: delete a user's key
Example:
Delete the key of user osd.4
ceph auth del osd.4
ceph auth export
Meaning: export a user's key to the specified file
Example:
Export the key of osd.1 to the file aaa
ceph auth export osd.1 -o aaa
ceph auth get
Meaning: get a user's key
Example:
Get the key of osd.1
ceph auth get osd.1
ceph auth get-key
Meaning: get only the key from the keyring entry
Example:
Get only the key from the keyring entry of osd.1
ceph auth get-key osd.1
ceph auth get-or-create
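Meaning: similar to add; prints the key if it exists and creates it if it does not. Access permissions can be set at the same time. Returns the user name and key.
Example:
If osd.1 has a key, print it; if not, add one and print it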
ceph auth get-or-create osd.1
ceph --cluster ceph --name client.bootstrap-mds --keyring /var/lib/ceph/bootstrap-mds/ceph.keyring auth get-or-create mds.node3 osd 'allow rwx' mds 'allow' mon 'allow profile mds' -o /var/lib/ceph/mds/ceph-node3/keyring
ceph auth get-or-create-key
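Meaning: similar to add; prints the key if it exists and creates it if it does not. Access permissions can be set at the same time. Returns only the key.
Example:
If osd.1 has a key, print it; if not, add one and print it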
ceph auth get-or-create-key osd.1
ceph auth import
Meaning: import a user
Example:
ceph auth import -i /path/to/keyring
ceph auth ls
Meaning: list the keys currently in the cluster
Example:
ceph auth ls
ceph auth print-key
Meaning: display the key of the specified name
Example:
ceph auth print-key osd.1
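Command summary:
1. Create a user (permissions can be specified at the same time)
If a user is granted OSD capabilities without a specific pool being named, that user has access to every pool in the cluster.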
ceph auth add client.john mon 'allow r' osd 'allow rw pool=liverpool'
ceph auth get-or-create client.paul mon 'allow r' osd 'allow rw pool=liverpool'
ceph auth get-or-create client.george mon 'allow r' osd 'allow rw pool=liverpool' -o george.keyring
ceph auth get-or-create-key client.ringo mon 'allow r' osd 'allow rw pool=liverpool' -o ringo.key
2. Modify a user's permissions
ceph auth caps client.john mon 'allow r' osd 'allow rw pool=liverpool'
ceph auth caps client.paul mon 'allow rw' osd 'allow rwx pool=liverpool'
ceph auth caps client.brian-manager mon 'allow *' osd 'allow *'
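
The rule in the command summary (OSD capabilities that name no pool apply to every pool) can be checked against a keyring written by `ceph auth export`. The script below is an added example, not part of the original page: the sample keyring is constructed with placeholder keys, the function names and the `client.mixed` entity are hypothetical, and only `pool=` is treated as a restriction.

```python
import re

# Constructed sample in the keyring format written by `ceph auth export`.
# Keys are placeholders, not real secrets; client.mixed is a made-up entity.
SAMPLE_KEYRING = """\
[client.john]
    key = PLACEHOLDER-KEY-JOHN==
    caps mon = "allow r"
    caps osd = "allow rw pool=liverpool"
[client.brian-manager]
    key = PLACEHOLDER-KEY-BRIAN==
    caps mon = "allow *"
    caps osd = "allow *"
[client.mixed]
    key = PLACEHOLDER-KEY-MIXED==
    caps osd = "allow rw pool=liverpool, allow r"
[osd.1]
    key = PLACEHOLDER-KEY-OSD1==
    caps osd = "allow *"
"""

SECTION = re.compile(r"^\[(?P<entity>[^\]]+)\]\s*$")
CAPS = re.compile(r'^\s*caps\s+(?P<svc>\w+)\s*=\s*"(?P<spec>[^"]*)"\s*$')

def parse_keyring(text):
    """Return {entity: {service: caps string}} from keyring text."""
    entities, current = {}, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            current = entities.setdefault(m.group("entity"), {})
        elif (m := CAPS.match(line)) and current is not None:
            current[m.group("svc")] = m.group("spec")
    return entities

def unscoped_osd_grants(text, prefix="client."):
    """Map each entity under `prefix` to its OSD grants that name no pool."""
    findings = {}
    for entity, caps in parse_keyring(text).items():
        if not entity.startswith(prefix):
            continue  # daemon entities such as osd.N are out of scope here
        grants = [g.strip() for g in caps.get("osd", "").split(",") if g.strip()]
        loose = [g for g in grants if "pool=" not in g]  # one grant per comma
        if loose:
            findings[entity] = loose
    return findings

if __name__ == "__main__":
    for entity, grants in unscoped_osd_grants(SAMPLE_KEYRING).items():
        print(f"{entity}: OSD grant without pool restriction: {grants}")
```

Each comma-separated grant is checked on its own, so an entity that has one pool-scoped grant and one unscoped grant is still reported.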