PDA

View Full Version : Ceph authentication, secret key change



polezhaevdmi
24-Feb-2017, 16:58
Let's suppose the common Ceph cluster is just installed and running in an OK health. It has the administratirve user, which has a secret key.

[client.admin]
key = AQBar5RYl3mcARAA+axYUM0Y7nJazb2HEbsfIA==
The goal is: change the secret key to a given value, "AQBpUF1YPJ2eGRAAk1hBH2ETWAIhK2FqoayoJQ==", for example.
Is this goal achievable, at all?
If yes, how to achieve that?

- The direct keyring manipulation changes only 'client' key value, but not 'server'. As a result, cluster becomes unmanageable.

ceph-authtool ceph.client.admin.keyring --name client.admin --add-key AQBpUF1YPJ2eGRAAk1hBH2ETWAIhK2FqoayoJQ== --cap osd 'allow *' --cap mon 'allow profile osd' --cap mds 'allow *'
- The Ceph official documentation (http://docs.ceph.com/docs/master/rados/configuration/auth-config-ref/) says "Do not perform this step if a deployment tool has already done it for you. Be careful!"

ab
27-Feb-2017, 14:50
I do not know how to make this change, but while waiting for others do you
think you could explain the business case for this change to a particular
value? Also, could you help me understand why, with a newly-initialized
cluster, this was not setup to the value from the start?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

polezhaevdmi
10-Mar-2017, 17:29
I agree the case will be rare, but that might happen in such way, possibly:
- The cluster was deployed by third-party group;
- Admin key is distributed across multiple clients (administration, automation, orchestration, metering collection or something like that) by customer;
- Customer used cluster for long years;
- Eventually the cluster was completely lost;
- Initial installers are unavailable;
- Customer forgot about cluster key importance;
- Someone new deployed the fresh cluster;
- Customer restored his data from backup and tries to go into production;
- Customer sees all his Ceph-oriented tools are inoperable;

What the installer should do?
1. Reinstall the cluster from scratch with restore data from backup again?
2. Investigate the debris of customer's tools to find the way for key change?

Where are guys from HOLLYWOOD?! This is the blockbuster scenario! :)