KB450404 – Creating Client Keyrings & Permissions for CephFS Shares

Last modified: May 28, 2021


This guide will show how to create a new user, set permissions, set quotas, mount the share, and make them persistent on the client.

This guide assumes a CephFS directory setup with staging as a subdir, where cephx user:admin has rights to everything and cephx user:staging only has access to the staging dir.


  • Ceph cluster running filesystem
  • Linux client to mount ceph shares

Creating the user:

The admin cephx user will have full access to all of the ceph filesystem. To allow another user to access only the "staging" dir, first create the cephx user and their keyring.

# Create the new user's keyring
ceph-authtool --create-keyring /etc/ceph/ceph.client.staging.keyring --gen-key -n client.staging

After creating the user and keyring, go to the new /etc/ceph/ceph.client.staging.keyring and edit the file to have the needed capabilities.


# Add the capabilities to the user's keyring. The file should look like
# the below when complete. Be sure to edit the file paths to the correct
# location depending on environment.
# Also note the key will be different from the example below. This is
[client.staging]
key = AQDG1ypfl7roNBAAjPjUgpTNn93UB3jkTFEGjw==
caps mds = "allow r path=/, allow rwps path=/staging"
caps mon = "allow r"
caps osd = "allow *"

Note the different permission definitions:

r = read

w = write

p = Layout and Quota restriction (i.e. data layouts like dir pinning, and quotas; essentially you need this to set xattrs)

s = snapshots

More detail
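
Because these capability strings decide what the keyring can reach, it is worth checking the file before it is imported. The following is an added example, not part of the original article: a shell function that parses the `caps mds` and `caps osd` lines and reports MDS grants beyond read outside the intended subdirectory, and OSD grants that are not limited to a pool or tag. The function names, the entities other than client.staging, the pool name cephfs_data and the filesystem name cephfs are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit cephx caps in a keyring file (helper names are assumptions).
# audit_keyring_caps KEYRING SUBDIR prints one finding per line; status 1 if any.
audit_keyring_caps() {
  awk -v allowed="$2" '
    function finding(msg) { print entity ": " msg; n++ }
    /^[ \t]*\[/ { entity = $0; gsub(/\[|\]|[ \t]/, "", entity); next }
    /^[ \t]*caps[ \t]+(mds|osd)[ \t]*=/ {
      svc = ($0 ~ /caps[ \t]+mds/) ? "mds" : "osd"
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/"/, "", val)
      ngr = split(val, grants, /[ \t]*,[ \t]*/)
      for (i = 1; i <= ngr; i++) {
        nf = split(grants[i], f, /[ \t]+/)
        perms = f[2]; path = "/"          # no path= means the whole filesystem
        for (k = 3; k <= nf; k++) if (f[k] ~ /^path=/) path = substr(f[k], 6)
        inside = (path == allowed || index(path, allowed "/") == 1)
        if (svc == "mds" && perms != "r" && !inside)
          finding("mds grants " perms " on " path ", outside " allowed)
        if (svc == "osd" && perms == "*")
          finding("osd allow * covers every pool and OSD admin commands")
        else if (svc == "osd" && grants[i] !~ /pool=|tag /)
          finding("osd grant is not limited to a pool or tag")
      }
    }
    END { exit (n > 0) }
  ' "$1"
}

# Constructed sample: the first entity uses the caps shown in this article; the
# other entities, the key placeholder and the fs name "cephfs" are hypothetical.
sample_keyring() {
  cat <<'EOF'
[client.staging]
    key = CONSTRUCTED-PLACEHOLDER==
    caps mds = "allow r path=/, allow rwps path=/staging"
    caps mon = "allow r"
    caps osd = "allow *"
[client.staging-scoped]
    caps mds = "allow r path=/, allow rwps path=/staging"
    caps osd = "allow rw tag cephfs data=cephfs"
[client.broad]
    caps mds = "allow rw"
    caps osd = "allow rw pool=cephfs_data"
EOF
}

tmp=$(mktemp) && sample_keyring > "$tmp"
audit_keyring_caps "$tmp" /staging || echo "review the findings above"
rm -f "$tmp"
```

On the sample, the article's caps are flagged only for the OSD grant, since the MDS path restriction does not narrow which pools the key can reach; the scoped entity passes and the entity with an unrestricted `allow rw` is flagged on the MDS side.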


After adding the new capabilities, we now need to import the new client into the ceph cluster.

# Import new client keyring into the ceph cluster
ceph auth import -i /etc/ceph/ceph.client.staging.keyring

Once the keyring is created, we would run the following command to create a secret file from the key to be used.

# Creating a secretfile from the keyring
ceph auth get-key client.staging > staging.secret

# Copy the secretfile to the client
scp staging.secret root@clientIP:/etc/ceph

Creating the CephFS share:

Mount the CephFS somewhere in the system to be able to create directories. Let's mount the root directory now as the admin user.

mkdir /mnt/cephfs

Next create the mount

mount -t ceph OSD1:/ /mnt/cephfs -o

And next create a subdirectory named staging

mkdir /mnt/cephfs/staging

Mount on Clients:

Make the directory for mounting on the client machine

mkdir /mnt/staging

And now add the mount to the client

mount -t ceph OSD1:/staging /mnt/staging -o


To verify it is successful, on the client create a new directory within the /mnt directory

mkdir /mnt/cephfs

Now cd into the new dir

cd /mnt/cephfs

Run an ls command and choose one to cd into.

cd /mnt/cephfs/*

Now try to create a file with the touch command

touch test

If successful, you should get a permission denied warning, as the client only has access to the /mnt/cephfs/staging dir.



