Guided Exercise: Managing Ceph Authentication

In this exercise, you will configure user authentication by setting up users for an application that stores and retrieves documents as RADOS objects.

Outcomes

You should be able to configure user authentication and capabilities to store and retrieve objects in the cluster.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

[student@workstation ~]$ lab start component-auth

This command confirms that the hosts required for this exercise are accessible.

Procedure 4.3. Instructions

  1. Log in to clienta as the admin user and switch to the root user.

    [student@workstation ~]$ ssh admin@clienta
    [admin@clienta ~]$ sudo -i
    [root@clienta ~]$
  2. Configure two users for an application with the following capabilities. The first user, client.docedit, stores and retrieves documents in the docs namespace of the replpool1 pool. The second user, client.docget, only retrieves documents from the replpool1 pool.

    Note

    The tee command is used to save the command output to a file instead of the -o option. This technique is needed because the cephadm container does not retain files written inside it after the command exits.

    1. Use the cephadm shell to create the client.docedit user with read and write capabilities in the docs namespace within the replpool1 pool. Save the associated key-ring file by using the appropriate directory and file name: /etc/ceph/ceph.client.docedit.keyring

      [root@clienta ~]$ cephadm shell -- ceph auth get-or-create client.docedit \
       mon 'allow r' osd 'allow rw pool=replpool1 namespace=docs' | sudo tee \
       /etc/ceph/ceph.client.docedit.keyring
    2. Use the cephadm shell to create the client.docget user with read capabilities in the docs namespace within the replpool1 pool. Save the associated key-ring file by using the appropriate directory and file name: /etc/ceph/ceph.client.docget.keyring

      [root@clienta ~]$ cephadm shell -- ceph auth get-or-create client.docget \
       mon 'allow r' osd 'allow r pool=replpool1 namespace=docs' | sudo tee \
       /etc/ceph/ceph.client.docget.keyring
    3. Verify that you created both user names correctly.

      [root@clienta ~]$ cephadm shell -- ceph auth ls | grep -A3 -ie docedit \
       -ie docget
      installed auth entries:
      
      client.docedit
      	key: AQARyFNhUVqjLxAAvD/00leu3V93+e9umSTBKQ==
      	caps: [mon] allow r
      	caps: [osd] allow rw pool=replpool1 namespace=docs
      client.docget
      	key: AQDByFNhac58MxAA/ukJXL52cpsQLw65zZ+WcQ==
      	caps: [mon] allow r
      	caps: [osd] allow r pool=replpool1 namespace=docs
      installed auth entries:
  3. Your application is running on serverd. Copy the users' key-ring files to that server to allow the application to authenticate with the cluster.

    [root@clienta ~]$ rsync -v /etc/ceph/ceph.client.docedit.keyring \
     serverd:/etc/ceph/
    ceph.client.docedit.keyring
    
    sent 170 bytes  received 35 bytes  136.67 bytes/sec
    total size is 65  speedup is 0.32
    [root@clienta ~]$ rsync -v /etc/ceph/ceph.client.docget.keyring \
     serverd:/etc/ceph/
    ceph.client.docget.keyring
    
    sent 168 bytes  received 35 bytes  135.33 bytes/sec
    total size is 64  speedup is 0.32
  4. Use the cephadm shell with the --mount option to mount the /etc/ceph directory. Store and retrieve an object to verify that the key-rings are working correctly. The two files should be identical, which the diff command confirms by producing no output.

    [root@clienta ~]$ cephadm shell --mount /etc/ceph/:/etc/ceph
    [ceph: root@clienta /]# rados --id docedit -p replpool1 -N docs put \
     adoc /etc/hosts
    [ceph: root@clienta /]# rados --id docget -p replpool1  -N docs get \
     adoc /tmp/test
    [ceph: root@clienta /]# diff /etc/hosts /tmp/test
  5. Your application evolves over time and now the client.docget user also needs write access to the docs namespace within the replpool1 pool. This user also needs to store documents in the docarchive pool.

    Confirm that the client.docget user cannot store objects yet in the docs namespace within the replpool1 pool:

    [ceph: root@clienta /]# rados --id docget -p replpool1 -N docs put \
     mywritetest /etc/hosts
    error putting mypool/mywritetest: (1) Operation not permitted
  6. Grant the client.docget user rw capabilities on the docs namespace within the replpool1 pool, and rw capabilities on the not-yet-created docarchive pool. Confirm that the client.docget user can now store objects in the docs namespace.

    [ceph: root@clienta /]# ceph auth caps client.docget mon 'allow r' \
     osd 'allow rw pool=replpool1 namespace=docs, allow rw pool=docarchive'
    updated caps for client.docget
    [ceph: root@clienta /]# rados --id docget -p replpool1 -N docs put \
     mywritetest /etc/hosts

    You must define the complete set of user capabilities with the ceph auth caps command because it overwrites the previous definition rather than adding to it. You can define capabilities on pools that do not exist yet, such as the docarchive pool.

  7. Exit the cephadm shell and clean up by deleting the client.docedit and the client.docget users. Remove the associated key-ring files.

    [ceph: root@clienta /]# exit
    [root@clienta ~]$ rm /etc/ceph/ceph.client.docedit.keyring
    [root@clienta ~]$ ssh serverd rm /etc/ceph/ceph.client.docedit.keyring
    [root@clienta ~]$ cephadm shell -- ceph auth del client.docedit
    updated
    [root@clienta ~]$ rm /etc/ceph/ceph.client.docget.keyring
    [root@clienta ~]$ ssh serverd rm /etc/ceph/ceph.client.docget.keyring
    [root@clienta ~]$ cephadm shell -- ceph auth del client.docget
    updated
  8. Return to workstation as the student user.

    [root@clienta ~]$ exit
    [admin@clienta ~]$ exit
    [student@workstation ~]$
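
A small audit script, added here as an example and not part of the course material, that parses output in the ceph auth ls format from step 2 and flags any osd capability that is not scoped to a pool or that uses a wildcard. The auth listing is a constructed sample with placeholder keys, and client.legacyapp is an invented entity included only to show a broad grant being caught.

```shell
#!/bin/sh
# Constructed sample in the `ceph auth ls` format; placeholder keys, tab or space indent.
SAMPLE_AUTH_LS='client.docedit
    key: PLACEHOLDER_KEY_1
    caps: [mon] allow r
    caps: [osd] allow rw pool=replpool1 namespace=docs
client.docget
    key: PLACEHOLDER_KEY_2
    caps: [mon] allow r
    caps: [osd] allow rw pool=replpool1 namespace=docs, allow rw pool=docarchive
client.legacyapp
    key: PLACEHOLDER_KEY_3
    caps: [mon] allow *
    caps: [osd] allow *'

# osd_caps ENTITY: print the [osd] cap string of ENTITY (empty if none).
osd_caps() {
    printf '%s\n' "$SAMPLE_AUTH_LS" | awk -v who="$1" '
        /^[^[:space:]]/ { cur = $1; next }
        cur == who && $1 == "caps:" && $2 == "[osd]" {
            sub(/^[[:space:]]*caps: \[osd\] /, ""); print; exit
        }'
}

# audit_entity ENTITY: report each osd grant (grants are comma separated); return 0
# only when every grant names a pool and uses no wildcard (least-privilege pattern).
audit_entity() {
    caps=$(osd_caps "$1")
    if [ -z "$caps" ]; then
        echo "$1: no [osd] caps found"
        return 2
    fi
    printf '%s\n' "$caps" | tr ',' '\n' | sed 's/^ *//' | while read -r g; do
        case "$g" in
            *'*'*)   echo "$1: BROAD (wildcard) $g" ;;
            *pool=*) echo "$1: ok              $g" ;;
            *)       echo "$1: BROAD (no pool) $g" ;;
        esac
    done
    bad=$(printf '%s\n' "$caps" | tr ',' '\n' \
          | awk '/\*/ || !/pool=/ { n++ } END { print n + 0 }')
    [ "$bad" -eq 0 ]
}

rc=0
for e in client.docedit client.docget client.legacyapp; do
    audit_entity "$e" || rc=1
done
echo "audit result: $rc (0 = all grants pool-scoped, 1 = at least one broad grant)"
```

Against a live cluster, replace the sample text with the output of cephadm shell -- ceph auth ls.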

Finish

On the workstation machine, use the lab command to complete this exercise. This is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish component-auth

This concludes the guided exercise.

Revision: cl260-5.0-29d2128