3 =================================================
4 ceph-authtool -- ceph keyring manipulation tool
5 =================================================
7 .. program:: ceph-authtool
12 | **ceph-authtool** *keyringfile*
15 [ -C | --create-keyring ]
18 [ --import-keyring *otherkeyringfile* ]
19 [ -n | --name *entityname* ]
20 [ -a | --add-key *base64_key* ]
21 [ --cap *subsystem* *capability* ]
29 **ceph-authtool** is a utility to create, view, and modify a Ceph keyring
30 file. A keyring file stores one or more Ceph authentication keys and
31 possibly an associated capability specification. Each key is
32 associated with an entity name, of the form
33 ``{client,mon,mds,osd}.name``.
35 **WARNING** Ceph provides authentication and protection against
36 man-in-the-middle attacks once secret keys are in place. However,
37 data over the wire is not encrypted, which may include the messages
38 used to configure said keys. The system is primarily intended to be
39 used in trusted environments.
44 .. option:: -l, --list
46 will list all keys and capabilities present in the keyring
48 .. option:: -p, --print-key
50 will print an encoded key for the specified entityname. This is
51 suitable for the ``mount -o secret=`` argument
53 .. option:: -C, --create-keyring
55 will create a new keyring, overwriting any existing keyringfile
57 .. option:: -g, --gen-key
59 will generate a new secret key for the specified entityname
61 .. option:: --gen-print-key
63 will generate a new secret key for the specified entityname,
64 without altering the keyringfile, printing the secret to stdout
66 .. option:: --import-keyring *secondkeyringfile*
68 will import the content of a given keyring to the keyringfile
70 .. option:: -n, --name *name*
72 specify entityname to operate on
74 .. option:: -a, --add-key *base64_key*
76 will add an encoded key to the keyring
78 .. option:: --cap *subsystem* *capability*
80 will set the capability for given subsystem
82 .. option:: --caps *capsfile*
84 will set all of capabilities associated with a given key, for all subsystems
86 .. option:: --mode *mode*
88 will set the desired file mode to the keyring e.g: 0644, defaults to 0600
94 The subsystem is the name of a Ceph subsystem: ``mon``, ``mds``, or
97 The capability is a string describing what the given user is allowed
98 to do. This takes the form of a comma separated list of allow
99 clauses with a permission specifier containing one or more of rwx for
100 read, write, and execute permission. The ``allow *`` grants full
101 superuser permissions for the given subsystem.
105 # can read, write, and execute objects
108 # can access mds server
111 # can modify cluster state (i.e., is a server daemon)
114 A librados user restricted to a single pool might look like::
118 osd = "allow rw pool foo"
120 A client using rbd with read access to one pool and read/write access to another::
124 osd = "allow class-read object_prefix rbd_children, allow pool templates r class-read, allow pool vms rwx"
126 A client mounting the file system with minimal permissions would need caps like::
130 osd = "allow rw pool data"
138 In general, an osd capability follows the grammar::
140 osdcap := grant[,grant...]
141 grant := allow (match capspec | capspec match)
142 match := [ pool[=]<poolname> | object_prefix <prefix>
143 | namespace[=]<rados-namespace>
144 | tag <application-name> <key>=<value> ]
145 capspec := * | [r][w][x] [class-read] [class-write]
147 The capspec determines what kind of operations the entity can perform::
149 r = read access to objects
150 w = write access to objects
151 x = can call any class method (same as class-read class-write)
152 class-read = can call class methods that are reads
153 class-write = can call class methods that are writes
154 * or "all" = equivalent to rwx, plus the ability to run osd admin commands,
155 i.e. ceph osd tell ...
157 The match criteria restrict a grant based on the pool being accessed.
158 Grants are additive if the client fulfills the match condition. For
159 example, if a client has the osd capabilities: "allow r object_prefix
160 prefix, allow w pool foo, allow x pool bar", then it has rw access to
161 pool foo, rx access to pool bar, and r access to objects whose
162 names begin with 'prefix' in any pool.
167 The caps file format consists of zero or more key/value pairs, one per
168 line. The key and value are separated by an ``=``, and the value must
169 be quoted (with ``'`` or ``"``) if it contains any whitespace. The key
170 is the name of the Ceph subsystem (``osd``, ``mds``, ``mon``), and the
171 value is the capability string (see above).
177 To create a new keyring containing a key for client.foo with a 0644 file mode::
179 ceph-authtool -C -n client.foo --gen-key keyring --mode 0644
181 To associate some capabilities with the key (namely, the ability to
182 mount a Ceph file system)::
184 ceph-authtool -n client.foo --cap mds 'allow' --cap osd 'allow rw pool=data' --cap mon 'allow r' keyring
186 To display the contents of the keyring::
188 ceph-authtool -l keyring
190 When mounting a Ceph file system, you can grab the appropriately encoded secret key with::
192 mount -t ceph serverhost:/ mountpoint -o name=foo,secret=`ceph-authtool -p -n client.foo keyring`
198 **ceph-authtool** is part of Ceph, a massively scalable, open-source, distributed storage system. Please
199 refer to the Ceph documentation at http://ceph.com/docs for more
206 :doc:`ceph <ceph>`\(8)