3 =================================================
4 ceph-authtool -- ceph keyring manipulation tool
5 =================================================
7 .. program:: ceph-authtool
12 | **ceph-authtool** *keyringfile*
15 [ -C | --create-keyring ]
18 [ --import-keyring *otherkeyringfile* ]
19 [ -n | --name *entityname* ]
20 [ -u | --set-uid *auid* ]
21 [ -a | --add-key *base64_key* ]
22 [ --cap *subsystem* *capability* ]
30 **ceph-authtool** is a utility to create, view, and modify a Ceph keyring
31 file. A keyring file stores one or more Ceph authentication keys and
32 possibly an associated capability specification. Each key is
33 associated with an entity name, of the form
34 ``{client,mon,mds,osd}.name``.
36 **WARNING** Ceph provides authentication and protection against
37 man-in-the-middle attacks once secret keys are in place. However,
38 data over the wire is not encrypted, which may include the messages
39 used to configure said keys. The system is primarily intended to be
40 used in trusted environments.
45 .. option:: -l, --list
47 will list all keys and capabilities present in the keyring
49 .. option:: -p, --print-key
51 will print an encoded key for the specified entityname. This is
52 suitable for the ``mount -o secret=`` argument
54 .. option:: -C, --create-keyring
56 will create a new keyring, overwriting any existing keyringfile
58 .. option:: -g, --gen-key
60 will generate a new secret key for the specified entityname
62 .. option:: --gen-print-key
64 will generate a new secret key for the specified entityname,
65 without altering the keyringfile, printing the secret to stdout
67 .. option:: --import-keyring *secondkeyringfile*
69 will import the content of a given keyring to the keyringfile
71 .. option:: -n, --name *name*
73 specify entityname to operate on
75 .. option:: -u, --set-uid *auid*
77 sets the auid (authenticated user id) for the specified entityname
79 .. option:: -a, --add-key *base64_key*
81 will add an encoded key to the keyring
83 .. option:: --cap *subsystem* *capability*
85 will set the capability for given subsystem
87 .. option:: --caps *capsfile*
89 will set all of capabilities associated with a given key, for all subsystems
91 .. option:: --mode *mode*
93 will set the desired file mode to the keyring e.g: 0644, defaults to 0600
99 The subsystem is the name of a Ceph subsystem: ``mon``, ``mds``, or
102 The capability is a string describing what the given user is allowed
103 to do. This takes the form of a comma separated list of allow
104 clauses with a permission specifier containing one or more of rwx for
105 read, write, and execute permission. The ``allow *`` grants full
106 superuser permissions for the given subsystem.
110 # can read, write, and execute objects
113 # can access mds server
116 # can modify cluster state (i.e., is a server daemon)
119 A librados user restricted to a single pool might look like::
123 osd = "allow rw pool foo"
125 A client using rbd with read access to one pool and read/write access to another::
129 osd = "allow class-read object_prefix rbd_children, allow pool templates r class-read, allow pool vms rwx"
131 A client mounting the file system with minimal permissions would need caps like::
135 osd = "allow rw pool data"
143 In general, an osd capability follows the grammar::
145 osdcap := grant[,grant...]
146 grant := allow (match capspec | capspec match)
147 match := [pool[=]<poolname> | object_prefix <prefix>]
148 capspec := * | [r][w][x] [class-read] [class-write]
150 The capspec determines what kind of operations the entity can perform::
152 r = read access to objects
153 w = write access to objects
154 x = can call any class method (same as class-read class-write)
155 class-read = can call class methods that are reads
156 class-write = can call class methods that are writes
157 * = equivalent to rwx, plus the ability to run osd admin commands,
158 i.e. ceph osd tell ...
160 The match criteria restrict a grant based on the pool being accessed.
161 Grants are additive if the client fulfills the match condition. For
162 example, if a client has the osd capabilities: "allow r object_prefix
163 prefix, allow w pool foo, allow x pool bar", then it has rw access to
164 pool foo, rx access to pool bar, and r access to objects whose
165 names begin with 'prefix' in any pool.
170 The caps file format consists of zero or more key/value pairs, one per
171 line. The key and value are separated by an ``=``, and the value must
172 be quoted (with ``'`` or ``"``) if it contains any whitespace. The key
173 is the name of the Ceph subsystem (``osd``, ``mds``, ``mon``), and the
174 value is the capability string (see above).
180 To create a new keyring containing a key for client.foo with a 0644 file mode::
182 ceph-authtool -C -n client.foo --gen-key keyring --mode 0644
184 To associate some capabilities with the key (namely, the ability to
185 mount a Ceph filesystem)::
187 ceph-authtool -n client.foo --cap mds 'allow' --cap osd 'allow rw pool=data' --cap mon 'allow r' keyring
189 To display the contents of the keyring::
191 ceph-authtool -l keyring
193 When mounting a Ceph file system, you can grab the appropriately encoded secret key with::
195 mount -t ceph serverhost:/ mountpoint -o name=foo,secret=`ceph-authtool -p -n client.foo keyring`
201 **ceph-authtool** is part of Ceph, a massively scalable, open-source, distributed storage system. Please
202 refer to the Ceph documentation at http://ceph.com/docs for more
209 :doc:`ceph <ceph>`\(8)