Ceph authentication
To identify users and protect against man-in-the-middle attacks, Ceph provides its cephx authentication system, which authenticates users and daemons. The cephx protocol does not address data encryption for data transported over the network or data stored in OSDs.

Cephx uses shared secret keys for authentication, meaning both the client and the monitor cluster have a copy of the client’s secret key. The authentication protocol enables both parties to prove to each other that they have a copy of the key without actually revealing it. This provides mutual authentication, which means the cluster is sure the user possesses the secret key, and the user is sure that the cluster has a copy of the secret key.
Cephx
The cephx authentication protocol operates in a manner similar to Kerberos. A user/actor invokes a Ceph client to contact a monitor. Unlike Kerberos, each monitor can authenticate users and distribute keys, so there is no single point of failure or bottleneck when using cephx. The monitor returns an authentication data structure similar to a Kerberos ticket that contains a session key for use in obtaining Ceph services. This session key is itself encrypted with the user’s permanent secret key, so that only the user can request services from the Ceph monitors. The client then uses the session key to request its desired services from the monitor, and the monitor provides the client with a ticket that will authenticate the client to the OSDs that actually handle data. Ceph monitors and OSDs share a secret, so the client can use the ticket provided by the monitor with any OSD or metadata server in the cluster. Like Kerberos, cephx tickets expire, so an attacker cannot use an expired ticket or session key obtained surreptitiously. This form of authentication will prevent attackers with access to the communications medium from either creating bogus messages under another user’s identity or altering another user’s legitimate messages, as long as the user’s secret key is not divulged before it expires.
To use cephx, an administrator must set up users first. In the following diagram, the client.admin user invokes ceph auth get-or-create-key from the command line to generate a username and secret key. Ceph’s auth subsystem generates the username and key, stores a copy with the monitor(s) and transmits the user’s secret back to the client.admin user. This means that the client and the monitor share a secret key. The client.admin user must provide the user ID and secret key to the user in a secure manner.
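The key setup and the ticket exchange described above, as an added example that is not part of the Ceph documentation or code base: a stdlib-only Python sketch in which a monitor stores a user's permanent key, hands back a session key sealed under that key and an OSD ticket sealed under the monitor/OSD shared secret, and an OSD accepts a request only with an unexpired ticket and an HMAC proof of the session key. HMAC-based sealing stands in for the AES real cephx uses, and the Monitor class and function names are assumptions for illustration.

```python
import hashlib, hmac, json, os

def _xor_stream(key, nonce, data):
    # Stand-in for the AES used by real cephx: XOR with an HMAC-derived keystream (stdlib only).
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, obj):
    # Encrypt-then-MAC a JSON object under a shared key; only holders of `key` can open it.
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return json.loads(_xor_stream(key, nonce, ct))

class Monitor:  # hypothetical model of the monitor's auth role, not Ceph's own code
    def __init__(self, osd_secret):
        self.osd_secret = osd_secret  # secret shared by monitors and OSDs
        self.users = {}               # entity name -> permanent secret key

    def auth_get_or_create_key(self, entity):
        # Models `ceph auth get-or-create-key`: the monitor keeps a copy, the admin hands the key to the user.
        return self.users.setdefault(entity, os.urandom(32))

    def authenticate(self, entity, now, ttl=3600):
        # Kerberos-style reply: the session key sealed with the user's permanent key (only that
        # user can read it) plus a service ticket sealed with the monitor/OSD secret (only OSDs can).
        session_key = os.urandom(32).hex()
        body = {"entity": entity, "session_key": session_key, "expires": now + ttl}
        return seal(self.users[entity], body), seal(self.osd_secret, body)

def client_prove(session_key_hex, request):
    # Proof of possession: an HMAC over the request; the session key itself never goes on the wire.
    return hmac.new(bytes.fromhex(session_key_hex), request, hashlib.sha256).digest()

def osd_accept(osd_secret, ticket, request, proof, now):
    # OSD side: open the ticket with the shared secret, reject expired tickets, then verify the proof.
    try:
        t = unseal(osd_secret, ticket)
    except ValueError:
        return False
    if now >= t["expires"]:
        return False
    return hmac.compare_digest(client_prove(t["session_key"], request), proof)
```

An altered request, an expired ticket, or a ticket sealed under a different secret is refused by osd_accept, while only the holder of the permanent key can unseal the session key in the first place.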