Enabling and Securing the Ceph API module

The IBM Storage Ceph Dashboard module offers RESTful API access to the storage cluster over an SSL-secured connection.

Important: If you disable SSL, user names and passwords are sent unencrypted to the IBM Storage Ceph Dashboard.

Prerequisites

  • Root-level access to a Ceph Monitor node.

  • Ensure that you have at least one ceph-mgr daemon active.

  • If you use a firewall, ensure that TCP port 8443, for SSL, and TCP port 8080, without SSL, are open on the node with the active ceph-mgr daemon.

Procedure

  1. Log into the cephadm shell:

    Example

    [root@host01 ~]# cephadm shell
  2. Enable the RESTful plug-in:

    [ceph: root@host01 /]# ceph mgr module enable dashboard
  3. Configure an SSL certificate.

    1. If your organization’s certificate authority (CA) provides a certificate, then set the certificate and its key by using the certificate files:

      Syntax

      ceph dashboard set-ssl-certificate HOST_NAME -i CERT_FILE
      ceph dashboard set-ssl-certificate-key HOST_NAME -i KEY_FILE

      Example

      [ceph: root@host01 /]# ceph dashboard set-ssl-certificate -i dashboard.crt
      [ceph: root@host01 /]# ceph dashboard set-ssl-certificate-key -i dashboard.key

      To set a unique certificate for each node, add the HOST_NAME argument to the commands:

      Example

      [ceph: root@host01 /]# ceph dashboard set-ssl-certificate host01 -i dashboard.crt
      [ceph: root@host01 /]# ceph dashboard set-ssl-certificate-key host01 -i dashboard.key
    2. Alternatively, you can generate a self-signed certificate. However, a self-signed certificate does not provide the full security benefits of the HTTPS protocol:

      [ceph: root@host01 /]# ceph dashboard create-self-signed-cert
      Warning: Most modern web browsers will complain about self-signed certificates, which require you to confirm before establishing a secure connection.
  4. Create a user, set the password, and set the role:

    Syntax

    echo -n "PASSWORD" > PATH_TO_FILE/PASSWORDFILE
    ceph dashboard ac-user-create USERNAME -i PASSWORDFILE ROLE

    Example

    [ceph: root@host01 /]# echo -n "p@ssw0rd" > /root/dash-password.txt
    [ceph: root@host01 /]# ceph dashboard ac-user-create user1 -i /root/dash-password.txt administrator

    This example creates a user named user1 with the administrator role.

  5. Connect to the RESTful plug-in web page. Open a web browser and enter the following URL:

    Syntax

    https://HOST_NAME:8443

    Example

    https://host01:8443

    If you used a self-signed certificate, confirm a security exception.
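
The `echo -n "PASSWORD"` command in step 4 leaves the password in the shell history and creates the file with whatever permissions the current umask allows. The following added example (not part of the IBM documentation) reads the password from standard input into an owner-only file and deletes that file after `ceph dashboard ac-user-create` returns. The function names and the temporary-file location are assumptions.

```shell
#!/bin/sh
# Added example, not IBM's code. Function names and the temp-file location
# are assumptions; the ceph command line is the one from step 4.

# Read one line (the password) from stdin into a new owner-only file and
# print the file's path. Nothing secret is passed on a command line, so it
# does not end up in shell history or the process list.
stage_dash_password() {
    local file pw
    # Subshell keeps the umask change local; mktemp creates the file 0600.
    file=$(umask 077 && mktemp "${TMPDIR:-/tmp}/dash-password.XXXXXX") || return 1
    IFS= read -r pw || true            # tolerate input without a final newline
    if [ -z "$pw" ]; then rm -f "$file"; return 1; fi
    printf '%s' "$pw" > "$file"        # no trailing newline, like echo -n
    printf '%s\n' "$file"
}

# Succeed only for a regular, non-symlink file with mode exactly 0600.
dash_password_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage: create_dash_user USERNAME ROLE < password-source
# Removes the staged file whether or not the ceph command succeeded.
create_dash_user() {
    local file rc=0
    file=$(stage_dash_password) || { echo "empty password or mktemp failed" >&2; return 1; }
    if ! dash_password_file_is_private "$file"; then
        rm -f "$file"; return 1
    fi
    ceph dashboard ac-user-create "$1" -i "$file" "$2" || rc=$?
    rm -f "$file"
    return "$rc"
}
```

Run the functions inside the cephadm shell, for example `create_dash_user user1 administrator` with the password supplied on standard input.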

Reference

  • The ceph dashboard --help command.

  • The https://HOST_NAME:8443/doc page, where HOST_NAME is the IP address or name of the node with the running ceph-mgr instance.

  • The Security hardening guide for your Red Hat Enterprise Linux version on Red Hat Documentation.