Enabling Cephx

When cephx is enabled, Ceph will look for the keyring in the default search path, which includes /etc/ceph/$cluster.$name.keyring. You can override this location by adding a keyring option in the [global] section of the Ceph configuration file, but this is not recommended.

Run the following procedures to enable cephx on a cluster with authentication disabled. If you or your deployment utility have already generated the keys, you may skip the steps related to generating keys.

Prerequisites

  • A running IBM Storage Ceph cluster.

  • Root-level access to the Ceph Monitor node.

Procedure

  1. Create a client.admin key, and save a copy of the key for your client host:

    [root@mon ~]# ceph auth get-or-create client.admin mon 'allow *' osd 'allow *' -o /etc/ceph/ceph.client.admin.keyring
    Warning: This will overwrite the contents of any existing /etc/ceph/ceph.client.admin.keyring file (the path given with -o). Do not perform this step if a deployment tool has already done it for you.
  2. Create a keyring for the monitor cluster and generate a monitor secret key:

     [root@mon ~]# ceph-authtool --create-keyring /tmp/ceph.mon.keyring --gen-key -n mon. --cap mon 'allow *'
  3. Copy the monitor keyring into the keyring file in every monitor's data directory (/var/lib/ceph/mon/$cluster-$id/keyring). For example, to copy it to mon.a in cluster ceph, use the following:

     [root@mon ~]# cp /tmp/ceph.mon.keyring /var/lib/ceph/mon/ceph-a/keyring
  4. Generate a secret key for every OSD, where _ID_ is the OSD number. Quote the capability strings so the shell does not split them or expand the `*`:

     [root@mon ~]# ceph auth get-or-create osd.ID mon 'allow rwx' osd 'allow *' -o /var/lib/ceph/osd/ceph-ID/keyring
  5. By default the cephx authentication protocol is enabled.

    Note: If cephx was previously disabled by setting the authentication options to none, remove the following lines from the [global] section of the Ceph configuration file (/etc/ceph/ceph.conf) to re-enable it:
    auth_cluster_required = none
    auth_service_required = none
    auth_client_required = none
  6. Start or restart the Ceph storage cluster.

    Important:

    Enabling cephx requires downtime: the cluster must either be completely restarted, or be shut down and then started while client I/O is disabled. Set these flags before restarting or shutting down the storage cluster:

    [root@mon ~]# ceph osd set noout
     [root@mon ~]# ceph osd set norecover
     [root@mon ~]# ceph osd set norebalance
     [root@mon ~]# ceph osd set nobackfill
     [root@mon ~]# ceph osd set nodown
     [root@mon ~]# ceph osd set pause

    Once cephx is enabled and all PGs are active and clean, unset the flags:

    [root@mon ~]# ceph osd unset noout
     [root@mon ~]# ceph osd unset norecover
     [root@mon ~]# ceph osd unset norebalance
     [root@mon ~]# ceph osd unset nobackfill
     [root@mon ~]# ceph osd unset nodown
     [root@mon ~]# ceph osd unset pause
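The following script is an added example and is not part of the IBM Storage Ceph documentation or the Ceph project. It is a pre-flight check for the procedure above: it detects the auth_*_required = none lines from step 5 in a ceph.conf and writes a cleaned copy, checks that keyring files created in steps 1 to 4 are readable only by their owner, and emits the step 6 flag commands in a dry-run mode so the sequence can be reviewed before it is run. The sample ceph.conf and keyring files are constructed in a temporary directory for the demo; on a real Monitor node you would point it at /etc/ceph/ceph.conf and the real keyrings, and leave DRY_RUN unset so the ceph commands actually execute. The function names and DRY_RUN variable are this example's own, not Ceph options.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM Storage Ceph docs): pre-flight checks for
# enabling cephx. All paths below are constructed for the demo.

# Return 0 if any auth_{cluster,service,client}_required option under
# [global] is set to "none" (i.e. cephx is forced off), 1 otherwise.
# Both spellings Ceph accepts ("auth cluster required" / auth_cluster_required)
# are matched; commented lines (# or ;) do not match.
cephx_disabled_in_conf() {
  awk '
    /^[[:space:]]*\[/ { s = $0; gsub(/[][]/, "", s); gsub(/[[:space:]]/, "", s); next }
    s == "global" && /^[[:space:]]*auth[ _](cluster|service|client)[ _]required[[:space:]]*=/ {
      v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
      if (tolower(v) == "none") found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Write a copy of conf $1 to $2 with the [global] auth_*_required = none
# lines removed (step 5 of the procedure). Everything else is kept verbatim.
strip_cephx_none_lines() {
  awk '
    /^[[:space:]]*\[/ { s = $0; gsub(/[][]/, "", s); gsub(/[[:space:]]/, "", s) }
    s == "global" && tolower($0) ~ /^[[:space:]]*auth[ _](cluster|service|client)[ _]required[[:space:]]*=[[:space:]]*none[[:space:]]*$/ { next }
    { print }
  ' "$1" > "$2"
}

# Return 0 if $1 is a regular file readable only by its owner (0600 or 0400).
# Uses ls -l rather than stat so it behaves the same on GNU and BSD userland.
keyring_perms_ok() {
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c2-10)" in
    rw-------|r--------) return 0 ;;
    *) return 1 ;;
  esac
}

# The flags from the "Important" note, in the order the procedure lists them.
OSD_FLAGS="noout norecover norebalance nobackfill nodown pause"

# osd_flags set|unset: run "ceph osd <set|unset> <flag>" for every flag, or
# only print the commands when DRY_RUN (this example's variable) is non-empty.
osd_flags() {
  local flag
  for flag in $OSD_FLAGS; do
    if [ -n "${DRY_RUN:-}" ]; then
      printf 'ceph osd %s %s\n' "$1" "$flag"
    else
      ceph osd "$1" "$flag"
    fi
  done
}

# ---- constructed demo input -------------------------------------------------
DEMO="$(mktemp -d)"
cat > "$DEMO/ceph.conf" <<'EOF'
[global]
mon host = 192.0.2.10
auth_cluster_required = none
auth service required = NONE
auth_client_required = none

[osd]
osd journal size = 1024
EOF
strip_cephx_none_lines "$DEMO/ceph.conf" "$DEMO/ceph.conf.fixed"

# Two constructed keyrings: one with sane permissions, one left world-readable.
printf '[client.admin]\n\tkey = EXAMPLE-NOT-A-REAL-KEY\n' > "$DEMO/ceph.client.admin.keyring"
chmod 0600 "$DEMO/ceph.client.admin.keyring"
printf '[mon.]\n\tkey = EXAMPLE-NOT-A-REAL-KEY\n' > "$DEMO/ceph.mon.keyring"
chmod 0644 "$DEMO/ceph.mon.keyring"

# ---- report -------------------------------------------------------------------
if cephx_disabled_in_conf "$DEMO/ceph.conf"; then
  echo "ceph.conf: cephx is forced off by auth_*_required = none"
fi
cephx_disabled_in_conf "$DEMO/ceph.conf.fixed" || echo "ceph.conf.fixed: cephx no longer forced off"
for k in "$DEMO"/*.keyring; do
  keyring_perms_ok "$k" && echo "ok   $k" || echo "WARN $k is group/world readable; chmod 0600 it"
done
echo "commands to run before the restart (dry run):"
DRY_RUN=1 osd_flags set
```

Run it once with DRY_RUN set to confirm the flag sequence and fix any WARN lines, then run `osd_flags set`, restart the cluster, wait until all PGs are active+clean, and run `osd_flags unset`.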