Configuring Ceph client authentication

Configure Ceph authentication so that OpenStack services can securely access Ceph Block Devices.

Before you begin

Before you begin, make sure that you have the following prerequisites in place:

  1. Prerequisites defined in Installing and configuring Ceph for OpenStack.
  2. Root access to a Ceph Monitor node.
  3. Root access to specific OpenStack service nodes (Nova, Cinder, Cinder Backup, Glance).

About this task

Ceph uses authenticated clients to control access to storage pools. Before OpenStack services can use Ceph Block Devices, you must create Ceph users, distribute keyrings, and configure the libvirt secret used by Nova.

Procedure

  1. Create Ceph users for OpenStack services.

    Run the following commands on a Ceph Monitor node. Each user gets only the pools it needs: Cinder writes to volumes and vms but only reads images, Cinder Backup is limited to backups, and Glance is limited to images. If a user already exists with different capabilities, get-or-create fails rather than silently changing them; adjust an existing user with ceph auth caps instead.

    ceph auth get-or-create client.cinder \
      mon 'allow r' \
      osd 'allow class-read object_prefix rbd_children, allow rwx pool=volumes, allow rwx pool=vms, allow rx pool=images'
    ceph auth get-or-create client.cinder-backup \
      mon 'allow r' \
      osd 'allow class-read object_prefix rbd_children, allow rwx pool=backups'
    ceph auth get-or-create client.glance \
      mon 'allow r' \
      osd 'allow class-read object_prefix rbd_children, allow rwx pool=images'
  2. Copy the keyrings to the appropriate OpenStack nodes and set ownership.

    For the Cinder volume service, run

    ceph auth get-or-create client.cinder | \
      ssh CINDER_VOLUME_NODE sudo tee /etc/ceph/ceph.client.cinder.keyring
    
    ssh CINDER_VOLUME_NODE sudo chown cinder:cinder \
      /etc/ceph/ceph.client.cinder.keyring

    Repeat this step for client.cinder-backup (owner cinder:cinder, on the Cinder Backup node) and client.glance (owner glance:glance, on the Glance node). Because tee creates the file with the default umask, also restrict the mode (for example, chmod 0600) so that other local users cannot read the key.

  3. Copy the Cinder keyring to each Nova compute node. Compute nodes use the client.cinder identity for the vms pool and for attaching Cinder volumes, so they need the same keyring, with the same ownership and mode restrictions as above.
    ceph auth get-or-create client.cinder | \
      ssh NOVA_NODE sudo tee /etc/ceph/ceph.client.cinder.keyring
  4. Retrieve the Cinder secret key and place it on each Nova compute node. ceph auth get-key requires a Ceph admin keyring, which a compute node does not have, so run it on the Monitor node and pipe the output to the compute node; the remaining steps then run on the compute node.
    ceph auth get-key client.cinder | \
      ssh NOVA_NODE tee client.cinder.key
  5. Generate a UUID for the libvirt secret. Generate it once and use the same UUID on every compute node; it is the value later set as rbd_secret_uuid in the Cinder and Nova configuration, so record it.
    uuidgen > uuid-secret.txt
  6. Define and set the Ceph secret in libvirt.
    cat > secret.xml <<EOF
    <secret ephemeral='no' private='no'>
      <uuid>$(cat uuid-secret.txt)</uuid>
      <usage type='ceph'>
        <name>client.cinder secret</name>
      </usage>
    </secret>
    EOF
    virsh secret-define --file secret.xml
    
    virsh secret-set-value \
      --secret $(cat uuid-secret.txt) \
      --base64 $(cat client.cinder.key)
  7. Remove the temporary copy of the key. The key is now stored by libvirt and should not remain on disk; keep uuid-secret.txt until the UUID has been recorded in the Cinder and Nova configuration.
    rm -f client.cinder.key secret.xml
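
The compute-node side of this procedure, as an added example that is not part of the original page and not Ceph's or OpenStack's own tooling: a POSIX shell script that extracts the client.cinder key from an already-distributed keyring file (so a compute node does not need admin credentials to run ceph auth get-key), sanity-checks the key before it is handed to virsh secret-set-value, checks the keyring file mode, and renders the libvirt secret XML from the procedure with a given UUID. The sample keyring, its dummy key and the example UUID are constructed assumptions; the script runs offline and never contacts a cluster.

```shell
#!/bin/sh
# Added example (not from the original page): helper checks for the
# Nova compute-node steps. Runs offline against a constructed sample
# keyring; nothing here talks to a Ceph cluster or to libvirt.
set -eu

# Dummy key: base64 of 28 bytes of 0x41. Assumption: a cephx key is the
# base64 encoding of a 28-byte CryptoKey, i.e. 40 characters ending in "==".
DUMMY_KEY='QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=='

# write_sample_keyring FILE: constructed keyring in the format that
# `ceph auth get-or-create` prints (section header, tab-indented key/caps).
write_sample_keyring() {
  printf '[client.cinder]\n\tkey = %s\n\tcaps mon = "allow r"\n\tcaps osd = "allow class-read object_prefix rbd_children, allow rwx pool=volumes"\n' \
    "$DUMMY_KEY" > "$1"
}

# keyring_key FILE ENTITY: print the key of [ENTITY] from a keyring file,
# or nothing if the entity is absent.
keyring_key() {
  awk -v want="[$2]" '
    /^[[:space:]]*\[/ { sec = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", sec); next }
    sec == want && /^[[:space:]]*key[[:space:]]*=/ {
      sub(/^[[:space:]]*key[[:space:]]*=[[:space:]]*/, "")
      sub(/[[:space:]]+$/, "")
      print; exit
    }' "$1"
}

# valid_cephx_key KEY: accept only a 40-character base64 blob that decodes.
# Catches pasting the whole "key = ..." line or a value with stray
# whitespace into `virsh secret-set-value --base64`.
valid_cephx_key() {
  key=$1
  [ "${#key}" -eq 40 ] || return 1
  printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{38}==$' || return 1
  printf '%s' "$key" | base64 -d >/dev/null 2>&1
}

# keyring_mode_ok FILE: the keyring is a credential; `tee` creates it with
# the default umask (usually 0644), so insist on no access for "other".
keyring_mode_ok() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  case "$mode" in
    600|640|400|440) return 0 ;;
    *) return 1 ;;
  esac
}

# secret_xml UUID ENTITY: the libvirt secret definition from the procedure,
# with the UUID substituted so every compute node can reuse the same value.
secret_xml() {
  cat <<EOF
<secret ephemeral='no' private='no'>
  <uuid>$1</uuid>
  <usage type='ceph'>
    <name>$2 secret</name>
  </usage>
</secret>
EOF
}

# Demo against the constructed keyring (example UUID is made up).
demo_keyring=$(mktemp)
write_sample_keyring "$demo_keyring"
chmod 600 "$demo_keyring"
demo_key=$(keyring_key "$demo_keyring" client.cinder)
if valid_cephx_key "$demo_key" && keyring_mode_ok "$demo_keyring"; then
  secret_xml 457eb676-33da-42ec-9a8c-9293d545c337 client.cinder
else
  echo "keyring check failed" >&2
fi
rm -f "$demo_keyring"
```

On a real compute node the call would be keyring_key /etc/ceph/ceph.client.cinder.keyring client.cinder, and the validated value is what goes to virsh secret-set-value --base64; the XML rendered by secret_xml is what virsh secret-define --file consumes.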

Results

Ceph client authentication is configured for OpenStack services. OpenStack components can now authenticate securely and access Ceph Block Devices.