
























CephX is Ceph's built-in authentication protocol, similar in concept to Kerberos. It provides mutual authentication between clients and Ceph daemons, ensuring that only authorized entities can access the cluster. Understanding CephX is fundamental to securing and troubleshooting Ceph deployments.
CephX uses a shared-secret system with the following actors:
The authentication flow:
Each entity in Ceph has a keyring file. View a key:
kubectl -n rook-ceph exec -it deploy/rook-ceph-tools -- \
ceph auth get client.adminOutput format:
[client.admin]
key = AQBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
caps mds = "allow *"
caps mgr = "allow *"
caps mon = "allow *"
caps osd = "allow *"CephX capabilities control what authenticated entities can do. Common capability strings:
# Read-only access to a specific pool
"allow r pool=mypool"
# Read-write access to all pools
"allow rw"
# Full access
"allow *"
# OSD-specific capabilities
"allow class-read object_prefix rbd_children"List all existing authentication entries:
kubectl -n rook-ceph exec -it deploy/rook-ceph-tools -- \
ceph auth lsRook automatically creates and manages CephX keys for all Ceph components. Keys are stored as Kubernetes Secrets:
kubectl -n rook-ceph get secrets | grep cephView the admin key secret:
kubectl -n rook-ceph get secret rook-ceph-admin-keyring -o jsonpath='{.data.keyring}' | \
base64 -dCheck if a client can authenticate:
kubectl -n rook-ceph exec -it deploy/rook-ceph-tools -- \
ceph -n client.admin --keyring=/etc/ceph/keyring auth get client.adminCephX provides mutual authentication using shared secrets and a ticket-based system where the monitor acts as the authentication authority. Every Ceph entity - clients, OSDs, MDS, and RGW - has its own keyring with capability strings that define permitted operations. Rook manages these keys automatically as Kubernetes Secrets, but understanding the underlying protocol is essential for debugging authentication failures and designing secure access policies.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。