惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

宝玉的分享
宝玉的分享
酷 壳 – CoolShell
酷 壳 – CoolShell
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
S
Security @ Cisco Blogs
小众软件
小众软件
D
Docker
博客园_首页
A
About on SuperTechFans
P
Privacy International News Feed
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
A
Arctic Wolf
Spread Privacy
Spread Privacy
有赞技术团队
有赞技术团队
T
Tailwind CSS Blog
Latest news
Latest news
WordPress大学
WordPress大学
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
The Exploit Database - CXSecurity.com
C
Cybersecurity and Infrastructure Security Agency CISA
大猫的无限游戏
大猫的无限游戏
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
K
Kaspersky official blog
V2EX - 技术
V2EX - 技术
SecWiki News
SecWiki News
U
Unit 42
GbyAI
GbyAI
H
Hackread – Cybersecurity News, Data Breaches, AI and More
L
LINUX DO - 热门话题
S
Security Affairs
Y
Y Combinator Blog
aimingoo的专栏
aimingoo的专栏
Blog — PlanetScale
Blog — PlanetScale
MongoDB | Blog
MongoDB | Blog
博客园 - 【当耐特】
The GitHub Blog
The GitHub Blog
T
Tenable Blog
W
WeLiveSecurity
Cloudbric
Cloudbric
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
G
Google Developers Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
N
Netflix TechBlog - Medium
F
Full Disclosure
N
News and Events Feed by Topic
D
DataBreaches.Net
P
Proofpoint News Feed
B
Blog RSS Feed
B
Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org

OneUptime Blog

How to Monitor Azure App Services (PaaS) with OpenTelemetry Grafana Stack vs OneUptime: DIY Observability or Unified Platform? Your AI Workloads Are About to Blow Up Your Observability Bill The Great Observability Consolidation Is Here How to Write Custom Object Classes for Ceph How to Write Custom Ceph Manager Modules How to Write a ceph.conf Configuration File How to Use Rook-Ceph with OpenShift How to Use Rook-Ceph with Longhorn for Comparison How to Configure Volume Snapshot Class for RBD in Rook How to Configure VolumeReplicationClass Scheduling Intervals in Rook How to Set Up Volume Replication with Rook-Ceph How to Create Volume Group Snapshots with Rook CSI How to Visualize Ceph Network Performance in Grafana How to Enable Virtual Host-Style Bucket Access in Rook How to View Runtime Configuration via Admin Socket How to View Quota Settings and Update Stats in Ceph RGW How to View PG Scaling Recommendations with autoscale-status How to View PG Distribution via Admin Socket How to View Performance Metrics in the Ceph Dashboard How to View OSD Performance Counters in Ceph How to View Connection Status via Admin Socket How to View Ceph Cluster Summary Dashboard via CLI How to Version Control Rook-Ceph Configuration How to Version Control Ceph Infrastructure with Terraform How to Verify Kubernetes Node Requirements for Rook-Ceph Deployment How to Verify Health Before and After Rook Upgrades How to Verify Data Integrity with Deep Scrubbing How to Verify Complete Rook-Ceph Cleanup How to Verify Backup Integrity from Ceph Snapshots How to Use Rook-Ceph with Velero for Kubernetes Backup How to Integrate HashiCorp Vault with Rook-Ceph (Token Auth) How to Configure TLS for Vault Integration in Rook How to Integrate HashiCorp Vault with Rook-Ceph (Kubernetes Auth) How to Validate Ceph Cluster Configuration After Deployment How to Understand User Type and ID Notation (TYPE.ID) in Ceph How to Configure User Management in the Ceph Dashboard How to Use Rook-Ceph with Kubernetes Operators How to Use Rook-Ceph with Helm Chart Deployments How to Use the Swift API with Ceph RGW How to Use SQLite Databases Stored on Ceph How to Use s3cmd with Ceph RGW How to Use the S3 API with Ceph RGW How to Use Red Hat Ceph with RHEL Virtualization How to Use RBD with QEMU How to Use RBD with Nomad How to Use RBD with CloudStack How to Use RBD Snapshot Rollback How to Use rados bench for Object Storage Benchmarking How to Secure Rook-Ceph with Pod Security Admission How to Use pg-upmap for PG Mapping in Ceph How to Use Multipath Devices with Ceph OSDs How to Use MinIO Client (mc) with Ceph RGW How to Use fs swap for CephFS How to Use fio for Ceph Block Storage Benchmarking How to Use the CephFS Shell How to Use Ceph RGW for Media Asset Management How to Use Ceph RGW for Log Storage and Archival How to Use Ceph RGW for Data Lake Storage How to Use Ceph RGW for Backup Repository Storage How to Use boto3 (Python) with Ceph RGW S3 How to Use AWS CLI with Ceph RGW S3 How to Use the Admin Ops API with Ceph RGW How to Configure Usage Log Key Transition in Ceph RGW How to Handle Rook-Ceph Upgrades in GitOps Pipelines How to Upgrade Rook-Ceph with Zero Downtime How to Create a Ceph Upgrade Runbook How to Upgrade the Rook Operator from v1.18 to v1.19 How to Upgrade the Rook Operator on Kubernetes How to Upgrade External Cluster Connections in Rook How to Upgrade the Ceph Version in Rook How to Upgrade from Ceph Reef to Squid How to Upgrade from Ceph Quincy to Reef How to Upgrade Ceph Clusters in Stretch Mode How to Update Kernel for CephFS Feature Compatibility How to Update Ceph Configuration on a Running Rook Cluster How to Create Unique Kubernetes Services per NFS Server in Rook How to Understand When Compression Helps vs Hurts in Ceph How to Understand User Types (Individual vs System) in Ceph How to Understand the undersized PG State in Ceph How to Understand the stale PG State in Ceph How to Understand the repair PG State in Ceph How to Understand the remapped PG State in Ceph How to Understand Red Hat Ceph Storage vs Upstream Ceph How to Understand Placement Groups in Ceph How to Understand PG Splitting in Ceph How to Understand the peering PG State in Ceph How to Understand OSD Recovery Process in Ceph How to Understand the OSD Map in Ceph How to Understand New Features in Each Ceph Release How to Understand Monitor Leadership in Ceph How to Understand MDS States in CephFS How to Understand Deprecated Features in Ceph Reef How to Understand the degraded PG State in Ceph How to Understand D3N in Ceph How to Understand the creating PG State in Ceph How to Understand the clean PG State in Ceph How to Understand CephX Authentication Protocol How to Understand CephX Authentication Flow How to Understand What Data Ceph Telemetry Collects
How to Use the ceph-authtool Utility
Nawaz Dhandala · 2026-03-31 · via OneUptime Blog

What Is ceph-authtool

ceph-authtool is a command-line tool for managing CephX keyring files locally, without needing a running Ceph cluster or network connectivity. It allows you to create new keyrings, generate keys, add entities, and print keyring contents. This is useful for pre-provisioning credentials, disaster recovery, and offline key management.

Installing ceph-authtool

On Debian/Ubuntu:

apt-get install ceph-common

On RHEL/CentOS:

dnf install ceph-common

In Rook environments, ceph-authtool is available inside the toolbox pod:

kubectl -n rook-ceph exec -it deploy/rook-ceph-tools -- bash

Creating a New Keyring

Create a keyring file with a new entity and randomly generated key:

ceph-authtool /tmp/myapp.keyring --create-keyring --gen-key -n client.myapp

This creates a new file /tmp/myapp.keyring with a random key for client.myapp but no capabilities yet.

Generating and Printing a Key

Generate a new random key and print it to stdout without creating a file:

ceph-authtool --gen-print-key

Output:

AQBzm7dg...==

This is useful when you need a key value to inject into existing scripts or templates.

Adding Capabilities to a Keyring

After creating the keyring, add capability strings:

ceph-authtool /tmp/myapp.keyring -n client.myapp \
  --cap mon 'allow r' \
  --cap osd 'allow rw pool=appdata'

Inspecting a Keyring

Print the contents of an existing keyring:

ceph-authtool -l /tmp/myapp.keyring

Sample output:

[client.myapp]
    key = AQBzm7dg...==
    caps mon = "allow r"
    caps osd = "allow rw pool=appdata"

Printing Only the Key Value

Extract just the base64 key value:

ceph-authtool -p -n client.myapp /tmp/myapp.keyring

Output:

AQBzm7dg...==

Adding Multiple Entities to One Keyring

A single keyring file can hold multiple entities. Add additional users:

# Create initial keyring
ceph-authtool /tmp/multi.keyring --create-keyring --gen-key -n client.user1

# Add second entity
ceph-authtool /tmp/multi.keyring --gen-key -n client.user2

# Add caps to each
ceph-authtool /tmp/multi.keyring -n client.user1 \
  --cap mon 'allow r' --cap osd 'allow rw pool=pool1'

ceph-authtool /tmp/multi.keyring -n client.user2 \
  --cap mon 'allow r' --cap osd 'allow rw pool=pool2'

Importing an authtool-Created Keyring to Ceph

Once you have created a keyring with ceph-authtool, register it with the cluster:

ceph auth import -i /tmp/myapp.keyring

Verify:

ceph auth get client.myapp

Use Case: Offline Keyring Pre-Provisioning

In air-gapped or regulated environments, you may need to pre-generate keys and register them before deploying applications:

# Step 1: Generate key offline
ceph-authtool /tmp/preprovisioned.keyring --create-keyring --gen-key -n client.app

# Step 2: Transfer keyring to cluster node
scp /tmp/preprovisioned.keyring admin@ceph-node:/tmp/

# Step 3: Import into cluster
ceph auth import -i /tmp/preprovisioned.keyring

# Step 4: Set caps
ceph auth caps client.app mon 'allow r' osd 'allow rw pool=appdata'

Summary

ceph-authtool manages Ceph keyring files offline. Use --create-keyring --gen-key to create new keyrings, --cap to add capabilities, -l to list keyring contents, -p to print just the key value, and --gen-print-key to generate standalone key values. After offline creation, import keyrings into the cluster with ceph auth import. This tool is essential for disaster recovery and air-gapped deployment scenarios in Rook environments.