Feature #9118
closed
ceph-deploy: Add pre-generated keys to a Monitor
Description
ceph-authtool can be used to generate a key and keyring before a Ceph cluster is running, if a user has access to the ceph-authtool binary.
ceph-deploy should add any keys/keyrings it finds in a certain directory (as generated by ceph-authtool) to a MON as part of the MON install process or at any time afterwards to an already running cluster.
Updated by Sage Weil over 9 years ago
Any keys (client.admin or otherwise) in the keyring file passed to "ceph-mon --mkfs --keyring <foo>" will get seeded into the initial mon quorum's auth database.
I think we should look for any $cluster.*.keyring files, compile them into a single keyring file, and pass that to the mon during 'mon create'. If we're forming the initial quorum, it will seed things (if not, only the mon. key is used for the new mon to authenticate and join.)
Note that it might be slightly annoying to merge them when the same entity exists twice. We can just cat them together and let the ceph mon do that, with a non-deterministic order. It might be nice to notice though and at least print a warning on the ceph-deploy side if that happens since the results are non-deterministic.
Updated by Keith Schincke over 9 years ago
Can the precreated/populated keyring be propagated with the ceph-deploy command when the cluster is created?
Updated by Sage Weil over 9 years ago
Keith Schincke wrote:
Can the precreated/populated keyring be propagated with the ceph-deploy command when the cluster is created?
Yes, with some minor ceph-deploy changes...
Updated by Alfredo Deza over 9 years ago
- Status changed from 12 to Fix Under Review
Pull request opened https://github.com/ceph/ceph-deploy/pull/235
Updated by Alfredo Deza over 9 years ago
- Status changed from Fix Under Review to Resolved
merged commit b00d1fb into ceph:master
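The merge-and-warn step discussed in this thread (collect `$cluster.*.keyring` files, concatenate them, and warn when the same entity appears more than once), as an added Python example; it is not code from ceph-deploy or from the pull request. The function names are hypothetical, the keyring layout assumed is the INI-style `[entity]` / `key = ...` form written by ceph-authtool, and the sample key values are constructed placeholders.

```python
import glob
import os
import re
import tempfile

SECTION = re.compile(r"^\[([^\]]+)\]$")   # e.g. [client.admin]
KEY = re.compile(r"^key\s*=\s*(\S+)$")    # e.g. key = <base64>

def parse_keyring(text):
    """Return [(entity, key_or_None), ...] in file order for one keyring."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        sec, key = SECTION.match(line), KEY.match(line)
        if sec:
            entries.append((sec.group(1), None))
        elif key and entries:
            entries[-1] = (entries[-1][0], key.group(1))
    return entries

def merge_keyrings(directory, cluster="ceph"):
    """Concatenate <cluster>.*.keyring files; return (merged_text, warnings)."""
    seen, chunks = {}, []
    pattern = os.path.join(glob.escape(directory), cluster + ".*.keyring")
    for path in sorted(glob.glob(pattern)):  # sorted so the output is reproducible
        with open(path) as f:
            text = f.read()
        chunks.append(text.rstrip("\n") + "\n")
        for entity, key in parse_keyring(text):
            seen.setdefault(entity, []).append((os.path.basename(path), key))
    warnings = []
    for entity, hits in sorted(seen.items()):
        if len(hits) > 1:  # same entity seeded more than once
            kind = "conflicting keys" if len({k for _, k in hits}) > 1 else "same key"
            warnings.append("%s: %s in %s" % (entity, kind, ", ".join(p for p, _ in hits)))
    return "".join(chunks), warnings

def write_private(path, text):
    """Write keyring material readable and writable by the owner only."""
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
        f.write(text)

def demo():
    samples = {  # constructed sample files; key values are placeholders, not real keys
        "ceph.client.admin.keyring": "[client.admin]\n\tkey = PLACEHOLDERAAAA==\n",
        "ceph.extra.keyring": "[client.admin]\n\tkey = PLACEHOLDERBBBB==\n"
                              "[client.bootstrap-osd]\n\tkey = PLACEHOLDERCCCC==\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            write_private(os.path.join(d, name), body)
        return merge_keyrings(d)
```

The warning text names the entity and the files involved but never the key values, so it is safe to send to a deployment log.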