Feature #9118
closed
ceph-deploy: Add pre-generated keys to a Monitor
Added by Neil Levine over 9 years ago.
Updated over 9 years ago.
Description
ceph-authtool can be used to generate a key and keyring before a Ceph cluster is running, if a user has access to the ceph-authtool binary.
ceph-deploy should add any keys/keyrings it finds in a certain directory (as generated by ceph-authtool) to a MON as part of the MON install process or at any time afterwards to an already running cluster.
See http://tracker.ceph.com/issues/9083
Any keys (client.admin or otherwise) in the keyring file passed to "ceph-mon --mkfs --keyring <foo>" will get seeded into the initial mon quorum's auth database.
I think we should look for any $cluster.*.keyring files, compile them into a single keyring file, and pass that to the mon during 'mon create'. If we're forming the initial quorum, it will seed things (if not, only the mon. key is used for the new mon to authenticate and join).
Note that it might be slightly annoying to merge them when the same entity exists twice. We can just cat them together and let the ceph mon do that, with a non-deterministic order. It might be nice to notice though and at least print a warning on the ceph-deploy side if that happens, since the results are non-deterministic.
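A sketch of the concatenate-and-warn step proposed in the comment above, as an added example that is not ceph-deploy's code and not part of the original thread. The function names, the sorted file order and the placeholder key values are assumptions made for illustration.

```python
import glob
import os
import re
import tempfile

SECTION = re.compile(r"^\[([^\]]+)\]\s*$")  # e.g. [client.admin]

def entities_in(path):
    """Entity names declared in one keyring file."""
    with open(path) as f:
        return [m.group(1) for m in map(SECTION.match, f) if m]

def concatenate_keyrings(directory, cluster="ceph"):
    """Return (combined_text, duplicates) for <cluster>.*.keyring in directory.
    duplicates maps an entity to the files defining it, when more than one does."""
    seen, parts = {}, []
    # Sorted order keeps the concatenation reproducible across runs.
    for path in sorted(glob.glob(os.path.join(directory, cluster + ".*.keyring"))):
        for entity in entities_in(path):
            seen.setdefault(entity, []).append(os.path.basename(path))
        with open(path) as f:
            parts.append(f.read().rstrip("\n") + "\n")
    duplicates = {e: files for e, files in seen.items() if len(files) > 1}
    return "".join(parts), duplicates

def demo():
    # Constructed sample keyrings; key values are placeholders, not real secrets.
    samples = {
        "ceph.mon.keyring": "[mon.]\n\tkey = PLACEHOLDER_MON_KEY\n\tcaps mon = \"allow *\"\n",
        "ceph.client.admin.keyring": "[client.admin]\n\tkey = PLACEHOLDER_ADMIN_KEY_A\n",
        "ceph.extra.keyring": "[client.admin]\n\tkey = PLACEHOLDER_ADMIN_KEY_B\n",
        "other.mon.keyring": "[mon.]\n\tkey = PLACEHOLDER_OTHER_CLUSTER\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(body)
        return concatenate_keyrings(d)

if __name__ == "__main__":
    combined, dups = demo()
    for entity, files in sorted(dups.items()):
        print("WARNING: %s defined in %s; which key the mon keeps is not deterministic"
              % (entity, ", ".join(files)))
    print(combined, end="")
```

The combined text holds key material, so a caller that writes it to disk should create the file with owner-only permissions.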
Can the precreated/populated keyring be propagated with the ceph-deploy command when the cluster is created?
Keith Schincke wrote:
> Can the precreated/populated keyring be propagated with the ceph-deploy command when the cluster is created?
Yes, with some minor ceph-deploy changes...
- Target version set to sprint13
- Status changed from 12 to Fix Under Review
- Status changed from Fix Under Review to Resolved
merged commit b00d1fb into ceph:master