Bug #3065

closed

don't always default to "client.admin"; perhaps client.$USER or something?

Added by Anonymous over 11 years ago. Updated about 11 years ago.

Status: Won't Fix
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%
Source: Development

Description

It would be desirable to have a read-only, status-view-only key that is able to run trivial operations like "ceph -s". It would be nice to isolate client.admin to be only available for root.

The keyring side change is trivial: prepend /etc/ceph/$cluster.$name.keyring to OPTION. That's done in the wip-create-admin-key branch commit 3b0e2a2d98489e023cfe6d9253149c3c7cfb1a68. That lets the non-root users avoid even trying to open the root-only keyring file.

However, even with that change, the non-root "ceph -s" invocation will try to use client.admin, and you need to explicitly do something like "ceph -i status -s". I wish the cli was smarter.

I don't have a suggestion I'd be completely happy with, but imagine something like

- try to get the key for client.admin
- if that worked, you're client.admin
- if not, you're client.$YOUR_UNIX_USERNAME; any failure to find a key for that is fatal

And add ~/.ceph.keyring in the keyring search path too?
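
The lookup order proposed in the description, sketched as an added example (not code from the reporter or from Ceph; the proposal was closed as Won't Fix). The function names, the `etc_dir` and `home` parameters, and the shortened search path are assumptions made for illustration.

```python
import os

def read_key(path, entity):
    """Return the key for `entity` from a keyring file, or None if the file
    is missing, unreadable (e.g. root-only), or has no section for it."""
    try:
        with open(path) as fh:
            lines = fh.read().splitlines()
    except OSError:  # FileNotFoundError, PermissionError, ...
        return None
    section = None
    for line in lines:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == entity and "=" in line:
            name, value = line.split("=", 1)
            if name.strip() == "key":
                return value.strip()
    return None

def keyring_paths(cluster, entity, etc_dir, home):
    # Per-entity file first, as in the report, so an unprivileged user
    # finds its own key before touching the shared keyring.
    return [
        os.path.join(etc_dir, f"{cluster}.{entity}.keyring"),
        os.path.join(etc_dir, f"{cluster}.keyring"),
        os.path.join(home, ".ceph.keyring"),  # addition floated in the report
    ]

def resolve_entity(cluster, unix_user, etc_dir="/etc/ceph", home=None):
    """Try client.admin first; fall back to client.<unix_user>.
    Failing to find a key for the fallback identity is fatal."""
    home = home or os.path.expanduser("~")
    for entity in ("client.admin", f"client.{unix_user}"):
        for path in keyring_paths(cluster, entity, etc_dir, home):
            key = read_key(path, entity)
            if key:
                return entity, key, path
    raise LookupError(f"no key for client.admin or client.{unix_user}")
```

An unreadable root-only admin keyring is treated the same as a missing one, so a non-root caller falls through to its own identity without an error.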

Actions #1

Updated by Sage Weil about 11 years ago

  • Status changed from New to Won't Fix