ceph-config-cephx
Ceph's configuration file is /etc/ceph/ceph.conf.
With a ceph-ansible deployment these are the values written in all.yaml:
client -> primary OSD: public network
primary OSD -> replica OSDs: cluster network
OSD <-> OSD heartbeats: both networks (OSDs ping each other over the cluster and the public network)
OSD -> mon: public network (mons only listen on the public network; the original note had this as cluster network, which is wrong)
mgr collecting cluster state: public network as well
The client sends a single copy to the primary OSD, but the primary then forwards size-1 copies to the replica OSDs, so the cluster network carries more traffic than the public one and should get the larger bandwidth in a physical deployment.
The main settings are:
cluster id (fsid)
initial mons (mon_initial_members / mon_host)
public_network
cluster_network
osd_pool_default_size: default number of replicas
osd_pool_default_min_size: minimum number of replicas that must be up for a pool to keep serving I/O
[osd]
osd_journal_size: journal size (FileStore only; BlueStore OSDs have no journal)
osd_mkfs_options_xfs = -f -i size=2048: mkfs options used to format an OSD data device as XFS (FileStore only)
[client]
rbd_default_features = 1: only the layering feature bit (1), the feature set old kernel rbd clients understand and the one needed to clone from snapshots
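The settings above, as a minimal ceph.conf plus a sanity check on the network layout. This is an added example, not a file from the original notes or from ceph-ansible: the hostnames and addresses are made up, the fsid is the one from the ceph -s output further down, and the checker only looks at the three network-related keys (mons must sit inside public_network, and the two networks must not overlap).

```shell
#!/bin/sh
# Added example, not from the original notes: a minimal ceph.conf carrying the
# settings listed above, plus a check that the mon addresses really sit inside
# public_network (mons and clients never use cluster_network) and that the two
# networks do not overlap. Hostnames and addresses are made up for the example.
set -eu

CEPH_CONF='[global]
fsid = 68190679-405e-4a94-afd4-c9414121c623
mon_initial_members = servera, serverb, serverc
mon_host = 172.25.250.10, 172.25.250.11, 172.25.250.12
public_network = 172.25.250.0/24
cluster_network = 172.25.249.0/24
osd_pool_default_size = 3
osd_pool_default_min_size = 2

[osd]
osd_journal_size = 5120
osd_mkfs_options_xfs = -f -i size=2048

[client]
rbd_default_features = 1
'

# First "key = value" for KEY in TEXT; the value may itself contain "=".
conf_get() {   # args: TEXT KEY
    printf '%s\n' "$1" | awk -v k="$2" '
        /=/ { key = $0; sub(/[ \t]*=.*/, "", key)
              if (key == k) { sub(/^[^=]*=[ \t]*/, ""); print; exit } }'
}

# Dotted quad -> 32-bit integer, so CIDR maths can be done with $(( )).
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 0 when IP lies inside CIDR (a.b.c.d/bits).
in_cidr() {   # args: IP CIDR
    local net=${2%/*} bits=${2#*/} mask
    mask=$(( (0xffffffff >> (32 - bits)) << (32 - bits) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Two CIDRs overlap iff either one contains the other's network address.
cidrs_overlap() {   # args: CIDR1 CIDR2
    in_cidr "${2%/*}" "$1" || in_cidr "${1%/*}" "$2"
}

# Prints each finding; returns 0 only when the layout is sane.
check_networks() {   # args: CONF_TEXT
    local pub cl host bad=0
    pub=$(conf_get "$1" public_network)
    cl=$(conf_get "$1" cluster_network)
    if cidrs_overlap "$pub" "$cl"; then
        echo "public_network $pub overlaps cluster_network $cl"; bad=1
    fi
    for host in $(conf_get "$1" mon_host | tr ',' ' '); do
        in_cidr "$host" "$pub" || { echo "mon $host is outside public_network $pub"; bad=1; }
    done
    return $bad
}

check_networks "$CEPH_CONF" && echo "network layout in ceph.conf looks sane"
```

Run it against a real file with check_networks "$(cat /etc/ceph/ceph.conf)"; a mon_host entry on the cluster network is the classic mistake behind "OSDs can't reach mons" after a dual-network deployment.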
Example:
Pools cannot be deleted by default; deleting one is a high-risk operation (all objects in it are gone for good).
Edit the configuration file and add:
mon_allow_pool_delete = true
then restart the mon on every node. (On Nautilus and newer the same flag can be flipped at runtime with ceph config set mon mon_allow_pool_delete true, no restart needed; set it back to false afterwards so the cluster is not left in a state where any key with mon write access can drop pools.)
ceph osd pool delete <pool name> <pool name> --yes-i-really-really-mean-it
(the pool name has to be typed twice, on purpose)
[ceph@serverb ~]$ ceph osd pool delete emporer-erasure emporer-erasure --yes-i-really-really-mean-it
pool 'emporer-erasure' removed
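The procedure above without the config-file edit and mon restarts, as an added example (not from the original notes): the flag is flipped at runtime, the pool is deleted, and the flag is switched off again regardless of the outcome. The CEPH variable is an assumption of this script so it can be dry-run with CEPH=echo; ceph config set and the pool delete command are real Ceph CLI commands.

```shell
#!/bin/sh
# Added example, not from the original notes: deleting a pool without editing
# ceph.conf and restarting every mon. mon_allow_pool_delete is flipped at runtime
# (ceph config set, Nautilus or newer), the pool is dropped, and the flag is
# turned off again whatever happened, so the cluster does not stay in a state
# where any key with mon 'w' can delete pools. CEPH=echo gives a dry run
# (an assumption of this script, not a ceph feature).
set -eu
CEPH=${CEPH:-ceph}

# Refuses unless the pool name is typed twice and both copies match, mirroring
# the double-name argument ceph itself demands.
delete_pool_guarded() {   # args: POOL POOL_AGAIN
    local pool=$1 again=${2:-} rc=0
    if [ "$pool" != "$again" ]; then
        echo "refusing: pool name must be repeated exactly ('$pool' vs '$again')" >&2
        return 1
    fi
    $CEPH config set mon mon_allow_pool_delete true
    # Capture the delete's status but always fall through to re-disabling the flag.
    $CEPH osd pool delete "$pool" "$pool" --yes-i-really-really-mean-it || rc=$?
    $CEPH config set mon mon_allow_pool_delete false
    return $rc
}

# Dry run in a subshell: print the exact command sequence without touching a cluster.
( CEPH=echo; delete_pool_guarded test4 test4 )
```

Running it for real is delete_pool_guarded test4 test4 with CEPH unset (or pointing at a wrapper such as ceph --id admin); the dry run prints the three ceph commands in order.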
cephx: authentication and authorization
create: ceph auth get-or-create client.<username>
delete: ceph auth del client.user1
[ceph@serverb ceph]$ ceph auth get-or-create client.user1
[client.user1]
key = AQAlADVkdYfiDRAARADEH4lWnEhJhIerXxy0HA==
[ceph@serverb ceph]$ ceph auth del client.user1
updated
[ceph@serverb ceph]$
Create a keyring file (the --id user1 lookups below expect it at /etc/ceph/ceph.client.user1.keyring, one of the default keyring paths):
[ceph@serverb ceph]$ ceph auth get-or-create client.user1 |tee /etc/ceph/ceph.client.user1.keyring
[client.user1]
key = AQAxATVkccWxEhAAlr0ZdPVnfcDikDTBOTlS5w==
[ceph@serverb ceph]$ ceph auth list |grep client.user1 -A 2
installed auth entries:
client.user1
key: AQAxATVkccWxEhAAlr0ZdPVnfcDikDTBOTlS5w==
[ceph@serverb ceph]$ ceph -s --id user1
2023-04-11T14:45:04.534+0800 7f78f27fc700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]
2023-04-11T14:45:04.607+0800 7f78f37fe700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]
2023-04-11T14:45:04.645+0800 7f78f2ffd700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]
[errno 13] RADOS permission denied (error connecting to the cluster)
cephx capabilities:
A user's caps are a set of permissions granted per daemon type (mon, osd, mds, mgr). user1 above was created with no caps at all, so it cannot even read the cluster status: the auth_bad_method lines are noise from the connection attempt, the real answer is the errno 13 permission denied, because the key is valid but the mon refuses a session to an entity with no mon cap.
r: read
w: write
x: execute class methods (object class operations, such as the ones rbd uses)
"*": full access
Profiles: named, predefined sets of permissions that are used directly, which is more convenient. Examples:
rbd
mon
Create user2 with read access to the cluster (mon) and read/write on the OSDs:
ceph auth get-or-create client.user2 mon 'allow r' osd 'allow rw' |tee /etc/ceph/ceph.client.user2.keyring
[ceph@serverb ceph]$ ceph auth get-or-create client.user2 mon 'allow r' osd 'allow rw' |tee /etc/ceph/ceph.client.user2.keyring
[client.user2]
key = AQBLBDVkCGVFExAAo3b1F2aIrT7ywXwtjs53YA==
[ceph@serverb ceph]$ ceph auth list | grep -A 4 client.user2
installed auth entries:
client.user2
key: AQBLBDVkCGVFExAAo3b1F2aIrT7ywXwtjs53YA==
caps: [mon] allow r
caps: [osd] allow rw
mgr.serverb
[ceph@serverb ceph]$ ceph -s --id user2
cluster:
id: 68190679-405e-4a94-afd4-c9414121c623
health: HEALTH_WARN
Reduced data availability: 1 pg inactive, 1 pg peering
10 slow ops, oldest one blocked for 555 sec, mon.servera has slow ops
services:
mon: 3 daemons, quorum servera,serverb,serverc (age 51m)
mgr: serverb(active, since 4h), standbys: serverc, serverd
mds: cephfs:1 {0=serverb=up:active}
osd: 12 osds: 12 up (since 4h), 12 in (since 3d)
data:
pools: 4 pools, 97 pgs
objects: 22 objects, 3.3 KiB
usage: 12 GiB used, 76 GiB / 88 GiB avail
pgs: 1.031% pgs not active
96 active+clean
1 creating+peering
[ceph@serverb ceph]$ ceph osd pool create test4 32 32 --id user2
Error EACCES: access denied
mon read access is enough to see the cluster state, but creating a pool is a mon write, so it is denied. Re-creating user2 with broader caps:
ceph auth get-or-create client.user2 mon 'allow rwx' osd 'allow rwx' |tee /etc/ceph/ceph.client.user2.keyring
(get-or-create does not change the caps of an existing entity; it errors out when the requested caps differ from the stored ones. The key below is a new one, so client.user2 was deleted and recreated here. To change caps in place use ceph auth caps.)
[ceph@serverb ceph]$ ceph auth get-or-create client.user2 mon 'allow rwx' osd 'allow rwx' |tee /etc/ceph/ceph.client.user2.keyring
[client.user2]
key = AQDsBTVkn2yyLRAAl9NzYqR+uB9E4GUpwsgq0w==
[ceph@serverb ceph]$ ceph osd pool create test4 32 32 --id user2
pool 'test4' created
[ceph@serverb ceph]$
[ceph@serverb ceph]$ ceph osd pool ls --id user2
device_health_metrics
cephfs_data
cephfs_metadata
test
test4
Narrow it down to a single pool: 'allow rwx' on mon and on all OSDs is far too much, that user can delete other people's pools as well (not pasting that here).
ceph auth get-or-create client.user2 mon 'allow rwx' osd 'allow rwx pool=test5' |tee /etc/ceph/ceph.client.user2.keyring
ceph auth caps client.user1 mon 'allow rw'   changes the caps of an existing user directly. Note that auth caps replaces the whole cap set rather than merging, so every service that should keep access has to be listed again (below, user1 ends up with a mon cap only).
mon w: permission to create a resource type (pools, etc.) anywhere in the cluster.
Data operations are governed by the OSD rwx caps.
To create any resource inside Ceph a user needs mon rw.
[ceph@serverb ceph]$ ceph auth caps client.user1 mon 'allow rw'
updated caps for client.user1
[ceph@serverb ceph]$ ceph auth list |grep -A 4 client.user1
installed auth entries:
client.user1
key: AQCSCDVkWAJjGhAAY6grEauS7ag38d2lrWswPg==
caps: [mon] allow rw
Restricting a user to one pool:
[ceph@serverb ceph]$ ceph auth caps client.user1 mon 'allow r' osd 'allow rwx pool=test'
updated caps for client.user1
[ceph@serverb ceph]$ ceph auth list |grep -A 4 client.user1
installed auth entries:
client.user1
key: AQCSCDVkWAJjGhAAY6grEauS7ag38d2lrWswPg==
caps: [mon] allow r
caps: [osd] allow rwx pool=test
mgr.serverb
[ceph@serverb ceph]$ rados -p test -N system put srv /etc/fstab --id user1
[ceph@serverb ceph]$ rados -p test -N system ls --id user1
srv
cephx summary: cluster operations vs. data operations
mon r is the baseline every user must have; creating cluster resources needs mon rw.
Data operations are the finer-grained OSD rwx caps, scoped to a pool with pool=... and, if wanted, to a namespace with namespace=... (the rados -N system writes above would still succeed with 'allow rwx pool=test namespace=system', but a write to the default namespace would not).
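A small evaluator for the cap syntax used on this page (the r/w/x/* list and the pool= restriction sections), as an added example that is not part of the original notes: it pulls the "caps: [osd] ..." line of an entity out of ceph auth list text and answers "can this keyring do OP on pool X?" before the keyring is handed to anyone. The auth-list text is constructed to mirror the client.user1 entry above, with keys replaced by placeholders; the grammar handled (allow [rwx|*] [pool=P] [namespace=N], grants separated by commas) is an assumption that covers the caps on this page, not Ceph's own matcher, and anything it does not understand is denied.

```shell
#!/bin/sh
# Added example, not part of the original notes: a small evaluator for the
# cephx OSD cap subset used above (allow [rwx|*] [pool=P] [namespace=N], several
# grants separated by commas), fed from a `ceph auth list` dump. The grammar
# handled here is an assumption covering this page's caps, not Ceph's own
# matcher; unknown qualifiers or permission words deny.
set -euf   # -f: a cap of "allow *" must never glob-expand

# Constructed `ceph auth list` excerpt shaped like the client.user1 entry above
# (keys replaced with placeholders).
AUTH_LIST='installed auth entries:
client.user1
        key: <redacted>
        caps: [mon] allow r
        caps: [osd] allow rwx pool=test
client.user3
        key: <redacted>
        caps: [mon] allow r
        caps: [osd] allow r, allow rwx pool=test namespace=system
mgr.serverb
        key: <redacted>
        caps: [mon] allow profile mgr'

# The "caps: [SERVICE] ..." line of one entity from `ceph auth list` text.
caps_from_auth_list() {   # args: TEXT ENTITY SERVICE
    printf '%s\n' "$1" | awk -v ent="$2" -v svc="[$3]" '
        $1 == ent                               { inent = 1; next }
        inent && $1 == "caps:" && $2 == svc     { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }
        inent && $1 != "key:" && $1 != "caps:"  { inent = 0 }'
}

# One grant given as words: allow <perms> [pool=P] [namespace=N].
# Reads REQ_POOL, REQ_NS and REQ_OP set by osd_cap_allows; fails closed.
grant_allows() {
    [ $# -ge 2 ] && [ "$1" = allow ] || return 1
    local perms=$2 kv
    shift 2
    for kv in "$@"; do
        case $kv in
            pool=*)      [ "${kv#pool=}" = "$REQ_POOL" ] || return 1 ;;
            namespace=*) [ "${kv#namespace=}" = "$REQ_NS" ] || return 1 ;;
            *)           return 1 ;;   # object_prefix= etc.: not modelled, so deny
        esac
    done
    case $perms in
        '*')         return 0 ;;
        *[!rwx]*)    return 1 ;;      # class-read, class-write, ...: not modelled
        *"$REQ_OP"*) return 0 ;;
    esac
    return 1
}

# Does CAPS permit OP (r, w or x) on POOL in NAMESPACE ("" = default namespace)?
# A grant without namespace= covers every namespace of its pool.
osd_cap_allows() {   # args: CAPS POOL NAMESPACE OP
    REQ_POOL=$2 REQ_NS=$3 REQ_OP=$4
    local caps=$1 grant oldifs=$IFS
    IFS=','
    set -- $caps
    IFS=$oldifs
    for grant in "$@"; do
        # unquoted on purpose: split the grant into its words
        if grant_allows $grant; then return 0; fi
    done
    return 1
}

user1_caps=$(caps_from_auth_list "$AUTH_LIST" client.user1 osd)
for req in "test w" "test system w" "test4 w" "test4 r"; do
    set -- $req
    if [ $# -eq 3 ]; then pool=$1 ns=$2 op=$3; else pool=$1 ns="" op=$2; fi
    if osd_cap_allows "$user1_caps" "$pool" "$ns" "$op"; then v=allowed; else v=denied; fi
    echo "client.user1 [$user1_caps]: $op on pool $pool ns '${ns}' -> $v"
done
```

The loop at the end reproduces what the rados commands above showed empirically: user1 may write into pool test (default or system namespace) but gets nothing on test4. Feed the output of ceph auth list into caps_from_auth_list to review every tenant key the same way.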