cephx authentication: enabling and disabling in practice

I. Overview of cephx

1. Introduction to cephx

To identify users and prevent man-in-the-middle attacks, Ceph provides the cephx authentication system, which authenticates both users and daemons.

Note that the cephx protocol does not address encryption of data in transit (for example SSL/TLS) or encryption of data at rest.


Reference links:
	https://docs.ceph.com/en/nautilus/rados/configuration/auth-config-ref/
	https://docs.ceph.com/en/nautilus/rados/operations/operating/
	https://docs.ceph.com/en/nautilus/architecture/#high-availability-authentication


Tip:
	In a production environment, disabling cephx authentication is not recommended: without authentication, any node can operate on the cluster directly, unless the internal network is considered sufficiently secure.

2. cephx-related parameters

- auth_cluster_required
	If enabled, the Ceph Storage Cluster daemons (i.e. ceph-mon, ceph-osd, ceph-mds and ceph-mgr) must authenticate with each other.
	Valid settings are cephx or none; the default is "cephx".

- auth_service_required
	If enabled, the Ceph Storage Cluster daemons require Ceph clients to authenticate with the Ceph Storage Cluster in order to access Ceph services.
	Valid settings are cephx or none; the default is "cephx".

- auth_client_required
	If enabled, the Ceph client requires the Ceph Storage Cluster to authenticate with the Ceph client.
	Valid settings are cephx or none; the default is "cephx".
	
	
Tip:
	As shown below, cephx uses shared secret keys for authentication, which means that both the client and the monitor cluster hold a copy of the client's key.
[root@ceph141 ~]# cat /etc/ceph/ceph.client.admin.keyring 
[client.admin]
	key = AQDjFrplyvFCDhAApJg111YMIGQ6/F/x/Y+qpQ==  # Note: this is the admin user's key.
	caps mds = "allow *"
	caps mgr = "allow *"
	caps mon = "allow *"
	caps osd = "allow *"
[root@ceph141 ~]# 

II. Disabling the cephx protocol on a Ceph cluster in practice

1. Operations on node ceph141

[root@ceph141 ~]# cat /etc/ceph/ceph.conf 
[global]
fsid = 5821e29c-326d-434d-a5b6-c492527eeaad
public_network = 10.0.0.0/24
mon_initial_members = ceph141, ceph142, ceph143
mon_host = 10.0.0.141,10.0.0.142,10.0.0.143
# auth_cluster_required = cephx
# auth_service_required = cephx
# auth_client_required = cephx
auth_cluster_required = none
auth_service_required = none
auth_client_required = none
[root@ceph141 ~]# 

2. Operations on node ceph142

[root@ceph142 ~]# cat /etc/ceph/ceph.conf 
[global]
fsid = 5821e29c-326d-434d-a5b6-c492527eeaad
public_network = 10.0.0.0/24
mon_initial_members = ceph141, ceph142, ceph143
mon_host = 10.0.0.141,10.0.0.142,10.0.0.143
# auth_cluster_required = cephx
# auth_service_required = cephx
# auth_client_required = cephx
auth_cluster_required = none
auth_service_required = none
auth_client_required = none
[root@ceph142 ~]# 

3. Operations on node ceph143

[root@ceph143 ~]# cat /etc/ceph/ceph.conf 
[global]
fsid = 5821e29c-326d-434d-a5b6-c492527eeaad
public_network = 10.0.0.0/24
mon_initial_members = ceph141, ceph142, ceph143
mon_host = 10.0.0.141,10.0.0.142,10.0.0.143
# auth_cluster_required = cephx
# auth_service_required = cephx
# auth_client_required = cephx
auth_cluster_required = none
auth_service_required = none
auth_client_required = none
[root@ceph143 ~]# 

4. Reboot all servers.

reboot

5. Client verification: the cluster can still be accessed without a keyring file, which shows that cephx has been disabled successfully

[root@ceph144 ~]# ll /etc/ceph/  # Note: there are no authentication-related files here!
total 8
-rw-r--r-- 1 root root 260 Feb  2 10:44 ceph.conf
-rw-r--r-- 1 root root  92 Jun 30  2021 rbdmap
-rw------- 1 root root   0 Feb  1 16:50 tmpEYwKWU
[root@ceph144 ~]# 
[root@ceph144 ~]# ceph  -s  # Even without an authentication file, we can still view the cluster status
  cluster:
    id:     5821e29c-326d-434d-a5b6-c492527eeaad
    health: HEALTH_OK
 
  services:
    mon: 3 daemons, quorum ceph141,ceph142,ceph143 (age 25m)
    mgr: ceph142(active, since 25m), standbys: ceph141, ceph143
    osd: 7 osds: 7 up (since 25m), 7 in (since 18h)
 
  data:
    pools:   3 pools, 96 pgs
    objects: 60 objects, 100 MiB
    usage:   7.8 GiB used, 1.9 TiB / 2.0 TiB avail
    pgs:     96 active+clean
 
[root@ceph144 ~]# 
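The state reached above (all three auth_*_required keys set to none, the cephx lines commented out) is exactly what a defender wants to catch early. The following POSIX sh audit is an added example, not from the original post or from Ceph: it reads a ceph.conf the way Ceph does (comment lines ignored, last assignment wins, "auth cluster required" accepted as a spelling of auth_cluster_required, missing keys falling back to the default cephx) and fails when any key is not cephx. The two sample config files are constructed here, not captured from a cluster.

```shell
#!/bin/sh
# Added example: audit a ceph.conf for disabled cephx authentication.

# Print the value Ceph would effectively use for key $2 in config file $1:
# the last uncommented assignment, or the default "cephx" if the key is absent.
cephx_effective() {
    v=$(sed -n \
        -e 's/[[:space:]]*[#;].*$//' \
        -e 's/^[[:space:]]*auth[[:space:]]\([a-z]*\)[[:space:]]required/auth_\1_required/' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        "$1" | tail -n 1)
    printf '%s\n' "${v:-cephx}"
}

# Report all three keys; return 1 if any of them is not cephx.
cephx_audit() {
    rc=0
    for key in auth_cluster_required auth_service_required auth_client_required; do
        val=$(cephx_effective "$1" "$key")
        if [ "$val" = "cephx" ]; then
            printf '%-22s %s\n' "$key" "$val"
        else
            printf '%-22s %s   <-- authentication disabled\n' "$key" "$val"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples (not from a real cluster): the post's "disabled" state,
# and an "enabled" state using the space-separated spelling with one key omitted.
CEPHX_DISABLED_CONF=$(mktemp)
cat > "$CEPHX_DISABLED_CONF" <<'EOF'
[global]
fsid = 5821e29c-326d-434d-a5b6-c492527eeaad
# auth_cluster_required = cephx
auth_cluster_required = none
auth_service_required = none
auth_client_required = none
EOF
CEPHX_ENABLED_CONF=$(mktemp)
cat > "$CEPHX_ENABLED_CONF" <<'EOF'
[global]
; auth_client_required is deliberately absent, so the default (cephx) applies
auth cluster required = cephx
auth_service_required = cephx
EOF

cephx_audit "$CEPHX_DISABLED_CONF" || echo "=> $CEPHX_DISABLED_CONF accepts unauthenticated clients"
cephx_audit "$CEPHX_ENABLED_CONF" && echo "=> $CEPHX_ENABLED_CONF requires cephx"
```

On Mimic and later releases, options can also live in the monitor configuration database rather than in ceph.conf, so pair this file check with the output of `ceph config dump` on the cluster.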

III. Enabling the cephx protocol on a Ceph cluster in practice

1. Operations on node ceph141

[root@ceph141 ~]# cat /etc/ceph/ceph.conf 
[global]
fsid = 5821e29c-326d-434d-a5b6-c492527eeaad
public_network = 10.0.0.0/24
mon_initial_members = ceph141, ceph142, ceph143
mon_host = 10.0.0.141,10.0.0.142,10.0.0.143
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
[root@ceph141 ~]# 

2. Operations on node ceph142

[root@ceph142 ~]# cat /etc/ceph/ceph.conf 
[global]
fsid = 5821e29c-326d-434d-a5b6-c492527eeaad
public_network = 10.0.0.0/24
mon_initial_members = ceph141, ceph142, ceph143
mon_host = 10.0.0.141,10.0.0.142,10.0.0.143
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
[root@ceph142 ~]# 

3. Operations on node ceph143

[root@ceph143 ~]# cat /etc/ceph/ceph.conf 
[global]
fsid = 5821e29c-326d-434d-a5b6-c492527eeaad
public_network = 10.0.0.0/24
mon_initial_members = ceph141, ceph142, ceph143
mon_host = 10.0.0.141,10.0.0.142,10.0.0.143
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
[root@ceph143 ~]# 

4. Instead of rebooting the servers, you can also restart the services directly (note the OSD numbers on each node)

[root@ceph143 ~]# ceph osd tree
ID CLASS WEIGHT  TYPE NAME        STATUS REWEIGHT PRI-AFF 
-1       1.95319 root default                             
-3       0.48830     host ceph141                         
 0   hdd 0.19530         osd.0        up  1.00000 1.00000 
 1   hdd 0.29300         osd.1        up  1.00000 1.00000 
-5       0.97659     host ceph142                         
 2   hdd 0.19530         osd.2        up  1.00000 1.00000 
 3   hdd 0.29300         osd.3        up  1.00000 1.00000 
 4   hdd 0.48830         osd.4        up  1.00000 1.00000 
-7       0.48830     host ceph143                         
 5   hdd 0.19530         osd.5        up  1.00000 1.00000 
 6   hdd 0.29300         osd.6        up  1.00000 1.00000 
[root@ceph143 ~]# 
Restart services on node ceph141:
	systemctl restart ceph.target
	systemctl restart ceph-mon.target
	systemctl restart ceph-mon.target
	systemctl restart ceph-osd@0
	systemctl restart ceph-osd@1

Restart services on node ceph142:
	systemctl restart ceph.target
	systemctl restart ceph-mon.target
	systemctl restart ceph-mon.target
	systemctl restart ceph-osd@2
	systemctl restart ceph-osd@3
	systemctl restart ceph-osd@4


Restart services on node ceph143:
	systemctl restart ceph.target
	systemctl restart ceph-mon.target
	systemctl restart ceph-mon.target
	systemctl restart ceph-osd@5
	systemctl restart ceph-osd@6

5. Verify again

[root@ceph144 ~]# ll /etc/ceph/  # Note: there are no authentication-related files here!
total 8
-rw-r--r-- 1 root root 260 Feb  2 10:44 ceph.conf
-rw-r--r-- 1 root root  92 Jun 30  2021 rbdmap
-rw------- 1 root root   0 Feb  1 16:50 tmpEYwKWU
[root@ceph144 ~]# 
[root@ceph144 ~]# ceph -s  # Clearly, without an authentication file the command errors out
2024-02-02 09:44:38.983 7f82e96cc700 -1 auth: unable to find a keyring on /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin,: (2) No such file or directory
2024-02-02 09:44:38.983 7f82e96cc700 -1 AuthRegistry(0x7f82e40662b8) no keyring found at /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin,, disabling cephx
2024-02-02 09:44:39.010 7f82e96cc700 -1 auth: unable to find a keyring on /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin,: (2) No such file or directory
2024-02-02 09:44:39.010 7f82e96cc700 -1 AuthRegistry(0x7f82e40c7dc8) no keyring found at /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin,, disabling cephx
2024-02-02 09:44:39.011 7f82e96cc700 -1 auth: unable to find a keyring on /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin,: (2) No such file or directory
2024-02-02 09:44:39.011 7f82e96cc700 -1 AuthRegistry(0x7f82e96cae78) no keyring found at /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin,, disabling cephx
[errno 2] error connecting to the cluster
[root@ceph144 ~]# 
posted @ 2021-01-14 23:45  尹正杰