Ceph authentication and authorization

In this recipe, we will cover the authentication and authorization mechanism used by Ceph. Users are either individuals or system actors such as applications, which use Ceph clients to interact with the Ceph storage cluster daemons. The following diagram illustrates this flow:

Ceph provides two authentication modes. They are as follows:

  • none: With this mode, any user can access the Ceph cluster without authentication. This mode is disabled by default. Cryptographic authentication, which includes encrypting and decrypting user keys, has some computational costs. You can disable the Ceph authentication if you are very sure that your network infrastructure is secure, the clients/Ceph cluster nodes have established trust, and you want to save some computation by disabling authentication. However, this is not recommended, and you might be at risk of a man-in-the-middle attack. Still, if you are interested in disabling the Ceph authentication, you can do it by adding the following parameters in the global section of your Ceph configuration file on all the nodes, followed by the Ceph service restart:
        auth cluster required = none
        auth service required = none
        auth client required = none
  • cephx: Ceph provides its own Cephx authentication system to authenticate users and daemons, in order to identify users and protect against man-in-the-middle attacks. The Cephx protocol works similarly to Kerberos to some extent and allows clients to access the Ceph cluster. It's worth knowing that the Cephx protocol does not encrypt data. In a Ceph cluster, the Cephx protocol is enabled by default. If you have disabled Cephx by adding the preceding auth options to your cluster configuration file, then you can re-enable Cephx in two ways. One is to simply remove the auth entries that are set to none from the cluster configuration file; the other is to explicitly enable Cephx by adding the following options to the cluster configuration file and restarting the Ceph services:
        auth cluster required = cephx
        auth service required = cephx
        auth client required = cephx

Now that we have covered the different authentication modes of Ceph, let's understand how authentication and authorization work within Ceph.
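As an added example (not part of this recipe or of Ceph itself), the following Python script audits a ceph.conf fragment for the three auth settings discussed above and reports which ones are set to none. It uses a small hand-written parser rather than Ceph's own config library, relies on the fact that Ceph accepts both "auth cluster required" and "auth_cluster_required" as the same option, and treats a missing setting as cephx, which is Ceph's default; the two config fragments are constructed for this example.

```python
# The three settings from the recipe; Ceph defaults each of them to cephx.
AUTH_KEYS = ("auth_cluster_required", "auth_service_required", "auth_client_required")

# Constructed sample: the weak configuration the recipe warns about.
WEAK_CONF = """
[global]
fsid = 00000000-0000-0000-0000-000000000000   # placeholder, not a real cluster id
auth cluster required = none
auth service required = none
auth client required = none
"""

# Constructed sample: the same fragment with cephx explicitly enabled.
HARDENED_CONF = """
[global]
fsid = 00000000-0000-0000-0000-000000000000   # placeholder, not a real cluster id
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
"""


def normalize_key(key):
    """Map 'auth cluster required' and 'auth_cluster_required' to one spelling."""
    return "_".join(key.strip().lower().replace("_", " ").split())


def parse_ceph_conf(text):
    """Minimal INI-style parser: {section: {normalized_key: value}}, '#'/';' comments stripped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][normalize_key(key)] = value.strip().lower()
    return conf


def effective_auth(conf):
    """Effective value of each auth setting in [global]; absent means the cephx default."""
    global_section = conf.get("global", {})
    return {key: global_section.get(key, "cephx") for key in AUTH_KEYS}


def audit_auth(text):
    """Return the auth settings whose effective value is 'none' (empty list means cephx everywhere)."""
    return [key for key, value in effective_auth(parse_ceph_conf(text)).items() if value == "none"]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "-> settings disabled:", audit_auth(text) or "none (cephx in effect)")
```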
