cephx认证及启用和禁用实战

简介: 这篇文章介绍了如何在Ceph集群中禁用和启用cephx认证协议,包括修改配置文件、重启服务以及验证配置更改的效果。

一.cephx概述

1.cephx简介

为了识别用户并防止中间人攻击,Ceph提供了cephx身份验证系统来验证用户和守护进程。

注意cephx协议不解决传输中的数据加密(例如SSL/TLS)或静止时的加密问题。


参考链接:
    https://docs.ceph.com/en/nautilus/rados/configuration/auth-config-ref/
    https://docs.ceph.com/en/nautilus/rados/operations/operating/
    https://docs.ceph.com/en/nautilus/architecture/#high-availability-authentication


温馨提示:
    生产环境中,不建议关闭cephx认证,因为没有认证则集群任意节点都可以直接操作,除非内环环境相对安全。

2.cephx相关参数说明

- auth_cluster_required 
    如果启用,Ceph存储群集守护进程(即Ceph-mon、Ceph-osd、Ceph-mds和Ceph-mgr)必须相互进行身份验证。
    有效设置为cephx或none,默认值为"cephx"。

- auth_service_required 
    如果启用,则Ceph存储群集守护进程要求Ceph客户端向Ceph存储集群进行身份验证,以便访问Ceph服务。
    有效设置为cephx或none,默认值为"cephx"。

- auth_client_required
    如果启用,Ceph客户端需要Ceph存储群集向Ceph客户端进行身份验证。
    有效设置为cephx或none,默认值为"cephx"。


温馨提示:
    如下所示,Cephx使用共享密钥进行身份验证,这意味着客户端和监控集群都有客户端密钥的副本。 
[root@ceph141 ~]# cat /etc/ceph/ceph.client.admin.keyring 
[client.admin]
    key = AQDjFrplyvFCDhAApJg111YMIGQ6/F/x/Y+qpQ==  # 注意,这就是admin用户的秘钥。
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow *"
    caps osd = "allow *"
[root@ceph141 ~]#

二.ceph集群禁用cephx协议实战

1.ceph141节点操作

[root@ceph141 ~]# cat /etc/ceph/ceph.conf 
[global]
fsid = 5821e29c-326d-434d-a5b6-c492527eeaad
public_network = 10.0.0.0/24
mon_initial_members = ceph141, ceph142, ceph143
mon_host = 10.0.0.141,10.0.0.142,10.0.0.143
# auth_cluster_required = cephx
# auth_service_required = cephx
# auth_client_required = cephx
auth_cluster_required = none
auth_service_required = none
auth_client_required = none
[root@ceph141 ~]#

2.ceph142节点操作

[root@ceph142 ~]# cat /etc/ceph/ceph.conf 
[global]
fsid = 5821e29c-326d-434d-a5b6-c492527eeaad
public_network = 10.0.0.0/24
mon_initial_members = ceph141, ceph142, ceph143
mon_host = 10.0.0.141,10.0.0.142,10.0.0.143
# auth_cluster_required = cephx
# auth_service_required = cephx
# auth_client_required = cephx
auth_cluster_required = none
auth_service_required = none
auth_client_required = none
[root@ceph142 ~]#

3.ceph143节点操作

[root@ceph143 ~]# cat /etc/ceph/ceph.conf 
[global]
fsid = 5821e29c-326d-434d-a5b6-c492527eeaad
public_network = 10.0.0.0/24
mon_initial_members = ceph141, ceph142, ceph143
mon_host = 10.0.0.141,10.0.0.142,10.0.0.143
# auth_cluster_required = cephx
# auth_service_required = cephx
# auth_client_required = cephx
auth_cluster_required = none
auth_service_required = none
auth_client_required = none
[root@ceph143 ~]#

4.重启所有的服务器即可。

reboot

5.客户端验证,没有秘钥文件依旧可以访问集群,说明关闭cephx成功啦

[root@ceph144 ~]# ll /etc/ceph/  # 注意,此处我没有认证的相关文件哟!
total 8
-rw-r--r-- 1 root root 260 Feb  2 10:44 ceph.conf
-rw-r--r-- 1 root root  92 Jun 30  2021 rbdmap
-rw------- 1 root root   0 Feb  1 16:50 tmpEYwKWU
[root@ceph144 ~]# 
[root@ceph144 ~]# ceph  -s  # 尽管没有认证文件,我们发现依旧是可以查看集群状态的
  cluster:
    id:     5821e29c-326d-434d-a5b6-c492527eeaad
    health: HEALTH_OK

  services:
    mon: 3 daemons, quorum ceph141,ceph142,ceph143 (age 25m)
    mgr: ceph142(active, since 25m), standbys: ceph141, ceph143
    osd: 7 osds: 7 up (since 25m), 7 in (since 18h)

  data:
    pools:   3 pools, 96 pgs
    objects: 60 objects, 100 MiB
    usage:   7.8 GiB used, 1.9 TiB / 2.0 TiB avail
    pgs:     96 active+clean

[root@ceph144 ~]#

三.ceph集群启用cephx协议实战

1.ceph141节点操作

[root@ceph141 ~]# cat /etc/ceph/ceph.conf 
[global]
fsid = 5821e29c-326d-434d-a5b6-c492527eeaad
public_network = 10.0.0.0/24
mon_initial_members = ceph141, ceph142, ceph143
mon_host = 10.0.0.141,10.0.0.142,10.0.0.143
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
[root@ceph141 ~]#

2.ceph142节点操作

[root@ceph142 ~]# cat /etc/ceph/ceph.conf 
[global]
fsid = 5821e29c-326d-434d-a5b6-c492527eeaad
public_network = 10.0.0.0/24
mon_initial_members = ceph141, ceph142, ceph143
mon_host = 10.0.0.141,10.0.0.142,10.0.0.143
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
[root@ceph142 ~]#

3.ceph143节点操作

[root@ceph143 ~]# cat /etc/ceph/ceph.conf 
[global]
fsid = 5821e29c-326d-434d-a5b6-c492527eeaad
public_network = 10.0.0.0/24
mon_initial_members = ceph141, ceph142, ceph143
mon_host = 10.0.0.141,10.0.0.142,10.0.0.143
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
[root@ceph143 ~]#

4.除了重启服务器外,也可以直接重启服务(注意各节点的osd编号)

[root@ceph143 ~]# ceph osd tree
ID CLASS WEIGHT  TYPE NAME        STATUS REWEIGHT PRI-AFF 
-1       1.95319 root default                             
-3       0.48830     host ceph141                         
 0   hdd 0.19530         osd.0        up  1.00000 1.00000 
 1   hdd 0.29300         osd.1        up  1.00000 1.00000 
-5       0.97659     host ceph142                         
 2   hdd 0.19530         osd.2        up  1.00000 1.00000 
 3   hdd 0.29300         osd.3        up  1.00000 1.00000 
 4   hdd 0.48830         osd.4        up  1.00000 1.00000 
-7       0.48830     host ceph143                         
 5   hdd 0.19530         osd.5        up  1.00000 1.00000 
 6   hdd 0.29300         osd.6        up  1.00000 1.00000 
[root@ceph143 ~]# 
ceph141节点重启服务:
    systemctl restart ceph.target
    systemctl restart ceph-mon.target
    systemctl restart ceph-mon.target
    systemctl restart ceph-osd@0
    systemctl restart ceph-osd@1

ceph142节点重启服务:
    systemctl restart ceph.target
    systemctl restart ceph-mon.target
    systemctl restart ceph-mon.target
    systemctl restart ceph-osd@2
    systemctl restart ceph-osd@3
    systemctl restart ceph-osd@4


ceph143节点重启服务:
    systemctl restart ceph.target
    systemctl restart ceph-mon.target
    systemctl restart ceph-mon.target
    systemctl restart ceph-osd@5
    systemctl restart ceph-osd@6

5.再次验证

[root@ceph144 ~]# ll /etc/ceph/  # 注意,此处我没有认证的相关文件哟!
total 8
-rw-r--r-- 1 root root 260 Feb  2 10:44 ceph.conf
-rw-r--r-- 1 root root  92 Jun 30  2021 rbdmap
-rw------- 1 root root   0 Feb  1 16:50 tmpEYwKWU
[root@ceph144 ~]# 
[root@ceph144 ~]# ceph -s  # 很明显,没有认证文件就会报错哟~
2024-02-02 09:44:38.983 7f82e96cc700 -1 auth: unable to find a keyring on /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin,: (2) No such file or directory
2024-02-02 09:44:38.983 7f82e96cc700 -1 AuthRegistry(0x7f82e40662b8) no keyring found at /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin,, disabling cephx
2024-02-02 09:44:39.010 7f82e96cc700 -1 auth: unable to find a keyring on /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin,: (2) No such file or directory
2024-02-02 09:44:39.010 7f82e96cc700 -1 AuthRegistry(0x7f82e40c7dc8) no keyring found at /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin,, disabling cephx
2024-02-02 09:44:39.011 7f82e96cc700 -1 auth: unable to find a keyring on /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin,: (2) No such file or directory
2024-02-02 09:44:39.011 7f82e96cc700 -1 AuthRegistry(0x7f82e96cae78) no keyring found at /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin,, disabling cephx
[errno 2] error connecting to the cluster
[root@ceph144 ~]#
目录
相关文章
|
存储 安全 应用服务中间件
你的ES还在裸奔吗?还不赶紧开启X-Pack权限认证
你的ES还在裸奔吗?还不赶紧开启X-Pack权限认证
1533 0
你的ES还在裸奔吗?还不赶紧开启X-Pack权限认证
|
5月前
|
Kubernetes API 网络架构
k8s学习-CKS真题-启用API Server认证,禁止匿名访问
k8s学习-CKS真题-启用API Server认证,禁止匿名访问
152 0
禁用与启用
禁用与启用
110 0
禁用与启用
|
Web App开发 网络协议 网络安全
启用ECH的配置
开启 Encrypted Client Hello (Secure SNI)
4757 0
|
安全 前端开发 架构师
阿里规定代码中禁用这个,为何?
在项目开发过程中经常遇到时间处理,但你真的用对了吗,理解阿里巴巴开发手册中禁用static修饰SimpleDateFormat吗?
Confluence 6 禁用或者重新启用一个任务
在默认的情况下,所有的 Confluence 计划任务都是默认启用的。 使用 启用(Disable )/ 禁用(Enable )连接操作来启用和禁用每一个计划任务。
976 0