

       cauthtool - ceph keyring manipulation tool


       cauthtool  keyringfile [ -l | --list ] [ -c | --create-keyring ] [ -p |
       --print ] [ -n | --name entityname ] [ --gen-key ]  [  -a  |  --add-key
       base64_key ] [ --caps capsfile ]


       cauthtool is a utility to create, view, and modify a Ceph keyring file.
       A keyring file stores one or more Ceph authentication keys and possibly
       an associated capability specification.  Each key is associated with an
       entity name, of the form {client,mon,mds,osd}.name.


       -l, --list
              will list all keys and capabilities present in the keyring.

       -p, --print
              will print an encoded key for the specified entityname.  This is
              suitable for the mount -o secret= argument.

       -c, --create-keyring
              will create a new keyring, overwriting any existing keyringfile.

       --gen-key
              will generate a new secret key for the specified entityname.

       -a, --add-key base64_key
              will add an encoded key to the keyring.

       --caps capsfile
              will set the capabilities associated with a given key.


       The caps file format consists of zero or more key/value pairs.  The key
       is  the  name  of  the  Ceph subsystem (osd, mds, mon).  The value is a
       comma separated list of allow, deny clauses with a permission specifier
       containing one or more of rwx, for read, write, and execute permission.
       If you want to declare the key an administrator (with  full  privileges
       on everything), use the shorthand 'subsystem = "allow *"'. For example,

              osd = "allow rwx [pool=foo[,bar]]|[uid=baz[,bay]]"  # can read, write, and execute objects

              mds = "allow"      # can access mds server

              mon = "allow rwx"  # can modify cluster state (i.e., is a server

       A librados user restricted to a single pool might look like

              osd = "allow rw pool foo"

       A client mounting the file system with minimal permissions  would  need
       caps like

              mds = "allow"

              osd = "allow rw; allow rw pool = data_pool_num"

              mon = "allow r"
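
       The following is an added example, not part of cauthtool or Ceph: a
       small reader for the caps file format described above that lists each
       clause and flags grants broader than a single-purpose key needs. The
       grammar is inferred from this page's examples only, and the names
       parse_caps, audit, RESTRICTED and BROAD are hypothetical.

```python
import re

# Grammar inferred from this page's examples only; this is not Ceph's own parser.
LINE = re.compile(r'^\s*(osd|mds|mon)\s*=\s*"([^"]*)"')
CLAUSE = re.compile(r'^(allow|deny)\b\s*(\*|[rwx]+\b)?\s*(.*)$')

def parse_caps(text):
    """Return {subsystem: [(action, perms, scope), ...]} for a caps file."""
    caps = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank line, comment, or a subsystem this sketch does not know
        subsystem, value = m.groups()
        # Split on ',' or ';' only where a new allow/deny clause starts,
        # so a scope such as pool=foo,bar stays in one piece.
        for part in re.split(r'\s*[;,]\s*(?=(?:allow|deny)\b)', value.strip()):
            c = CLAUSE.match(part)
            if not c:
                raise ValueError(f"unparsed clause in {subsystem}: {part!r}")
            action, perms, scope = c.groups()
            caps.setdefault(subsystem, []).append((action, perms or "", scope.strip()))
    return caps

def audit(caps):
    """Flag allow clauses that grant more than a narrowly scoped key would."""
    findings = []
    for subsystem, clauses in caps.items():
        for action, perms, scope in clauses:
            if action != "allow":
                continue
            if perms == "*":
                # The page's shorthand for an administrator key.
                findings.append((subsystem, "admin: full privileges"))
            elif subsystem == "osd" and "w" in perms and not scope:
                findings.append((subsystem, "write access not limited to a pool or uid"))
            elif subsystem == "mon" and "w" in perms:
                findings.append((subsystem, "can modify cluster state"))
    return findings

# Constructed samples: a single-pool librados key, and an over-broad key.
RESTRICTED = 'osd = "allow rw pool foo"\nmon = "allow r"\n'
BROAD = 'osd = "allow *"\nmon = "allow rwx"  # constructed\nmds = "allow"\n'
```

       Running audit(parse_caps(...)) over a caps file before passing it to
       --caps shows which subsystems the key would be able to modify.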


       To create a new keyring containing a key for

              cauthtool -c -n --gen-key keyring.bin

       To associate some capabilities with the key:

              cauthtool -n --caps foocaps.conf keyring.bin

       To display the contents of the keyring:

              cauthtool -l keyring.bin

       When mounting a Ceph file system, you can grab the appropriately
       encoded secret key with

              mount -t ceph serverhost:/ mountpoint -o name=foo,secret=`cauthtool -p -n keyring.bin`


       cauthtool is part of the Ceph distributed file system.  Please refer to
       the Ceph wiki at for more information.