cauthtool - ceph keyring manipulation tool

NAME

       cauthtool - ceph keyring manipulation tool

SYNOPSIS

       cauthtool  keyringfile [ -l | --list ] [ -c | --create-keyring ] [ -p |
       --print ] [ -n | --name entityname ] [ --gen-key ]  [  -a  |  --add-key
       base64_key ] [ --caps capfils ]

DESCRIPTION

       cauthtool is a utility to create, view, and modify a Ceph keyring file.
       A keyring file stores one or more Ceph authentication keys and possibly
       an associated capability specification.  Each key is associated with an
       entity name, of the form {client,mon,mds,osd}.name.

OPTIONS

       -l, --list
              will list all keys and capabilities present in the keyring.

       -p, --print
              will print an encoded key for the specified entityname.  This is
              suitable for the mount -o secret= argument.

       -c, --create-keyring
              will create a new keyring, overwriting any existing keyringfile.

       --gen-key
              will generate a new secret key for the specified entityname:

       --add-key
              will add an encoded key to the keyring.

       --caps capsfile
              will set the capabilities associated with a given key.

CAPS FILE FORMAT

       The caps file format consists of zero or more key/value pairs.  The key
       is  the  name  of  the  Ceph subsystem (osd, mds, mon).  The value is a
       comma separated list of allow, deny clauses with a permission specifier
       containing one or more of rwx, for read, write, and execute permission.
       If you want to declare the key an administrator (with  full  privileges
       on everything), use the shorthand 'subsystem = "allow *"'. For example,

              osd = "allow rwx [pool=foo[,bar]]|[uid=baz[,bay]]"  # can  read,
              write, and execute objects

              mds = "allow"      # can access mds server

              mon = "allow rwx"  # can modify cluster state (i.e., is a server
              daemon)

       A librados user restricted to a single pool might look like

              osd = "allow rw pool foo"

       A client mounting the file system with minimal permissions  would  need
       caps like

              mds = "allow"

              osd = "allow rw; allow rw pool = data_pool_num"

              mon = "allow r"

EXAMPLE

       To create a new keyring containing a key for client.foo:

              cauthtool -c -n client.foo --gen-key keyring.bin

       To associate some capabilities with the key:

              cauthtool -n client.foo --caps foocaps.conf keyring.bin

       To display the contents of the keyring:

              cauthtool -l keyring.bin

       When  mount  a Ceph file system, you can grab the appropriately encoded
       secret key with

              mount     -t      ceph      serverhost:/      mountpoint      -o
              name=foo,secret=`cauthtool -p -n client.foo keyring.bin`

AVAILABILITY

       cauthtool is part of the Ceph distributed file system.  Please refer to
       the Ceph wiki at http://ceph.newdream.net/wiki for more information.

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

CAPS FILE FORMAT

EXAMPLE

AVAILABILITY

SEE ALSO