
What if humans want to use the "cephadm" user to administer their Ceph cluster? #365

Open
smithfarm opened this issue Sep 3, 2020 · 8 comments

Comments

@smithfarm
Contributor

At present, we know that:

  1. mgr/cephadm (the "cephadm orchestrator"), running on a MGR node, uses SSH to run commands on other cluster nodes managed by it
  2. ceph-salt is now configuring mgr/cephadm to SSH to other nodes as the user cephadm
  3. the user cephadm can use sudo to run certain commands as root

It occurred to me that human administrators might not want to be logged in as root while administering their Ceph clusters. Such administrators might welcome the possibility of using a non-root user for their day-to-day cluster admin work.

Therefore, I opened this issue to discuss whether it would make sense for ceph-salt (or, perhaps, cephadm itself) to set the ownership/permissions of the admin keyring file so that the file becomes readable by the user cephadm?

@smithfarm
Contributor Author

@Martin-Weiss Any thoughts on this?

@Martin-Weiss

I see two things - on one hand we want a standardized user for cephadm and ceph-salt to be used (service user) and I would vote to call this user cephadm. Admins can also use this user with "su" and in this case - yes - the user cephadm should also be able to read the admin keyring.

On the other hand customers need personalized administration with auditing and logging so that someone can find out "who did what and when" - and for this we would have to use user-identities from the customers centralized identity store (ldap / active directory..).

But - so far there is no cephx <-> ldap/active-directory integration possible (AFAIK), so the second point with personalized administration is basically only available in the dashboard (partially).

So for the moment I would vote for giving the user cephadm also access to the admin keyring in case the customer is not using root anyway.

@smithfarm
Contributor Author

If the admin keyring is to be readable by the user cephadm (and I agree with @Martin-Weiss that it should be), then the ownership/permissions would need to be set that way by cephadm itself when it creates the admin keyring file.

@sebastian-philipp Your thoughts on this?

@smithfarm
Contributor Author

smithfarm commented Sep 4, 2020

What this boils down to is:

  1. when users see a user called "cephadm" they will think "Ceph admin account" and want to use it for Ceph administration
  2. yet, if admin keyring is owned by root with permissions 0600, they cannot
  3. not being able to makes no sense and causes frustration

@sebastian-philipp
Contributor

would extending

https://github.com/ceph/ceph/blob/b5e47e7bfaa4717cee5b808546260b9484c585ae/src/cephadm/cephadm#L2840-L2845

with something like

if args.ssh_user:
    # hand the freshly written 0600 keyring to the configured SSH user
    # (f is the open file object, so .name is an attribute, not a call)
    shutil.chown(f.name, user=args.ssh_user, group=args.ssh_user)

work?
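To show the whole pattern the thread converges on (write the keyring with mode 0600 regardless of umask, then hand it to the non-root admin user, and verify the result), here is an added example. It is not cephadm's or ceph-salt's code; the function names `write_admin_keyring`, `keyring_is_private` and `demo`, and the `owner` parameter standing in for `--ssh-user`, are hypothetical, and the key value is constructed.

```python
import os
import pwd
import shutil
import stat
import tempfile

# Added example, not cephadm's or ceph-salt's code. It mirrors the proposal in
# this thread: create the admin keyring 0600, then chown it to the configured
# SSH user so a non-root "cephadm" account can read it. All names are
# hypothetical; the key string used in demo() is constructed.


def write_admin_keyring(path, admin_key, owner=None):
    """Write a [client.admin] keyring to `path` with mode 0600.

    `owner` is a user name (the analogue of cephadm's --ssh-user); None keeps
    the file owned by the writing process. Returns (uid, gid, mode) of the
    file actually on disk so the caller can confirm the post-condition.
    """
    # Ask for 0600 at open time so a permissive umask can never expose the
    # key between creation and the write below.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        with os.fdopen(fd, "w") as f:
            # O_CREAT's mode is ignored for a pre-existing file, so force it.
            os.fchmod(f.fileno(), 0o600)
            f.write("[client.admin]\n\tkey = %s\n" % admin_key)
            if owner is not None:
                pw = pwd.getpwnam(owner)
                # Use the user's primary gid rather than assuming a group
                # named after the user exists on every host.
                os.fchown(f.fileno(), pw.pw_uid, pw.pw_gid)
            st = os.fstat(f.fileno())
    except Exception:
        # Never leave a half-written or wrongly owned keyring behind.
        if os.path.exists(path):
            os.unlink(path)
        raise
    return st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)


def keyring_is_private(path, owner=None):
    """True only if `path` is a regular file with mode exactly 0600 and, when
    `owner` is given, owned by that user. Suitable as a bootstrap
    post-condition or as a periodic audit of /etc/ceph."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if stat.S_IMODE(st.st_mode) != 0o600:
        return False
    if owner is not None and st.st_uid != pwd.getpwnam(owner).pw_uid:
        return False
    return True


def demo():
    """Exercise the writer as the current user (standing in for 'cephadm')
    under a deliberately permissive umask and report what the check sees."""
    try:
        me = pwd.getpwuid(os.getuid()).pw_name
    except KeyError:            # uid without a passwd entry (some containers)
        me = None
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ceph.client.admin.keyring")
    old_umask = os.umask(0o000)
    try:
        uid, gid, mode = write_admin_keyring(path, "AQ-constructed-key==", owner=me)
        private = keyring_is_private(path, owner=me)
        os.chmod(path, 0o644)   # simulate a careless "fix" that widens access
        loosened = keyring_is_private(path, owner=me)
    finally:
        os.umask(old_umask)
        shutil.rmtree(tmpdir, ignore_errors=True)
    return {"mode": mode, "owner_ok": uid == os.getuid(),
            "private": private, "after_chmod_644": loosened}


if __name__ == "__main__":
    print(demo())
```

Changing ownership to a different user needs root, which cephadm bootstrap has; the check function is the part worth keeping around afterwards, since it catches the common drift where someone widens the keyring to 0644 to make it readable instead of fixing ownership.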

@smithfarm
Contributor Author

@sebastian-philipp To me it looks like that would do the trick. @ricardoasmarques ?

@ricardoasmarques
Contributor

I haven't tested, but I think so too.

@smithfarm
Contributor Author

ceph/ceph#37393 is open to address the issue in cephadm as suggested by @sebastian-philipp
