What if humans want to use the "cephadm" user to administer their Ceph cluster? #365
At present, we know that `cephadm` can use `sudo` to run certain commands as `root`.

It occurred to me that human administrators might not want to be logged in as `root` while administering their Ceph clusters. Such administrators might welcome the possibility of using a non-root user for their day-to-day cluster admin work. Therefore, I opened this issue to discuss whether it would make sense for ceph-salt (or, perhaps, cephadm itself) to set the ownership/permissions of the admin keyring file so that the file becomes readable by the user `cephadm`.

Comments

@Martin-Weiss Any thoughts on this?

I see two things. On one hand, we want a standardized user (a service user) for cephadm and ceph-salt, and I would vote to call this user cephadm. Admins can also use this user with "su", and in this case, yes, the user cephadm should also be able to read the admin keyring. On the other hand, customers need personalized administration with auditing and logging so that someone can find out "who did what and when", and for this we would have to use user identities from the customer's centralized identity store (LDAP / Active Directory). But so far there is no cephx <-> LDAP/Active Directory integration possible (AFAIK); the second point, personalized administration, is basically only available in the dashboard (partially). So for the moment I would vote for giving the user cephadm access to the admin keyring as well, in case the customer is not using root anyway.

If the admin keyring is to be readable by the user: @sebastian-philipp, your thoughts on this?

What this boils down to is: would extending with something like

```python
if args.ssh_user:
    # f is the open file handle of the keyring being written; name is an attribute, not a method
    shutil.chown(f.name, user=args.ssh_user, group=args.ssh_user)
```

work?

@sebastian-philipp To me it looks like that would do the trick. @ricardoasmarques?

I haven't tested, but I think so too.

ceph/ceph#37393 is open to address the issue in cephadm as suggested by @sebastian-philipp.
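The `shutil.chown` one-liner suggested in the thread settles who owns the keyring, but an operator will also want the file created with a mode that is not group- or world-readable regardless of umask, an unknown target user rejected before anything is written, and a way to verify the result. The following is an added example for this issue, not code from ceph-salt, cephadm or ceph/ceph#37393; the keyring path, the `owner` user name and the keyring contents are all assumptions or constructed sample data. It chowns to the calling user so it runs unprivileged; on a real node you would run it as root with `owner="cephadm"` (or whatever `--ssh-user` was), because chowning to another user needs root.

```python
"""Write a Ceph admin keyring readable by a non-root admin user and nobody else.

Added example for ceph-salt issue #365; not ceph-salt or cephadm code.
Assumptions: the target user name passed as `owner` is hypothetical, the
path is hypothetical, and SAMPLE_KEYRING is constructed sample data.
"""
import os
import pwd
import stat
import tempfile

# Constructed sample keyring; the key below is not a real Ceph key.
SAMPLE_KEYRING = """[client.admin]
\tkey = AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
\tcaps mds = "allow *"
\tcaps mgr = "allow *"
\tcaps mon = "allow *"
\tcaps osd = "allow *"
"""

CALLER_UID = os.getuid()


def write_keyring(path, content, owner=None):
    """Create `path` with mode 0600 and, if `owner` is given, hand it to that
    user and the user's primary group.

    O_CREAT|O_EXCL refuses to follow a pre-placed symlink at `path`; fchmod and
    fchown act on the descriptor so mode and owner are fixed before any content
    is written. The owner is resolved first so an unknown user fails before the
    keyring touches disk.
    """
    uid = gid = None
    if owner is not None:
        try:
            pw = pwd.getpwnam(owner)
        except KeyError:
            raise LookupError("keyring owner %r does not exist on this host" % owner)
        uid, gid = pw.pw_uid, pw.pw_gid
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)            # do not depend on the caller's umask
        if uid is not None:
            os.fchown(fd, uid, gid)     # admin user, not root, owns the keyring
        os.write(fd, content.encode())
    finally:
        os.close(fd)
    return path


def audit_keyring(path):
    """What an operator checks after bootstrap: owner, mode, and whether anyone
    other than the owner can read the keyring."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "uid": st.st_uid,
        "mode": mode,
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
    }


def unknown_owner_is_rejected():
    """The lookup happens before open(), so no file is created for a bad user."""
    try:
        write_keyring("/nonexistent-dir/ceph.client.admin.keyring", SAMPLE_KEYRING,
                      owner="no-such-user-ceph-salt-example")
    except LookupError:
        return True
    return False


def demo():
    """Write the sample keyring for the calling user into a fresh temporary
    directory and return the audit result."""
    try:
        me = pwd.getpwuid(CALLER_UID).pw_name
    except KeyError:          # e.g. a container running as an unnamed uid
        me = None
    path = os.path.join(tempfile.mkdtemp(), "ceph.client.admin.keyring")
    write_keyring(path, SAMPLE_KEYRING, owner=me)
    return audit_keyring(path)


if __name__ == "__main__":
    print(demo())
```

Note that this only addresses access: as Martin Weiss points out above, a shared `cephadm` user still gives you no per-person attribution, so pair it with sudo/SSH logging if you need to know who ran what.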