Open smithfarm opened 4 years ago
@Martin-Weiss Any thoughts on this?
I see two things - on one hand we want a standardized user for cephadm and ceph-salt to be used (service user) and I would vote to call this user cephadm. Admins can also use this user with "su" and in this case - yes - the user cephadm should also be able to read the admin keyring.
On the other hand customers need personalized administration with auditing and logging so that someone can find out "who did what and when" - and for this we would have to use user-identities from the customers centralized identity store (ldap / active directory..).
But - so far there is no cephx <-> ldap/active-directory integration possible (AFAIK), so the second point with personalized administration is basically only available in the dashboard (partially).
So for the moment I would vote for giving the user cephadm also access to the admin keyring in case the customer is not using root anyway.
If the admin keyring is to be readable by the user cephadm (and I agree with @Martin-Weiss that it should be), then the ownership/permissions would need to be set that way by cephadm itself when it creates the admin keyring file.
@sebastian-philipp Your thoughts on this?
What this boils down to is:
would extending
with something like
```python
if args.ssh_user:
    # f.name is an attribute of the open file object, not a method
    shutil.chown(f.name, user=args.ssh_user, group=args.ssh_user)
```
work?
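The suggestion above chowns the keyring after it has been written. The added example below (not cephadm's or ceph-salt's own code; the function names, the `(uid, gid)` tuple form of `owner`, and the sample keyring with its placeholder key are assumptions made for this illustration) shows the shape a practitioner would want for that step: write the keyring with mode 0600 into a temporary file in the target directory, chown it to the service user, and only then rename it into place, so there is never a moment when a readable but wrongly owned keyring sits at the final path. It also includes a small audit helper that reports a keyring whose mode or owner is not what was intended.

```python
import os
import pwd
import stat
import tempfile

# Constructed sample keyring; the key value is a placeholder, not a real secret.
SAMPLE_KEYRING = "[client.admin]\n\tkey = PLACEHOLDER-NOT-A-REAL-KEY==\n"


def _resolve_owner(owner):
    """Accept a login name or a (uid, gid) tuple and return (uid, gid)."""
    if isinstance(owner, tuple):
        return owner
    pw = pwd.getpwnam(owner)  # raises KeyError if the user does not exist
    return pw.pw_uid, pw.pw_gid


def write_keyring(path, content, owner=None):
    """Write a keyring to `path` with mode 0600, owned by `owner`, atomically.

    The data goes to a temporary file in the destination directory, is
    chowned there, then renamed over `path`, so no partially written or
    wrongly permissioned keyring is ever visible under the final name.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".keyring.", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(fd, 0o600)  # mkstemp already uses 0600; be explicit
            f.write(content)
        if owner is not None:
            uid, gid = _resolve_owner(owner)
            os.chown(tmp, uid, gid)  # chown the temp file before it goes live
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def audit_keyring(path, expected_owner):
    """Return a list of findings; an empty list means the keyring is protected."""
    st = os.stat(path)
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access" % mode)
    uid, _ = _resolve_owner(expected_owner)
    if st.st_uid != uid:
        findings.append("owned by uid %d, expected uid %d" % (st.st_uid, uid))
    return findings


def selfcheck():
    """Exercise both helpers in a temp dir as the current user; return results."""
    me = (os.getuid(), os.getgid())
    with tempfile.TemporaryDirectory() as d:
        good = write_keyring(os.path.join(d, "ceph.client.admin.keyring"),
                             SAMPLE_KEYRING, owner=me)
        with open(good) as f:
            content = f.read()
        good_findings = audit_keyring(good, me)
        # A keyring left world-readable: the mistake the audit should catch.
        bad = os.path.join(d, "leaked.keyring")
        with open(bad, "w") as f:
            f.write(SAMPLE_KEYRING)
        os.chmod(bad, 0o644)
        bad_findings = audit_keyring(bad, me)
    return {"content_ok": content == SAMPLE_KEYRING,
            "good": good_findings, "bad": bad_findings}


if __name__ == "__main__":
    print(selfcheck())
```

Passing the owner as a login name (`owner="cephadm"`) is the realistic call; changing ownership to a different user needs root, which is where cephadm itself runs. The audit helper is the kind of check a ceph-salt health step could run after deployment to confirm the keyring is neither group- nor world-readable.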
@sebastian-philipp To me it looks like that would do the trick. @ricardoasmarques ?
I haven't tested, but I think so too.
https://github.com/ceph/ceph/pull/37393 is open to address the issue in cephadm as suggested by @sebastian-philipp
At present, we know that: cephadm can use sudo to run certain commands as root.

It occurred to me that human administrators might not want to be logged in as root while administering their Ceph clusters. Such administrators might welcome the possibility of using a non-root user for their day-to-day cluster admin work. Therefore, I opened this issue to discuss whether it would make sense for ceph-salt (or, perhaps, cephadm itself) to set the ownership/permissions of the admin keyring file so that the file becomes readable by the user cephadm?