ceph / ceph-salt

Deploy Ceph clusters using cephadm
MIT License

What if humans want to use the "cephadm" user to administer their Ceph cluster? #365

Open smithfarm opened 4 years ago

smithfarm commented 4 years ago

At present, we know that:

  1. mgr/cephadm (the "cephadm orchestrator"), running on a MGR node, uses SSH to run commands on other cluster nodes managed by it
  2. ceph-salt is now configuring mgr/cephadm to SSH to other nodes as the user cephadm
  3. the user cephadm can use sudo to run certain commands as root

It occurred to me that human administrators might not want to be logged in as root while administering their Ceph clusters. Such administrators might welcome the possibility of using a non-root user for their day-to-day cluster admin work.

Therefore, I opened this issue to discuss whether it would make sense for ceph-salt (or, perhaps, cephadm itself) to set the ownership/permissions of the admin keyring file so that the file becomes readable by the user cephadm?

smithfarm commented 4 years ago

@Martin-Weiss Any thoughts on this?

Martin-Weiss commented 4 years ago

I see two things - on one hand we want a standardized user for cephadm and ceph-salt to be used (service user) and I would vote to call this user cephadm. Admins can also use this user with "su" and in this case - yes - the user cephadm should also be able to read the admin keyring.

On the other hand customers need personalized administration with auditing and logging so that someone can find out "who did what and when" - and for this we would have to use user-identities from the customer's centralized identity store (ldap / active directory..).

But so far there is no cephx <-> ldap/active-directory integration possible (AFAIK), so the second point with personalized administration is basically only available in the dashboard (partially).

So for the moment I would vote for giving the user cephadm also access to the admin keyring in case the customer is not using root anyway.

smithfarm commented 4 years ago

If the admin keyring is to be readable by the user cephadm (and I agree with @Martin-Weiss that it should be), then the ownership/permissions would need to be set that way by cephadm itself when it creates the admin keyring file.

@sebastian-philipp Your thoughts on this?

smithfarm commented 4 years ago

What this boils down to is:

  1. when users see a user called "cephadm" they will think "Ceph admin account" and want to use it for Ceph administration
  2. yet, if admin keyring is owned by root with permissions 0600, they cannot
  3. not being able to makes no sense and causes frustration

sebastian-philipp commented 4 years ago

would extending

https://github.com/ceph/ceph/blob/b5e47e7bfaa4717cee5b808546260b9484c585ae/src/cephadm/cephadm#L2840-L2845

with something like

if args.ssh_user:
    # let the SSH user own (and so read) the admin keyring
    shutil.chown(f.name, user=args.ssh_user, group=args.ssh_user)

work?

smithfarm commented 4 years ago

@sebastian-philipp To me it looks like that would do the trick. @ricardoasmarques ?

ricardoasmarques commented 4 years ago

I haven't tested, but I think so too.

smithfarm commented 4 years ago

https://github.com/ceph/ceph/pull/37393 is open to address the issue in cephadm as suggested by @sebastian-philipp
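
The ownership change discussed in this thread, as an added example that is not cephadm's or ceph-salt's own code: the keyring stays at mode 0600 and only its owner changes, and a small audit confirms that afterwards. The helper names `write_keyring` and `audit_keyring` and the key value are constructed for illustration, and the example changes the owner on the open descriptor with `os.fchown` rather than by path with `shutil.chown`.

```python
import os
import stat

def write_keyring(path, key, uid=-1, gid=-1):
    """Write a client.admin keyring as 0600 and hand it to uid/gid (-1 = keep)."""
    # O_NOFOLLOW: refuse to write through a symlink planted at the target path.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        # Tighten the mode first: a pre-existing file keeps its old mode on open.
        os.fchmod(f.fileno(), 0o600)
        # Change the owner on the descriptor, so the path cannot be swapped
        # between the write and the ownership change.
        os.fchown(f.fileno(), uid, gid)
        f.write("[client.admin]\n\tkey = " + key + "\n")

def audit_keyring(path, allowed_uids):
    """Return a list of findings; an empty list means the keyring is acceptable."""
    st = os.lstat(path)  # lstat: inspect the entry itself, do not follow links
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    if st.st_uid not in allowed_uids:
        findings.append("owner uid %d not in allowed set" % st.st_uid)
    if st.st_mode & 0o077:
        mode = stat.S_IMODE(st.st_mode)
        findings.append("mode %04o grants group/other access" % mode)
    return findings

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: the current user stands in for the cephadm user.
        p = os.path.join(d, "ceph.client.admin.keyring")
        write_keyring(p, "CONSTRUCTED-PLACEHOLDER-KEY", os.getuid(), os.getgid())
        print(audit_keyring(p, {0, os.getuid()}))
```

On a real node the allowed set would be root plus the uid of the configured SSH user, and `write_keyring` would need to run as root to give the file to that user.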