+++ /dev/null
- $ ceph-authtool
- ceph-authtool: must specify filename
- usage: ceph-authtool keyringfile [OPTIONS]...
- where the options are:
- -l, --list will list all keys and capabilities present in
- the keyring
- -p, --print-key will print an encoded key for the specified
- entityname. This is suitable for the
- 'mount -o secret=..' argument
- -C, --create-keyring will create a new keyring, overwriting any
- existing keyringfile
- -g, --gen-key will generate a new secret key for the
- specified entityname
- --gen-print-key will generate a new secret key without set it
- to the keyringfile, prints the secret to stdout
- --import-keyring FILE will import the content of a given keyring
- into the keyringfile
- -n NAME, --name NAME specify entityname to operate on
- -u AUID, --set-uid AUID sets the auid (authenticated user id) for the
- specified entityname
- -a BASE64, --add-key BASE64 will add an encoded key to the keyring
- --cap SUBSYSTEM CAPABILITY will set the capability for given subsystem
- --caps CAPSFILE will set all of capabilities associated with a
- given key, for all subsystems
- [1]
-
-# demonstrate that manpage examples fail without config
-# TODO fix the manpage
- $ ceph-authtool --create-keyring --name client.foo --gen-key keyring
- creating keyring
-
-# work around the above
- $ touch ceph.conf
-
-To create a new keyring containing a key for client.foo:
-
- $ ceph-authtool --create-keyring --id foo --gen-key keyring
- creating keyring
-
- $ ceph-authtool --create-keyring --name client.foo --gen-key keyring
- creating keyring
-
-To associate some capabilities with the key (namely, the ability to mount a Ceph filesystem):
-
- $ ceph-authtool -n client.foo --cap mds 'allow' --cap osd 'allow rw pool=data' --cap mon 'allow r' keyring
-
-To display the contents of the keyring:
-
- $ ceph-authtool -l keyring
- [client.foo]
- \\tkey = [a-zA-Z0-9+/]+=* \(esc\) (re)
- \tcaps mds = "allow" (esc)
- \tcaps mon = "allow r" (esc)
- \tcaps osd = "allow rw pool=data" (esc)