From: Travis Nielsen <Travis.Nielsen@Quantum.com>
To: John Spray <jspray@redhat.com>
Cc: Ceph Development <ceph-devel@vger.kernel.org>
Subject: Re: Single MDS cephx key
Date: Wed, 27 Sep 2017 14:49:25 +0000 [thread overview]
Message-ID: <D5F1084A.9B7BC%travis.nielsen@quantum.com> (raw)
In-Reply-To: <CALe9h7cNg-6fq8pQSOzW+SYn0StV0R-NQtt3s5QjxoAjHxY9fg@mail.gmail.com>
Ok that makes sense to maintain the control over the teardown, thanks for
the perspective.
On 9/27/17, 3:01 AM, "John Spray" <jspray@redhat.com> wrote:
>On Wed, Sep 27, 2017 at 12:09 AM, Travis Nielsen
><Travis.Nielsen@quantum.com> wrote:
>> Is it possible to use the same cephx key for all instances of MDS or do
>> they each require their own? Mons require the same keyring so I tried
>> following the same pattern by creating a keyring with "mds.", but the
>>MDS
>> is complaining about not being authorized when it tries to start. Am I
>> missing something or is this not possible for MDS keys? If I create a
>> unique key for each MDS instance it works fine, but it would simplify my
>> scenario if I could use the same key. I'm running on Luminous.
>
>I've never heard of anyone trying to do this.
>
>It's probably not a great idea, because if all MDS daemons are using
>the same key then you lose the ability to simply remove an MDS's key
>to ensure that it can't talk to the system any more. This is useful
>when tearing something down, because it means you're not taking it on
>faith that the daemon is really physically stopped.
>
>John
>
>> The key was generated with this:
>> ceph auth get-or-create-key mds. osd allow * mds allow mon allow profile
>> mds
>>
>>
>>
>> The keyring contents are:
>> [mds.]
>> key = AQD62spZw3zRGhAAkHHVokP3BDf8PEy4+vXGMg==
>>
>>
>> I run the following with that keyring:
>> ceph-mds --foreground --name=mds.mymds -i mymds
>>
>> And I see the error:
>> 2017-09-26 22:55:55.973047 7fb004459200 -1 mds.mds81c2n ERROR: failed to
>> authenticate: (22) Invalid argument
>>
>>
>>
>> Thanks,
>> Travis
>>
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at
>>https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fvger.kern
>>el.org%2Fmajordomo-info.html&data=02%7C01%7CTravis.Nielsen%40quantum.com%
>>7C00d1db42478d48fa8c6508d5058ec254%7C322a135f14fb4d72aede122272134ae0%7C1
>>%7C0%7C636421033061815149&sdata=3Vu79xeZbnb1jwhGE85PACq6qByVE6vUlPjp8pjrv
>>hA%3D&reserved=0
next prev parent reply other threads:[~2017-09-27 14:49 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-26 23:09 Single MDS cephx key Travis Nielsen
2017-09-27 10:01 ` John Spray
2017-09-27 14:49 ` Travis Nielsen [this message]
2017-09-27 16:36 ` Travis Nielsen
2017-09-27 16:45 ` John Spray
2017-09-27 17:01 ` Travis Nielsen
2017-10-02 16:14 ` Xiaoxi Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D5F1084A.9B7BC%travis.nielsen@quantum.com \
--to=travis.nielsen@quantum.com \
--cc=ceph-devel@vger.kernel.org \
--cc=jspray@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.