Diffstat (limited to 'man/cauthtool.8')
-rw-r--r-- | man/cauthtool.8 | 233 |
1 files changed, 157 insertions, 76 deletions
diff --git a/man/cauthtool.8 b/man/cauthtool.8 index a2b4c174de6..3abbba34326 100644 --- a/man/cauthtool.8 +++ b/man/cauthtool.8 
@@ -1,106 +1,187 @@ -.TH CAUTHTOOL 8 +.TH "CAUTHTOOL" "8" "September 09, 2011" "dev" "Ceph" .SH NAME cauthtool \- ceph keyring manipulation tool +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. .SH SYNOPSIS -.B cauthtool -\fIkeyringfile\fP -[ \fB\-l\fR | \fB\-\-list\fR ] -[ \fB\-C\fR | \fB\-\-create-keyring\fR ] -[ \fB\-p\fR | \fB\-\-print\fR ] -[ \fB\-n\fR | \fB\-\-name\fR \fIentityname\fP ] -[ \fB\-\-gen-key\fR ] -[ \fB\-a\fR | \fB\-\-add-key \fIbase64_key\fP ] -[ \fB\-\-caps\fR \fIcapfils\fP ] -[ \fB\-b\fR | \fB\-\-bin\fR ] +.nf +\fBcauthtool\fP \fIkeyringfile\fP [ \-l | \-\-list ] [ \-C | \-\-create\-keyring +] [ \-p | \-\-print ] [ \-n | \-\-name \fIentityname\fP ] [ \-\-gen\-key ] [ \-a | +\-\-add\-key \fIbase64_key\fP ] [ \-\-caps \fIcapfils\fP ] [ \-b | \-\-bin ] +.fi +.sp .SH DESCRIPTION -.B cauthtool -is a utility to create, view, and modify a Ceph keyring file. A keyring -file stores one or more Ceph authentication keys and possibly an -associated capability specification. Each key is associated with an -entity name, of the form \fI{client,mon,mds,osd}.name\fP. +.sp +\fBcauthtool\fP is a utility to create, view, and modify a Ceph keyring +file. A keyring file stores one or more Ceph authentication keys and +possibly an associated capability specification. 
Each key is +associated with an entity name, of the form +\fB{client,mon,mds,osd}.name\fP. .SH OPTIONS +.INDENT 0.0 .TP -\fB\-l\fP, \fB\-\-list\fP +.B \-l, \-\-list will list all keys and capabilities present in the keyring +.UNINDENT +.INDENT 0.0 .TP -\fB\-p\fP, \fB\-\-print\fP -will print an encoded key for the specified \fIentityname\fP. This is suitable for the mount -o secret= argument +.B \-p, \-\-print +will print an encoded key for the specified entityname. This is +suitable for the \fBmount \-o secret=\fP argument +.UNINDENT +.INDENT 0.0 .TP -\fB\-C\fP, \fB\-\-create-keyring\fP -will create a new keyring, overwriting any existing \fIkeyringfile\fP +.B \-C, \-\-create\-keyring +will create a new keyring, overwriting any existing keyringfile +.UNINDENT +.INDENT 0.0 .TP -\fB\-\-gen\-key\fP -will generate a new secret key for the specified \fIentityname\fP +.B \-\-gen\-key +will generate a new secret key for the specified entityname +.UNINDENT +.INDENT 0.0 .TP -\fB\-\-add\-key\fP +.B \-\-add\-key will add an encoded key to the keyring +.UNINDENT +.INDENT 0.0 .TP -\fB\-\-cap\fI subsystem capability \fP +.B \-\-cap subsystem capability will set the capability for given subsystem +.UNINDENT +.INDENT 0.0 .TP -\fB\-\-caps\fI capsfile \fP +.B \-\-caps capsfile will set all of capabilities associated with a given key, for all subsystems +.UNINDENT +.INDENT 0.0 .TP -\fB\-b\fP, \fB\-\-bin\fP +.B \-b, \-\-bin will create a binary formatted keyring - +.UNINDENT .SH CAPABILITIES +.sp +The subsystem is the name of a Ceph subsystem: \fBmon\fP, \fBmds\fP, or +\fBosd\fP. +.sp +The capability is a string describing what the given user is allowed +to do. This takes the form of a comma separated list of allow, deny +clauses with a permission specifier containing one or more of rwx for +read, write, and execute permission. The \fBallow *\fP grants full +superuser permissions for the given subsystem. 
+.sp +For example: +.sp +.nf +.ft C +# can read, write, and execute objects +osd = "allow rwx [pool=foo[,bar]]|[uid=baz[,bay]]" -The \fIsubsystem\fP is the name of a Ceph subsystem: mon, mds, or osd. -.PP -The \fIcapability\fP is a string describing what the given user is -allowed to do. This takes the form of a comma separated list of -allow, deny clauses with a permission specifier containing one or more -of \fIrwx\fP for read, write, and execute permission. The "allow *" grants -full superuser permissions for the given subsystem. -.PP -For example, +# can access mds server +mds = "allow" -.IP -osd = "allow rwx [pool=foo[,bar]]|[uid=baz[,bay]]" # can read, write, and execute objects -.IP -mds = "allow" # can access mds server -.IP -mon = "allow rwx" # can modify cluster state (i.e., is a server daemon) -.PP -A librados user restricted to a single pool might look like -.IP +# can modify cluster state (i.e., is a server daemon) +mon = "allow rwx" +.ft P +.fi +.sp +A librados user restricted to a single pool might look like: +.sp +.nf +.ft C osd = "allow rw pool foo" -.PP -A client mounting the file system with minimal permissions would need caps like -.IP +.ft P +.fi +.sp +A client mounting the file system with minimal permissions would need caps like: +.sp +.nf +.ft C mds = "allow" -.IP + osd = "allow rw pool=data" -.IP -mon = "allow r" -.PP +mon = "allow r" +.ft P +.fi .SH CAPS FILE FORMAT - -The caps file format consists of zero or more key/value pairs, one per line. The key and value are separated by an '=', and the value must be quoted (with ' or ") if it contains any whitespace. The key is the name of the Ceph -subsystem (osd, mds, mon), and the value is the capability string (see above). - +.sp +The caps file format consists of zero or more key/value pairs, one per +line. The key and value are separated by an \fB=\fP, and the value must +be quoted (with \fB\(aq\fP or \fB"\fP) if it contains any whitespace. 
The key +is the name of the Ceph subsystem (\fBosd\fP, \fBmds\fP, \fBmon\fP), and the +value is the capability string (see above). .SH EXAMPLE -To create a new keyring containing a key for \fIclient.foo\fP: -.IP -cauthtool -c -n client.foo --gen-key keyring -.PP -To associate some capabilities with the key (namely, the ability to mount a Ceph filesystem): -.IP -cauthtool -n client.foo --cap mds 'allow' --cap osd 'allow rw pool=data' --cap mon 'allow r' keyring -.PP +.sp +To create a new keyring containing a key for client.foo: +.sp +.nf +.ft C +cauthtool \-c \-n client.foo \-\-gen\-key keyring +.ft P +.fi +.sp +To associate some capabilities with the key (namely, the ability to +mount a Ceph filesystem): +.sp +.nf +.ft C +cauthtool \-n client.foo \-\-cap mds \(aqallow\(aq \-\-cap osd \(aqallow rw pool=data\(aq \-\-cap mon \(aqallow r\(aq keyring +.ft P +.fi +.sp To display the contents of the keyring: -.IP -cauthtool -l keyring -.PP -When mount a Ceph file system, you can grab the appropriately encoded secret key with -.IP -mount -t ceph serverhost:/ mountpoint -o name=foo,secret=`cauthtool -p -n client.foo keyring` -.PP +.sp +.nf +.ft C +cauthtool \-l keyring +.ft P +.fi +.sp +When mount a Ceph file system, you can grab the appropriately encoded secret key with: +.sp +.nf +.ft C +mount \-t ceph serverhost:/ mountpoint \-o name=foo,secret=\(gacauthtool \-p \-n client.foo keyring\(ga +.ft P +.fi .SH AVAILABILITY -.B cauthtool -is part of the Ceph distributed file system. Please refer to the Ceph wiki at -http://ceph.newdream.net/wiki for more information. +.sp +\fBcauthtool\fP is part of the Ceph distributed file system. Please +refer to the Ceph wiki at \fI\%http://ceph.newdream.net/wiki\fP for more +information. .SH SEE ALSO -.BR ceph (8) +.sp +\fBceph\fP(8) +.SH COPYRIGHT +2011, New Dream Network +.\" Generated by docutils manpage writer. +.\" +. |
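Review bot: The first command in the EXAMPLE section uses -c ("cauthtool -c -n client.foo --gen-key keyring"), but OPTIONS documents only "-C, --create-keyring" for creating a keyring. Change the example to -C or --create-keyring so it matches the documented flag. Since OPTIONS says this option overwrites any existing keyringfile, repeat that next to the example. CAPABILITIES also writes the pool restriction three different ways: "pool=foo[,bar]" in the grammar line, "allow rw pool foo" in the librados example, and "allow rw pool=data" in the mount example. Settle on the form the parser accepts, because a reader who copies the wrong one may not get the single-pool restriction they intended. SYNOPSIS still carries the "capfils" typo where OPTIONS says "capsfile", and it omits "--cap subsystem capability" even though OPTIONS and EXAMPLE both use it. The final mount example passes the key through "secret=" by command substitution, which places the key in the mount command's arguments. A sentence noting that exposure would help readers. "When mount a Ceph file system" should read "When mounting".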