Comments (8)
Update: look for the mon store metadata values and update it using the python script,
but we need to figure out how to authorize specific to k8s cluster.
from rook.
> So the new design will look like:
> Installation:
> - Run the python script in the RHCS cluster as usual
>   -> It will update the ceph config/mon store with the JSON data
>   -> Secondly it will create the connection key which has the information about the ceph user and mon endpoints

I like this idea, it just requires a Ceph change to allow certain mon store data to be granted access for a specific keyring.

> - User has to add the connection key to the cephcluster CR
>   -> Once the key is added it will create the specific resources based on the values of the ceph mon store

We don't want the key in the CR. Instead, the key should be directly stored in the rook-ceph-mon secret, in the values ceph-secret and ceph-username.

> - Cluster will be connected

After Rook connects, it would need to load the JSON and apply it from Ceph and to the consumer cluster, right?

> Update:
> - The user just has to run the Python script in the RHCS cluster; it will auto-update the mon store and the resources

So Rook would need to check for changes to the mon store setting and apply any updates when the JSON changes?
from rook.
> After Rook connects, it would need to load the JSON and apply it from Ceph and to the consumer cluster, right?

Yes, the cluster will watch for mon-config updates and will create the resources, somewhat like #14076

> So Rook would need to check for changes to the mon store setting and apply any updates when the JSON changes?

Exactly, it would watch for the changes in it.
from rook.
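The change-driven flow discussed in this exchange (watch the mon store, reapply only when the stored JSON actually changes, and never apply a payload that fails validation) as an added Python example. This is not Rook's code and not the external-cluster script being discussed: the JSON key names, the validation rules, and the way the payload reaches the loop (a constructed string standing in for a `ceph config get` read) are all assumptions made for illustration.

```python
import hashlib
import json

# Constructed stand-in for the JSON the external-cluster script would store in
# the mon store. The key names are an assumption, not Rook's real schema; the
# secret value is a placeholder, not a real Ceph key.
SAMPLE_MON_STORE_JSON = json.dumps({
    "ceph-username": "client.healthchecker",
    "ceph-secret": "AQD-constructed-placeholder-not-a-real-key",
    "mon-endpoints": ["10.0.0.11:6789", "10.0.0.12:6789", "10.0.0.13:6789"],
})

REQUIRED_FIELDS = ("ceph-username", "ceph-secret", "mon-endpoints")


def validate_payload(raw: str) -> dict:
    """Parse the mon-store value and reject anything that would turn into
    unusable or unexpected Kubernetes resources. The mon store is an input
    boundary here, so the checks run before anything is applied."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"mon store value is not JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("mon store value must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    user = data["ceph-username"]
    if not isinstance(user, str) or not user.startswith("client."):
        raise ValueError("ceph-username must name a client.* entity")
    mons = data["mon-endpoints"]
    if not isinstance(mons, list) or not mons or not all(isinstance(m, str) for m in mons):
        raise ValueError("mon-endpoints must be a non-empty list of strings")
    return data


def fingerprint(data: dict) -> str:
    """Hash a canonical encoding so whitespace or key-order changes in the
    stored JSON do not trigger a needless reapply."""
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def render_resources(data: dict) -> dict:
    """Translate the validated payload into what Rook would write on the
    consumer cluster: the rook-ceph-mon Secret values and the mon endpoints
    (the Secret field names come from the discussion above, the rest is assumed)."""
    return {
        "secret/rook-ceph-mon": {
            "ceph-username": data["ceph-username"],
            "ceph-secret": data["ceph-secret"],
        },
        "mon-endpoints": sorted(data["mon-endpoints"]),
    }


class MonStoreReconciler:
    """State for a minimal watch loop: apply only when the stored JSON changed."""

    def __init__(self):
        self.last_fingerprint = None
        self.applied = None

    def reconcile(self, raw: str) -> bool:
        """Return True when resources were (re)applied, False when unchanged.
        Raises ValueError on a bad payload, leaving the last good state in place."""
        data = validate_payload(raw)
        fp = fingerprint(data)
        if fp == self.last_fingerprint:
            return False
        self.applied = render_resources(data)
        self.last_fingerprint = fp
        return True


if __name__ == "__main__":
    r = MonStoreReconciler()
    print("first pass applied:", r.reconcile(SAMPLE_MON_STORE_JSON))
    print("second pass applied:", r.reconcile(SAMPLE_MON_STORE_JSON))
    print("resources:", json.dumps(r.applied, indent=2))
```

In a real operator the `raw` string would come from the mon store (the thread's `ceph config get <who> <key>` shape) on each watch tick; the fingerprint check keeps an unchanged value from churning Secrets, and validation failing before `render_resources` means a malformed or partially written value cannot replace a working rook-ceph-mon Secret.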
> I like this idea, it just requires a Ceph change to allow certain mon store data to be granted access for a specific keyring.

For the ceph side changes I am thinking of a design:
The ceph config should have user authentication based on the user keys.
Currently, it looks like:

```
sh-4.4$ ceph config dump
WHO    MASK  LEVEL     OPTION                               VALUE  RO
global       advanced  bdev_flock_retry                     20
global       advanced  bluefs_buffered_io                   false
global       basic     log_to_file                          false
global       advanced  mon_allow_pool_delete                true
global       advanced  mon_allow_pool_size_one              true
global       advanced  mon_cluster_log_file
global       advanced  mon_data_avail_warn                  10
global       advanced  mon_warn_on_pool_no_redundancy       false
global       advanced  osd_pool_default_size                1
mon          advanced  auth_allow_insecure_global_id_reclaim  false
mon          advanced  rgw_zone                             11     *
```

I believe the RO field can be used as permissions.
So,
- The set command currently is
  config set <who> <name> <value> [--force]   Set a configuration option for one or more entities
  It should be updated like
  config set <who> <whoKey> <name> <value> [--force]
- And secondly the get command looks like
  config get <who> [<key>]   Show configuration option(s) for an entity
  I think the current key is optional, which can be marked as a non-optional field.
- And ceph config dump should also be updated to ceph osd dump key, and it should expect an admin key for authentication.
from rook.
Let's open a Ceph tracker with the feature request, and just summarize the requirement there. We won't gain much in trying to design it here, since the Ceph team would own the design. The feature request is just to have some mon store settings that are only available depending on the keyring.
from rook.
Added a ceph tracker https://tracker.ceph.com/issues/65583
from rook.
Offline discussion:
We had 2 new proposals for this feature:
- Add the information of the JSON external data on a radosnamespace or a cephblockpool, and specific users can only access those details.
- Secondly, integrating these details with the mgr module and running a separate daemon.
from rook.