2024/12/29 0:19:10 Source: https://blog.csdn.net/qq_73797346/article/details/144148052

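Overview of user permissions

User format

Reference links:

Capabilities: https://docs.ceph.com/en/latest/rados/operations/user-management/#authorization-capabilities
Users: https://docs.ceph.com/en/reef/rados/operations/user-management/

A Ceph user name has the form TYPEID.USERID

  • TYPEID is also called the user type. There are 2 user types: built-in component users (mon, mds, rgw, osd, mgr) and ordinary users (client)

  • USERID is the user name, and it can be a number.

    • For example, disk 0 of the OSDs is osd.0
    • It can also be a string, for example the administrator user is client.admin
    • The USERID can be chosen freely, for example client.wzy, client.wenzhiyong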

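User permissions

Every user can be granted permissions, which are attached to it through the caps field. A grant has the form: allow PERMISSION

  • r: read permission

  • w: write permission

  • x: execute permission; the user can call methods (which may themselves read or write) and can also run mon commands such as the auth commands

  • *: all of rwx and the other permissions

  • profile osd: can obtain OSD status information

  • profile mds: can obtain MDS status information

For example, the permissions of Ceph system components appear in the keyring file:

[root@ceph141~]# cat /etc/ceph/ceph.client.admin.keyring
[client.admin]
    key = AQAlsChnHubLJRAAH2s3vhyGrxgba8anloPDtg==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow *"
    caps osd = "allow *"

View the administrator's permissions

[root@ceph141~]# ceph auth get client.admin
[client.admin]
    key = AQAlsChnHubLJRAAH2s3vhyGrxgba8anloPDtg==
    caps mds = "allow *"
    caps mgr = "allow *"
    caps mon = "allow *"
    caps osd = "allow *"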

List the other users' permissions; note that the OSDs also count as users

[root@ceph141~]# ceph auth list
osd.0
    key: AQAJ1Chn4kJoMxAAO/sYaCTyTyJE6TSclIxKsA==
    caps: [mgr] allow profile osd
    caps: [mon] allow profile osd
    caps: [osd] allow *
osd.1
    key: AQA21ChniKrACRAANYkBLMXK5BThtHgTrNVqNw==
    caps: [mgr] allow profile osd
    caps: [mon] allow profile osd
    caps: [osd] allow *
...
client.admin
    key: AQAlsChnHubLJRAAH2s3vhyGrxgba8anloPDtg==
    caps: [mds] allow *
    caps: [mgr] allow *
    caps: [mon] allow *
    caps: [osd] allow *
client.bootstrap-mds
    key: AQAnsChncF9lOxAAGmqKpDlaOTzxCAX20uo6EA==
    caps: [mon] allow profile bootstrap-mds
client.bootstrap-mgr
    key: AQAnsChnx2VlOxAABgp0KiClbDnraMQ6ZGEpBQ==
    caps: [mon] allow profile bootstrap-mgr
client.bootstrap-osd
    key: AQAnsChnxGtlOxAAkCnj4ZlBhzIpr4vk6pcUdA==
    caps: [mon] allow profile bootstrap-osd
client.bootstrap-rbd
    key: AQAnsChnjnFlOxAAQUXJdflbTiKjW/ZbKGgE1w==
    caps: [mon] allow profile bootstrap-rbd
client.bootstrap-rbd-mirror
    key: AQAnsChni3dlOxAAb6TImPKkGrR1baZO8AdYGg==
    caps: [mon] allow profile bootstrap-rbd-mirror
client.bootstrap-rgw
    key: AQAnsChnm39lOxAAy6Qs5u3d5YidcT6cWaOH6A==
    caps: [mon] allow profile bootstrap-rgw
client.ceph-exporter.ceph141
    key: AQBgsChn0hbwGxAA6y6Op/+2zPirhwH4UqV5UQ==
    caps: [mgr] allow r
    caps: [mon] allow r
    caps: [osd] allow r
client.ceph-exporter.ceph142
    key: AQBMzyhnBYIxOxAAF4seBajmPKYWmzuM6XKqqQ==
    caps: [mgr] allow r
    caps: [mon] allow r
    caps: [osd] allow r
client.ceph-exporter.ceph143
    key: AQBjzyhnUbSSGRAAtt4r+evuoNE+ciwx/ymv1A==
    caps: [mgr] allow r
    caps: [mon] allow r
    caps: [osd] allow r
client.crash.ceph141
    key: AQBhsChngfrUIRAA2TjOYgDQQ4NENaU7p3EwHw==
    caps: [mgr] profile crash
    caps: [mon] profile crash
client.crash.ceph142
    key: AQBPzyhnKwm4ExAAZ/0a6FVAWJFjSbRozum/PA==
    caps: [mgr] profile crash
    caps: [mon] profile crash
client.crash.ceph143
    key: AQBlzyhn9+GPNBAA3NZddZGiXoyLrf9J9M7wQw==
    caps: [mgr] profile crash
    caps: [mon] profile crash
mgr.ceph141.yvswvf
    key: AQAlsChnJpeKMhAAsiyirSCpqTIgh3mB7o4V7g==
    caps: [mds] allow *
    caps: [mon] profile mgr
    caps: [osd] allow *
mgr.ceph142.gtcikx
    key: AQBRzyhnal2kLhAA4DvZbY7TiWIxWSg1Tw3ZQw==
    caps: [mds] allow *
    caps: [mon] profile mgr
    caps: [osd] allow *

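Three ways to create a custom ordinary user

Reference link for creating users: https://docs.ceph.com/en/nautilus/rados/operations/user-management/#add-a-user

1 Create directly

[root@ceph141~]# ceph auth add client.wzy666 mon 'allow r' osd 'allow * pool=zhiyong18-rbd'
added key for client.wzy666

client.wzy666: the client name, that is, the client being granted permissions.

mon 'allow r': grants this client read permission (r) on the monitors, so the client can view the cluster status, query information, and so on.

osd 'allow * pool=zhiyong18-rbd': grants this client all permissions on the pool named zhiyong18-rbd on the OSDs (object storage devices). allow * permits every operation (such as reads and writes), but only on the specific pool zhiyong18-rbd.

Verify the permissions of user wzy666

[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
    key = AQB+KypnuKsqDhAA1VYxg0qKjp4G3Lr+CUebHA==
    caps mon = "allow r"
    caps osd = "allow * pool=zhiyong18-rbd"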

2 Look up, and create if it does not exist

1. Check whether the user exists

[root@ceph141~]# ceph auth get client.wenzhiyong
Error ENOENT: failed to find client.wenzhiyong in keyring

2. If the user does not exist, create it

[root@ceph141~]# ceph auth get-or-create client.wenzhiyong mon 'allow r' osd 'allow rwx'
[client.wenzhiyong]
    key = AQBgLypnfvLQBxAApSe9WoyC5ys1mySFPzjTfw==

3. View the user information again

[root@ceph141~]# ceph auth get client.wenzhiyong
[client.wenzhiyong]
    key = AQBgLypnfvLQBxAApSe9WoyC5ys1mySFPzjTfw==
    caps mon = "allow r"
    caps osd = "allow rwx"

4. If the user already exists, creating it again reports an error

[root@ceph141~]# ceph auth get-or-create client.wenzhiyong mon 'allow r' osd 'allow *'
Error EINVAL: key for client.wenzhiyong exists but cap osd does not match

5. If the user exists and the capabilities match, the KEY is printed

[root@ceph141~]# ceph auth get-or-create client.wenzhiyong mon 'allow r' osd 'allow rwx'
[client.wenzhiyong]
    key = AQBgLypnfvLQBxAApSe9WoyC5ys1mySFPzjTfw==

6. View the final permissions

[root@ceph141~]# ceph auth get client.wenzhiyong
[client.wenzhiyong]
    key = AQBgLypnfvLQBxAApSe9WoyC5ys1mySFPzjTfw==
    caps mon = "allow r"
    caps osd = "allow rwx"

3 Look up, and create if missing, returning only the KEY

1. Confirm that user k8s does not exist

[root@ceph141~]# ceph auth get client.k8s
Error ENOENT: failed to find client.k8s in keyring

2. Create the user and return the KEY

ceph auth get-or-create-key client.k8s mon 'allow r' osd 'allow rwx'

View the user information again

[root@ceph141~]# ceph auth get client.k8s
[client.k8s]
    key = AQCfMCpnrHrtJBAAoLnVptDFXrhIzZKWIp16nw==
    caps mon = "allow r"
    caps osd = "allow rwx"

3. If the user exists but the capabilities do not match, an error is reported

[root@ceph141~]# ceph auth get-or-create-key client.k8s mon 'allow r' osd 'allow *'
Error EINVAL: key for client.k8s exists but cap osd does not match

If the user exists and the capabilities match, the KEY is printed

[root@ceph141~]# ceph auth get-or-create-key client.k8s mon 'allow r' osd 'allow rwx'
AQCfMCpnrHrtJBAAoLnVptDFXrhIzZKWIp16nw==

ceph auth print-key prints the KEY of an existing user: if the user does not exist it reports an error, and if the user exists it prints that user's KEY

[root@ceph141~]# ceph auth print-key client.wzy666 | more
AQB+KypnuKsqDhAA1VYxg0qKjp4G3Lr+CUebHA==
[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
    key = AQB+KypnuKsqDhAA1VYxg0qKjp4G3Lr+CUebHA==
    caps mon = "allow r"
    caps osd = "allow * pool=zhiyong18-rbd"

Modifying user permissions

Reference link for modifying permissions: https://docs.ceph.com/en/nautilus/rados/operations/user-management/#modify-user-capabilities

1. View the permissions, then modify them

[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
    key = AQB+KypnuKsqDhAA1VYxg0qKjp4G3Lr+CUebHA==
    caps mon = "allow r"
    caps osd = "allow * pool=zhiyong18-rbd"
[root@ceph141~]# ceph auth caps client.wzy666 mon 'allow rx' osd 'allow r pool=wenzhiyong18-rbd'
updated caps for client.wzy666

2. View the auth entry after the change

[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
    key = AQB+KypnuKsqDhAA1VYxg0qKjp4G3Lr+CUebHA==
    caps mon = "allow rx"
    caps osd = "allow r pool=wenzhiyong18-rbd"

Deleting a user

Reference link for deleting users: https://docs.ceph.com/en/nautilus/rados/operations/user-management/#delete-a-user

1. Delete user wzy666 directly

[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
    key = AQB+KypnuKsqDhAA1VYxg0qKjp4G3Lr+CUebHA==
    caps mon = "allow rx"
    caps osd = "allow r pool=wenzhiyong18-rbd"
[root@ceph141~]# ceph auth del client.wzy666

Backing up and restoring Ceph users

Backing up user data

Reference links:

https://docs.ceph.com/en/nautilus/rados/operations/user-management/#get-a-user
https://docs.ceph.com/en/nautilus/rados/operations/user-management/#import-a-user-s

1. Create a test user

[root@ceph141~]# ceph auth add client.wzy666 mon 'allow r' osd 'allow * pool=zhiyong18-rbd'
added key for client.wzy666
[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
    key = AQB2NipneGZcCBAAqL6zGHCpU2uwM15R05uHzQ==
    caps mon = "allow r"
    caps osd = "allow * pool=zhiyong18-rbd"

2. Export the user to a file to simulate a backup. This step only creates the file; nothing is written to it

[root@ceph141~]# ceph-authtool --create-keyring ceph.client.wzy666.keyring
creating ceph.client.wzy666.keyring
[root@ceph141~]# ls
ceph.client.wzy666.keyring
[root@ceph141~]# cat ceph.client.wzy666.keyring 
[root@ceph141~]# 

3. Export the content to the specified file

[root@ceph141~]# ceph auth get client.wzy666 -o ceph.client.wzy666.keyring

4. View the file content

[root@ceph141~]# cat ceph.client.wzy666.keyring 
[client.wzy666]
    key = AQB2NipneGZcCBAAqL6zGHCpU2uwM15R05uHzQ==
    caps mon = "allow r"
    caps osd = "allow * pool=zhiyong18-rbd"

Summary: it is simpler to run ceph auth get client.wzy666 > ceph.client.wzy666.keyring

Importing user data

1. Delete the user

ceph auth del client.wzy666

2. Import the user from the file

[root@ceph141~]# ceph auth import -i ceph.client.wzy666.keyring 

3. Verify that the user information is intact

[root@ceph141~]# ceph auth get client.wzy666
[client.wzy666]
    key = AQB2NipneGZcCBAAqL6zGHCpU2uwM15R05uHzQ==
    caps mon = "allow r"
    caps osd = "allow * pool=zhiyong18-rbd"

Exporting a keyring file and verifying user permissions

1. On node ceph141, create an ordinary user and save it to a file

[root@ceph141~]# ceph auth get-or-create client.k3s mon 'allow r' osd 'allow * pool=zhiyong18-rdb'
[client.k3s]
    key = AQCzRSpn1SShChAAPmJUYIvCKsuAH47HDNWD0A==
[root@ceph141~]# ceph auth export client.k3s -o ceph.client.k3s.keyring
[root@ceph141~]# cat ceph.client.k3s.keyring
[client.k3s]
    key = AQCzRSpn1SShChAAPmJUYIvCKsuAH47HDNWD0A==
    caps mon = "allow r"
    caps osd = "allow * pool=zhiyong18-rdb"

2. On node ceph142, delete the original administrator keyring file; accessing the cluster then fails

[root@ceph142~]# rm -f  /etc/ceph/ceph.client.admin.keyring
[root@ceph142~]# ceph -s
2024-11-05T23:38:38.932+0800 7f7fe4d69640 -1 auth: unable to find a keyring on /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin: (2) No such file or directory
2024-11-05T23:38:38.932+0800 7f7fe4d69640 -1 AuthRegistry(0x7f7fe00672a0) no keyring found at /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin, disabling cephx
2024-11-05T23:38:38.936+0800 7f7fe4d69640 -1 auth: unable to find a keyring on /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin: (2) No such file or directory
2024-11-05T23:38:38.936+0800 7f7fe4d69640 -1 AuthRegistry(0x7f7fe4d67f60) no keyring found at /etc/ceph/ceph.client.admin.keyring,/etc/ceph/ceph.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin, disabling cephx
2024-11-05T23:38:38.936+0800 7f7fde59c640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [1]
2024-11-05T23:38:38.936+0800 7f7fded9d640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [1]
2024-11-05T23:38:38.936+0800 7f7fddd9b640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [1]
2024-11-05T23:38:38.936+0800 7f7fe4d69640 -1 monclient: authenticate NOTE: no keyring found; disabled cephx authentication
[errno 13] RADOS permission denied (error connecting to the cluster)

3. The server copies the keyring file to the client

[root@ceph141~]# scp ceph.client.k3s.keyring ceph142:/etc/ceph/

4. Verify permissions on the client

[root@ceph142~]# ceph -s --user k3s
  cluster:
    id:     12fad866-9aa0-11ef-8656-6516a17ad6dd
    health: HEALTH_WARN
...
[root@ceph142~]# cat /etc/ceph/ceph.client.k3s.keyring
[client.k3s]
    key = AQCzRSpn1SShChAAPmJUYIvCKsuAH47HDNWD0A==
    caps mon = "allow r"
    caps osd = "allow * pool=zhiyong18-rdb"
[root@ceph142~]# ceph --user k3s auth get client.k3s
Error EACCES: access denied

This is because the user does not yet have execute permission for user-related operations and so cannot call the corresponding functions. Adding it later fixes this

5. On the server, change the permissions of user k3s

[root@ceph141~]# ceph auth caps client.k3s mon 'allow rx' 
updated caps for client.k3

6. Verify permissions on the client again. The client can now view the user information, yet /etc/ceph/ceph.client.k3s.keyring has not changed at all. In other words, the caps fields in the local keyring file have no effect; the cluster verifies access based on the KEY!

[root@ceph142~]# ceph --user k3s auth get client.k3s
[client.k3s]
    key = AQCzRSpn1SShChAAPmJUYIvCKsuAH47HDNWD0A==
    caps mon = "allow rx"
[root@ceph142~]# cat /etc/ceph/ceph.client.k3s.keyring 
[client.k3s]
    key = AQCzRSpn1SShChAAPmJUYIvCKsuAH47HDNWD0A==
    caps mon = "allow r"
    caps osd = "allow * pool=zhiyong18-rdb"

7. Check the k3s user's permissions further: it can list the pools

[root@ceph142~]# ceph --user k3s osd pool ls
.mgr
zhiyong-rbd
zhiyong18-rbd
zhiyong

But it has no permission to access the images in the pools (step 5 set only the mon capability, and ceph auth caps replaces the whole capability set, so the osd capability is gone, as the output in step 8 shows)

[root@ceph142~]# rbd --id k3s -p zhiyong ls -l
2024-11-05T23:47:24.820+0800 7f8de091de00 -1 librbd::api::Image: list_images: error listing v1 images: (1) Operation not permitted
rbd: listing images failed: (1) Operation not permitted
[root@ceph142~]# rbd --id k3s -p zhiyong18-rbd ls -l
2024-11-05T23:48:00.588+0800 7f38f923ce00 -1 librbd::api::Image: list_images: error listing v1 images: (1) Operation not permitted
rbd: listing images failed: (1) Operation not permitted

8. On the server, change the permissions again

[root@ceph141~]# ceph auth get client.k3s
[client.k3s]
    key = AQCzRSpn1SShChAAPmJUYIvCKsuAH47HDNWD0A==
    caps mon = "allow rx"
[root@ceph141~]# ceph auth caps client.k3s  mon 'allow *'  osd 'allow *'
updated caps for client.k3s

9. Verify permissions on the client again

[root@ceph142~]# rbd --id k3s -p zhiyong18-rbd ls -l
NAME        SIZE   PARENT  FMT  PROT  LOCK
mysqld      5 GiB            2            
rbd-snap    2 GiB            2            
wordpress   2 GiB            2            
zhiyong     5 GiB            2            
zhiyong@v1  5 GiB            2            
zhiyong@v2  5 GiB            2            
zhiyong@v3  5 GiB            2            
zhiyong@v4  5 GiB            2            
zhiyong@v5  5 GiB            2            
zhiyong@v6  5 GiB            2
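
The grant in step 8 gives client.k3s allow * on mon and osd for the whole cluster, whereas the users created earlier were scoped with pool=. As an added example (not from the original post), the Python below parses text in the `ceph auth list` layout, using the caps format from the permissions section, and reports client users holding such cluster-wide grants. The sample listing, the placeholder keys and the flagging policy are assumptions of this example.

```python
import re
# Constructed sample in the layout printed by `ceph auth list`. Keys are
# placeholders; entity names and caps reuse ones shown on this page.
SAMPLE = """\
osd.0
    key: PLACEHOLDER
    caps: [osd] allow *
client.admin
    key: PLACEHOLDER
    caps: [mon] allow *
client.wzy666
    key: PLACEHOLDER
    caps: [osd] allow * pool=zhiyong18-rbd
client.wenzhiyong
    key: PLACEHOLDER
    caps: [osd] allow rwx
client.k3s
    key: PLACEHOLDER
    caps: [mon] allow *
    caps: [osd] allow *
"""
CAP = re.compile(r"^\s+caps:\s+\[(\w+)\]\s+(.+)$")

def parse_auth_list(text):
    """Return {entity: {service: capability string}}."""
    users, caps = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line starts a new entity
            caps = users.setdefault(line.strip(), {})
        elif caps is not None and (m := CAP.match(line)):
            caps[m.group(1)] = m.group(2).strip()
    return users

def broad_grants(users, known_admins=("client.admin",)):
    """Return (entity, service, grant) for client users with cluster-wide access.
    Assumed policy: '*' anywhere, or write on osd, must be an osd grant with pool=."""
    found = []
    for entity, caps in users.items():
        if not entity.startswith("client.") or entity in known_admins:
            continue                            # daemons and expected admins are skipped
        for service, capstr in caps.items():
            for grant in (g.split() for g in capstr.split(",")):
                if len(grant) < 2 or grant[0] != "allow" or grant[1] == "profile":
                    continue                    # profile grants are not judged here
                scoped = service == "osd" and any(w.startswith("pool=") for w in grant)
                wide = "*" in grant[1] or (service == "osd" and "w" in grant[1])
                if wide and not scoped:
                    found.append((entity, service, " ".join(grant)))
    return found
```

On a live cluster the same functions can be fed the saved output of ceph auth list instead of SAMPLE.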

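Summary of user authorization

1. When a user is specified with "--user k3s", the following files are searched by default, and an error is reported if none is found:

  • /etc/ceph/ceph.client.k3s.keyring
  • /etc/ceph/ceph.keyring
  • /etc/ceph/keyring
  • /etc/ceph/keyring.bin

2. When the "--user" option is not given, it can be understood as defaulting to "--user admin":

  • /etc/ceph/ceph.client.admin.keyring
  • /etc/ceph/ceph.keyring
  • /etc/ceph/keyring
  • /etc/ceph/keyring.bin

3. A keyring file cannot be named arbitrarily; it must follow the naming convention in the two points above, otherwise Ceph does not recognize the user's keyring file

4. When connecting to the Ceph cluster, the client only needs to read the KEY value from the keyring file; the caps fields are ignored. In other words, a file that keeps only the key value is still valid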
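
An added example, not from the original post: the lookup order from points 1 to 3 written as Python, with a helper that installs only the key from an exported keyring (point 4) under the expected file name with mode 0600, and a resolver that reports a keyring other local users can read. The function names, the constructed export and the permission check are assumptions of this example.

```python
import os
import re
import stat

def keyring_candidates(user="admin", root="/etc/ceph", cluster="ceph"):
    """Search order from the summary above; the cluster name "ceph" is assumed."""
    names = (f"{cluster}.client.{user}.keyring", f"{cluster}.keyring",
             "keyring", "keyring.bin")
    return [os.path.join(root, n) for n in names]

def resolve_keyring(user="admin", root="/etc/ceph"):
    """Return (path, warnings) for the first candidate that exists."""
    candidates = keyring_candidates(user, root)
    for path in candidates:
        if not os.path.isfile(path):
            continue
        warnings = []
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            warnings.append(f"mode {mode:04o}: key readable by group or others")
        if path != candidates[0]:
            warnings.append(f"fell back to shared file, not {candidates[0]}")
        return path, warnings
    return None, ["no keyring in: " + ", ".join(candidates)]

def install_key_only(exported, user, root="/etc/ceph"):
    """Write only the key of an exported keyring, mode 0600. The caps lines are
    dropped because the cluster, not this file, decides what the key may do."""
    m = re.search(r"^\s*key\s*=\s*(\S+)\s*$", exported, re.M)
    if m is None:
        raise ValueError("exported keyring has no key line")
    path = keyring_candidates(user, root)[0]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"[client.{user}]\n\tkey = {m.group(1)}\n")
    os.chmod(path, 0o600)  # also tightens a file that already existed
    return path

# Constructed export; the key is a placeholder, not a real secret.
EXPORTED = '[client.k3s]\n\tkey = PLACEHOLDERKEY==\n\tcaps mon = "allow r"\n'
```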

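cephx authentication

01 Overview of cephx authentication

Reference links:

https://docs.ceph.com/en/nautilus/rados/configuration/auth-config-ref/
https://docs.ceph.com/en/nautilus/rados/operations/operating/
https://docs.ceph.com/en/nautilus/architecture/#high-availability-authentication

  • To identify users and protect against man-in-the-middle attacks, Ceph provides the cephx authentication system to authenticate users and daemons. Note, however, that the cephx protocol does not address encryption of data in transit (for example SSL/TLS) or encryption at rest

  • Disabling cephx authentication is not recommended, because without authentication any node can operate on the cluster directly, unless the internal network environment is relatively secure

02 cephx parameters

  • auth_cluster_required
    • If enabled, the Ceph storage cluster daemons (that is, ceph-mon, ceph-osd, ceph-mds and ceph-mgr) must authenticate with each other
    • Valid settings are cephx or none; the default is cephx
  • auth_service_required
    • If enabled, the Ceph storage cluster daemons require Ceph clients to authenticate with the Ceph storage cluster in order to access Ceph services
    • Valid settings are cephx or none; the default is cephx
  • auth_client_required
    • If enabled, the Ceph client requires the Ceph storage cluster to authenticate with the Ceph client
    • Valid settings are cephx or none; the default is cephx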

03 Enabling and disabling cephx

1. Find the container of the mon component

[root@ceph141~]# docker ps -a | grep mon
aa345967806c   quay.io/ceph/ceph:v18                     "/usr/bin/ceph-mon -…"

2. Enter the container and edit /etc/ceph/ceph.conf; the cluster must be restarted after the change. Authentication enabled: add the following parameters

auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx

Authentication disabled: with vim /etc/ceph/ceph.conf, change the parameters to the following

auth_cluster_required = none
auth_service_required = none
auth_client_required = none
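
An added example, not from the original post: a Python check that reads ceph.conf text and reports every auth_*_required option that permits none, so a cluster left in the disabled state shown above is caught in a configuration review. Both configuration fragments are constructed; the second writes the option names with spaces and dashes, which Ceph accepts in place of underscores in configuration files.

```python
import configparser
import re

AUTH_KEYS = ("auth_cluster_required", "auth_service_required", "auth_client_required")

# Constructed ceph.conf fragments (the fsid is a placeholder).
ENABLED = """[global]
fsid = 00000000-0000-0000-0000-000000000000
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
"""
DISABLED = """[global]
auth cluster required = none
auth service required = none
[client]
auth-client-required = none   ; constructed inline comment
"""

def normalise(name):
    """Map 'auth cluster required' and 'auth-cluster-required' to one spelling."""
    return re.sub(r"[\s\-]+", "_", name.strip().lower())

def cephx_disabled(conf_text):
    """Return [(section, option, value)] for each auth_*_required that allows 'none'.
    An option that is absent keeps its default, cephx, and is not reported."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",),
                                   inline_comment_prefixes=("#", ";"))
    cp.optionxform = normalise          # applied to every option name as it is read
    cp.read_string(conf_text)
    hits = []
    for section in cp.sections():
        for key in AUTH_KEYS:
            value = cp.get(section, key, fallback=None)
            # the value may be a list such as "cephx, none"; any 'none' is reported
            if value is not None and "none" in re.split(r"[,\s]+", value.lower()):
                hits.append((section, key, value))
    return hits
```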