Applies to SUSE Enterprise Storage 6

14 Managing Users and Roles on the Command Line

This section describes how to manage user accounts used by the Ceph Dashboard. It helps you create or modify user accounts, as well as set proper user roles and permissions.

14.1 User Accounts

The Ceph Dashboard supports managing multiple user accounts. Each user account consists of a user name, a password (stored as a bcrypt hash), an optional name, and an optional e-mail address.

User accounts are stored in Ceph Monitor’s configuration database and are globally shared across all Ceph Manager instances.

Use the following commands to manage user accounts:

Show existing users:
cephadm@adm > ceph dashboard ac-user-show [USERNAME]
Create a new user:
cephadm@adm > ceph dashboard ac-user-create USERNAME [PASSWORD] [ROLENAME] [NAME] [EMAIL]
Delete a user:
cephadm@adm > ceph dashboard ac-user-delete USERNAME
Change a user's password:
cephadm@adm > ceph dashboard ac-user-set-password USERNAME PASSWORD
Modify a user's name and email:
cephadm@adm > ceph dashboard ac-user-set-info USERNAME NAME EMAIL

14.2 User Roles and Permissions

This section describes which security scopes you can assign to a user role, how to manage user roles, and how to assign them to user accounts.

14.2.1 Security Scopes

User accounts are associated with a set of roles that define which parts of the dashboard can be accessed by the user. The dashboard parts are grouped within a security scope. Security scopes are predefined and static. The following security scopes are currently available:

hosts

Includes all features related to the Hosts menu entry.

config-opt

Includes all features related to the management of Ceph configuration options.

pool

Includes all features related to pool management.

osd

Includes all features related to the Ceph OSD management.

monitor

Includes all features related to the Ceph Monitor management.

rbd-image

Includes all features related to the RADOS Block Device image management.

rbd-mirroring

Includes all features related to the RADOS Block Device mirroring management.

iscsi

Includes all features related to iSCSI management.

rgw

Includes all features related to the Object Gateway management.

cephfs

Includes all features related to CephFS management.

manager

Includes all features related to the Ceph Manager management.

log

Includes all features related to Ceph logs management.

grafana

Includes all features related to the Grafana proxy.

dashboard-settings

Allows changing dashboard settings.

14.2.2 User Roles

A role specifies a set of mappings between a security scope and a set of permissions. There are four types of permissions: 'read', 'create', 'update', and 'delete'.

The following example specifies a role where a user has 'read' and 'create' permissions for features related to pool management, and has full permissions for features related to RBD image management:

{
  'role': 'my_new_role',
  'description': 'My new role',
  'scopes_permissions': {
    'pool': ['read', 'create'],
    'rbd-image': ['read', 'create', 'update', 'delete']
  }
}

The dashboard already provides a set of predefined roles that we call system roles. You can instantly use them after a fresh Ceph Dashboard installation:

administrator

Provides full permissions for all security scopes.

read-only

Provides read permission for all security scopes except the dashboard settings.

block-manager

Provides full permissions for 'rbd-image', 'rbd-mirroring', and 'iscsi' scopes.

rgw-manager

Provides full permissions for the 'rgw' scope.

cluster-manager

Provides full permissions for the 'hosts', 'osd', 'monitor', 'manager', and 'config-opt' scopes.

pool-manager

Provides full permissions for the 'pool' scope.

cephfs-manager

Provides full permissions for the 'cephfs' scope.

14.2.2.1 Managing Custom Roles

You can create new user roles by using the following commands:

Create a new role:
cephadm@adm > ceph dashboard ac-role-create ROLENAME [DESCRIPTION]
Delete a role:
cephadm@adm > ceph dashboard ac-role-delete ROLENAME
Add scope permissions to a role:
cephadm@adm > ceph dashboard ac-role-add-scope-perms ROLENAME SCOPENAME PERMISSION [PERMISSION...]
Delete scope permissions from a role:
cephadm@adm > ceph dashboard ac-role-del-scope-perms ROLENAME SCOPENAME

14.2.2.2 Assigning Roles to User Accounts

Use the following commands to assign roles to users:

Set user roles:
cephadm@adm > ceph dashboard ac-user-set-roles USERNAME ROLENAME [ROLENAME ...]
Add additional roles to a user:
cephadm@adm > ceph dashboard ac-user-add-roles USERNAME ROLENAME [ROLENAME ...]
Delete roles from a user:
cephadm@adm > ceph dashboard ac-user-del-roles USERNAME ROLENAME [ROLENAME ...]
Tip: Purging Custom Roles

If you create custom user roles and intend to remove the Ceph cluster with the ceph.purge runner later on, you need to purge the custom roles first. Find more details in Section 2.17, “Removing an Entire Ceph Cluster”.

14.2.2.3 Example: Creating a User and a Custom Role

This section illustrates a procedure for creating a user account that can manage RBD images, view and create Ceph pools, and has read-only access to all other scopes.

  1. Create a new user named 'tux':

     cephadm@adm > ceph dashboard ac-user-create tux PASSWORD

  2. Create a role and specify scope permissions:

     cephadm@adm > ceph dashboard ac-role-create rbd/pool-manager
     cephadm@adm > ceph dashboard ac-role-add-scope-perms rbd/pool-manager \
      rbd-image read create update delete
     cephadm@adm > ceph dashboard ac-role-add-scope-perms rbd/pool-manager pool read create

  3. Associate the roles with the 'tux' user:

     cephadm@adm > ceph dashboard ac-user-set-roles tux rbd/pool-manager read-only
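The role model of Section 14.2.2 and the procedure above, worked through as an added Python example (not code from SUSE or the Ceph project): it encodes the system roles and scopes listed on this page, replays the rbd/pool-manager steps in memory, and computes the effective permissions of the 'tux' user. It assumes, as the dashboard's access control does, that a user's effective permissions are the union of the scope permissions of every assigned role.

```python
SCOPES = ["hosts", "config-opt", "pool", "osd", "monitor", "rbd-image", "rbd-mirroring",
          "iscsi", "rgw", "cephfs", "manager", "log", "grafana", "dashboard-settings"]
PERMISSIONS = ["read", "create", "update", "delete"]

# System roles exactly as listed in Section 14.2.2.
SYSTEM_ROLES = {
    "administrator": {s: set(PERMISSIONS) for s in SCOPES},
    "read-only": {s: {"read"} for s in SCOPES if s != "dashboard-settings"},
    "block-manager": {s: set(PERMISSIONS) for s in ("rbd-image", "rbd-mirroring", "iscsi")},
    "rgw-manager": {"rgw": set(PERMISSIONS)},
    "cluster-manager": {s: set(PERMISSIONS)
                        for s in ("hosts", "osd", "monitor", "manager", "config-opt")},
    "pool-manager": {"pool": set(PERMISSIONS)},
    "cephfs-manager": {"cephfs": set(PERMISSIONS)},
}

def add_scope_perms(roles, role, scope, *perms):
    """In-memory counterpart of 'ceph dashboard ac-role-add-scope-perms ROLE SCOPE PERM...'."""
    if scope not in SCOPES:
        raise ValueError("unknown scope %r" % scope)
    unknown = set(perms) - set(PERMISSIONS)
    if unknown:
        raise ValueError("unknown permissions %r" % sorted(unknown))
    roles.setdefault(role, {}).setdefault(scope, set()).update(perms)

def effective_permissions(roles, user_roles):
    """Union of the scope permissions of every role assigned to the user (assumption: this is
    how the dashboard merges several roles, as in step 3 of the procedure above)."""
    effective = {}
    for name in user_roles:
        if name not in roles:
            raise ValueError("unknown role %r" % name)
        for scope, perms in roles[name].items():
            effective.setdefault(scope, set()).update(perms)
    return effective

def is_allowed(effective, scope, perm):
    return perm in effective.get(scope, set())

def build_tux():
    """Replay the procedure: custom role rbd/pool-manager plus the read-only system role."""
    roles = {name: {s: set(p) for s, p in role.items()} for name, role in SYSTEM_ROLES.items()}
    add_scope_perms(roles, "rbd/pool-manager", "rbd-image", "read", "create", "update", "delete")
    add_scope_perms(roles, "rbd/pool-manager", "pool", "read", "create")
    return effective_permissions(roles, ["rbd/pool-manager", "read-only"])
```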

14.3 Reverse Proxies

If you are accessing the dashboard via a reverse proxy configuration, you may need to serve it under a URL prefix. To get the dashboard to use hyperlinks that include your prefix, set the url_prefix setting:

cephadm@adm > ceph config set mgr mgr/dashboard/url_prefix URL_PREFIX

Then you can access the dashboard at http://HOST_NAME:PORT_NUMBER/URL_PREFIX/.

14.4 Auditing

The Ceph Dashboard's REST API can log PUT, POST, and DELETE requests to the Ceph audit log. Logging is disabled by default, but you can enable it with the following command:

cephadm@adm > ceph dashboard set-audit-api-enabled true

If enabled, the following parameters are logged for each request:

from

The origin of the request, for example 'https://[::1]:44410'.

path

The REST API path, for example '/api/auth'.

method

'PUT', 'POST', or 'DELETE'.

user

The name of the user (or 'None').

An example log entry looks like this:

2019-02-06 10:33:01.302514 mgr.x [INF] [DASHBOARD] \
 from='https://[::ffff:127.0.0.1]:37022' path='/api/rgw/user/exu' method='PUT' \
 user='admin' params='{"max_buckets": "1000", "display_name": "Example User", "uid": "exu", "suspended": "0", "email": "user@example.com"}'
Tip: Disable Logging of Request Payload

The logging of the request payload (the list of arguments and their values) is enabled by default. You can disable it as follows:

cephadm@adm > ceph dashboard set-audit-api-log-payload false
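An added Python example (not SUSE or Ceph code) that parses audit entries of the form shown above and flags the ones an operator would want to review: requests with no authenticated user, DELETE requests, and entries whose payload was not logged. The log lines are constructed for this example, and it assumes that '/api/auth' (the login path from the page) is the only endpoint where user='None' is expected.

```python
import json
import re

# Constructed sample lines in the single-line form the mgr writes (the page shows one entry
# wrapped with backslashes); hosts, users and payloads are made up for this example.
SAMPLE_LOG = """\
2019-02-06 10:33:01.302514 mgr.x [INF] [DASHBOARD] from='https://[::ffff:127.0.0.1]:37022' path='/api/rgw/user/exu' method='PUT' user='admin' params='{"max_buckets": "1000", "display_name": "Example User", "uid": "exu", "suspended": "0", "email": "user@example.com"}'
2019-02-06 10:35:12.000001 mgr.x [INF] [DASHBOARD] from='https://[::1]:44410' path='/api/auth' method='POST' user='None' params='{"username": "admin"}'
2019-02-06 10:40:00.123456 mgr.x [INF] [DASHBOARD] from='https://[::1]:44410' path='/api/pool/rbd' method='DELETE' user='tux' params='{"pool_name": "rbd"}'
2019-02-06 10:41:00.000000 mgr.x [INF] [DASHBOARD] from='https://[::1]:44410' path='/api/osd/3/mark_out' method='PUT' user='None'
2019-02-06 10:42:00.000000 mgr.x [INF] unrelated mgr message
"""

# One regex per audit record; params is optional because payload logging can be switched
# off with "ceph dashboard set-audit-api-log-payload false".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \[INF\] \[DASHBOARD\] from='(?P<origin>[^']*)' "
    r"path='(?P<path>[^']*)' method='(?P<method>PUT|POST|DELETE)' "
    r"user='(?P<user>[^']*)'(?: params='(?P<params>.*)')?$"
)

def parse_audit_log(text):
    """Return dicts (ts, origin, path, method, user, params); non-audit mgr lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["user"] = None if e["user"] == "None" else e["user"]   # mgr writes user='None'
        if e["params"] is not None:
            try:
                e["params"] = json.loads(e["params"])
            except json.JSONDecodeError:
                e["params"] = {"_raw": e["params"]}  # keep the entry even if the payload is odd
        entries.append(e)
    return entries

def review(entries):
    """Return (path, reason) pairs worth a second look; /api/auth is assumed to be the login path."""
    findings = []
    for e in entries:
        if e["user"] is None and e["path"] != "/api/auth":
            findings.append((e["path"], "modifying request without an authenticated user"))
        if e["method"] == "DELETE":
            findings.append((e["path"], "destructive request by %s" % e["user"]))
        if e["params"] is None:
            findings.append((e["path"], "payload not logged (audit-api-log-payload disabled?)"))
    return findings
```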