Dear all,
I am experimenting with Ceph as a replacement for the Andrew File System
(https://en.wikipedia.org/wiki/Andrew_File_System). In my current setup, I am using AFS as
a distributed filesystem for approximately 1000 users to store personal data and let them
access their home directories and other shared data from multiple locations across
different buildings. The authentication is managed by Kerberos (+ LDAP server). My goal is
to replace AFS with CephFS but keep the current Kerberos database.
Right now I've managed to set up a testing Ceph cluster with 6 nodes and 11 osds and I
can mount CephFS using the kernel driver + CephX.
However, from the Ceph docs, I can't understand if this might be a correct use-case
for Ceph since the default authentication method CephX doesn't have a standard
username/password authentication protocol. As far as I understand it requires the creation
of a keyring with a random password generated on-the-fly which can then be used to mount
the filesystem using the CephFS kernel module
(https://docs.ceph.com/en/latest/cephfs/mount-using-kernel-driver/#mounting-…).
As for the Kerberos integration, I found in the docs this page
https://docs.ceph.com/en/latest/dev/ceph_krb_auth/ which is still a draft even if the last
update was almost 2 years ago. From this page, I don't understand if the current
version of Ceph supports full integration with GSSAPI/kerberos/LDAP. Since the docs only
refer to keytab files, I was wondering if Kerberos can only be used as an authentication
protocol between Ceph monitors/osds/metadata-servers and not for mounting the filesystem.
Therefore I am asking:
- if anyone has tried Ceph for a similar use-case
- what is the current status of Kerberos integration
- if there are alternatives to CephX for mounting CephFS using kernel drivers which use
a username/password protocol
Thank you and best regards,
Alessandro Piazza