Hello,
I want to cycle / renew all CEPH keyrings across the cluster as part of my security maintenance procedures.
My environment
Current situation
I tried to rotate the keys in the following order: MON and
The process for each component:
Unfortunately, these steps were not sufficient and I got a "permission denied" error (respectively
Questions
Thanks in advance!
I want to cycle / renew all CEPH keyrings across the cluster as part of my security maintenance procedures.
My environment
- Proxmox VE 8.2.8
- CEPH 18.2.4
- Components where I want to cycle the keyrings
- MON &
client.admin - MGR
- MDS
- MON &
Current situation
I tried to rotate the keys in the following order: MON and
client.admin keyrings first, then MGR, then MDS and lastly any client keyrings.The process for each component:
- Create new keyring via
ceph-authtool - Backup old keyring
- Set correct permissions for the newly created keyring
- Copy new keyring to
/var/lib/ceph/<component>/ceph-<nodename>/keyring - Import keyring into DB via
ceph auth import
Unfortunately, these steps were not sufficient and I got a "permission denied" error (respectively
handle_auth_bad_method). So I had to switch back to my old keyrings to recover.Questions
- What is the correct order to cycle these keyrings?
- Any dependency between components I'm missing?
Thanks in advance!
