* CephX key/secret generation
@ 2015-07-15 21:44 Andrew Woodward
  2015-07-16 14:46 ` Sage Weil
  0 siblings, 1 reply; 4+ messages in thread
From: Andrew Woodward @ 2015-07-15 21:44 UTC (permalink / raw)
  To: Ceph Development

Hi, I'm looking for help understanding how the cephx auth keys are
generated. I want to pre-create the keys for the cluster within my
deployment engine. It appears that we can use `ceph-authtool
--gen-print-key` in order to generate the keys and use them, however
the application runs inside a container and it seems silly to add 150mb of
deps to get access to ceph-authtool.

Looking through the code at a basic level, I see that it's calling
some AES functions, however it quickly goes over my ability to read C.

Can someone go over the key construction requirements? Can we use any
string encoded with base64? Is the AES encoding needed? What is the
correct formula for the AES generation? It looks like they have the
same seed but I'm having problems reading it out of the code.

-- 
Andrew
Mirantis
Fuel community ambassador


* Re: CephX key/secret generation
  2015-07-15 21:44 CephX key/secret generation Andrew Woodward
@ 2015-07-16 14:46 ` Sage Weil
  2015-07-16 15:32   ` Sebastien Han
  0 siblings, 1 reply; 4+ messages in thread
From: Sage Weil @ 2015-07-16 14:46 UTC (permalink / raw)
  To: Andrew Woodward; +Cc: Ceph Development

Hi Andrew,

On Wed, 15 Jul 2015, Andrew Woodward wrote:
> Hi, I'm looking for help understanding how the cephx auth keys are
> generated. I want to pre-create the keys for the cluster within my
> deployment engine. It appears that we can use `ceph-authtool
> --gen-print-key` in order to generate the keys and use them, however
> the application runs inside a container and it seems silly to add 150mb of
> deps to get access to ceph-authtool.
>
> Looking through the code at a basic level, I see that it's calling
> some AES functions, however it quickly goes over my ability to read C.
>
> Can someone go over the key construction requirements? Can we use any
> string encoded with base64? Is the AES encoding needed? What is the
> correct formula for the AES generation? It looks like they have the
> same seed but I'm having problems reading it out of the code.

Here's a bit of python to do it:

	https://github.com/ceph/ceph-deploy/blob/master/ceph_deploy/new.py#L21

Hope that helps!
sage
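
An added example, not part of the message above and not copied from ceph-deploy: a stand-alone Python sketch of the secret format that `ceph-authtool --gen-print-key` prints, assuming the layout is a little-endian header (16-bit type 1 for AES, 32-bit creation seconds, 32-bit nanoseconds, 16-bit key length) followed by 16 random bytes, all base64-encoded. The function names are hypothetical; the parser shows why an arbitrary base64 string is not a usable key.

```python
import base64
import os
import struct
import time

CEPH_CRYPTO_AES = 1               # key type tag stored in the header (assumed layout)
HEADER = struct.Struct("<HIIH")   # le16 type, le32 sec, le32 nsec, le16 key length
AES_KEY_LEN = 16                  # 128-bit secret


def generate_cephx_key(now=None):
    """Return a base64 cephx secret: packed header followed by 16 random bytes."""
    secret = os.urandom(AES_KEY_LEN)  # OS CSPRNG; there is no seed or AES step here
    created = int(time.time() if now is None else now)
    header = HEADER.pack(CEPH_CRYPTO_AES, created, 0, len(secret))
    return base64.b64encode(header + secret).decode("ascii")


def parse_cephx_key(encoded):
    """Decode and validate a cephx secret; raise ValueError if it is malformed."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError as exc:         # binascii.Error is a ValueError subclass
        raise ValueError("not valid base64") from exc
    if len(raw) < HEADER.size:
        raise ValueError("too short to hold the 12-byte header")
    key_type, sec, nsec, key_len = HEADER.unpack_from(raw)
    secret = raw[HEADER.size:]
    if key_type != CEPH_CRYPTO_AES:
        raise ValueError("unexpected key type %d" % key_type)
    if key_len != AES_KEY_LEN or len(secret) != key_len:
        raise ValueError("key length field does not match payload")
    return {"type": key_type, "created": sec, "nsec": nsec, "secret": secret}


if __name__ == "__main__":
    key = generate_cephx_key()
    info = parse_cephx_key(key)       # round-trip check before handing the key out
    print(key, "created:", info["created"])
```

The output is a 40-character string that starts with `AQ`; treat it like any other credential and keep it out of logs and container image layers.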



* Re: CephX key/secret generation
  2015-07-16 14:46 ` Sage Weil
@ 2015-07-16 15:32   ` Sebastien Han
  2015-07-16 17:56     ` Andrew Woodward
  0 siblings, 1 reply; 4+ messages in thread
From: Sebastien Han @ 2015-07-16 15:32 UTC (permalink / raw)
  To: Sage Weil; +Cc: Andrew Woodward, ceph-devel

Awesome, I’ve been looking for something similar for ceph-ansible too :)

> On 16 Jul 2015, at 16:46, Sage Weil <sage@newdream.net> wrote:
> 
> Hi Andrew,
> 
> On Wed, 15 Jul 2015, Andrew Woodward wrote:
>> Hi, I'm looking for help understanding how the cephx auth keys are
>> generated. I want to pre-create the keys for the cluster within my
>> deployment engine. It appears that we can use `ceph-authtool
>> --gen-print-key` in order to generate the keys and use them, however
>> the application runs inside a container and it seems silly to add 150mb of
>> deps to get access to ceph-authtool.
>>
>> Looking through the code at a basic level, I see that it's calling
>> some AES functions, however it quickly goes over my ability to read C.
>>
>> Can someone go over the key construction requirements? Can we use any
>> string encoded with base64? Is the AES encoding needed? What is the
>> correct formula for the AES generation? It looks like they have the
>> same seed but I'm having problems reading it out of the code.
> 
> Here's a bit of python to do it:
> 
> 	https://github.com/ceph/ceph-deploy/blob/master/ceph_deploy/new.py#L21
> 
> Hope that helps!
> sage
> 
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


Cheers.
––––
Sébastien Han
Senior Cloud Architect

"Always give 100%. Unless you're giving blood."

Mail: seb@redhat.com
Address: 11 bis, rue Roquépine - 75008 Paris



* Re: CephX key/secret generation
  2015-07-16 15:32   ` Sebastien Han
@ 2015-07-16 17:56     ` Andrew Woodward
  0 siblings, 0 replies; 4+ messages in thread
From: Andrew Woodward @ 2015-07-16 17:56 UTC (permalink / raw)
  To: Sebastien Han; +Cc: Sage Weil, ceph-devel

Sage,

Thanks, this is exactly what I was looking for.

On Thu, Jul 16, 2015 at 8:32 AM, Sebastien Han <seb@redhat.com> wrote:
> Awesome, I’ve been looking for something similar for ceph-ansible too :)
>
>> On 16 Jul 2015, at 16:46, Sage Weil <sage@newdream.net> wrote:
>>
>> Hi Andrew,
>>
>> On Wed, 15 Jul 2015, Andrew Woodward wrote:
>>> Hi, I'm looking for help understanding how the cephx auth keys are
>>> generated. I want to pre-create the keys for the cluster within my
>>> deployment engine. It appears that we can use `ceph-authtool
>>> --gen-print-key` in order to generate the keys and use them, however
>>> the application runs inside a container and it seems silly to add 150mb of
>>> deps to get access to ceph-authtool.
>>>
>>> Looking through the code at a basic level, I see that it's calling
>>> some AES functions, however it quickly goes over my ability to read C.
>>>
>>> Can someone go over the key construction requirements? Can we use any
>>> string encoded with base64? Is the AES encoding needed? What is the
>>> correct formula for the AES generation? It looks like they have the
>>> same seed but I'm having problems reading it out of the code.
>>
>> Here's a bit of python to do it:
>>
>>       https://github.com/ceph/ceph-deploy/blob/master/ceph_deploy/new.py#L21
>>
>> Hope that helps!
>> sage
>>
>
>
> Cheers.
> ––––
> Sébastien Han
> Senior Cloud Architect
>
> "Always give 100%. Unless you're giving blood."
>
> Mail: seb@redhat.com
> Address: 11 bis, rue Roquépine - 75008 Paris
>



-- 
Andrew
Mirantis
Fuel community ambassador