Graeme Gillies
2018-07-09 01:05:59 UTC
Hi,
I was wondering how (if?) people handle rotating cephx keys while
keeping cluster up/available.
Part of meeting compliance standards such as PCI DSS is making sure that
data encryption keys and security credentials are rotated regularly and
during other key points (such as notable staff turnover).
We are currently looking at using Ceph as a storage solution and were
wondering how people handle rotating cephx keys (at the very least, the
admin and client.$user keys) while causing minimal/no downtime to ceph
or the clients.
My understanding is that if you change the keys stored in the ceph kv db
then any existing sessions should still continue to work, but any new
ones (say, a hypervisor establishing new connections to osds for a new
vm volume) will fail until the key on the client side is also updated.
I attempted to set two keys against the same client to see if I can have
an "overlap" period of new and old keys before rotating out the old key,
but it seems that ceph only has the concept of 1 key per user.
Any hints, advice, or any information on how to achieve this would be
much appreciated.
Thanks in advance,
Graeme
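The overlap period the post asks about can be had at the entity level rather than the key level: because cephx holds one key per entity, a rotation can create a second entity with the same caps, move clients over to it while both remain valid, and only then delete the old one. The script below is an added example and is not part of the original thread or of Ceph itself. It assumes that the operator passes the new entity's caps explicitly (copied from `ceph auth get client.$old`), that keyrings live under `/etc/ceph`, and that distributing the new keyring to clients is done by the site's own config management (stubbed here as a printed instruction). `DRY_RUN=1` prints the `ceph` commands instead of running them, so the flow can be reviewed without a cluster.

```shell
#!/bin/sh
# Added example (not from the original post): two-phase cephx key rotation
# using a parallel entity, so old and new credentials overlap.
# Assumptions: caps are passed in by the operator; keyrings live in
# KEYRING_DIR; keyring distribution is site-specific and only echoed here.
set -eu

KEYRING_DIR="${KEYRING_DIR:-/etc/ceph}"

# Run a ceph command, or print it when DRY_RUN=1 (args with spaces quoted).
ceph_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ceph'
        for arg in "$@"; do
            case $arg in
                *' '*) printf " '%s'" "$arg" ;;
                *)     printf ' %s' "$arg" ;;
            esac
        done
        printf '\n'
    else
        ceph "$@"
    fi
}

# Phase 1: create the replacement entity with the same caps as the old one.
#   $1 = old entity (without "client."), $2 = new entity, rest = cap pairs,
#   e.g. mon 'allow r' osd 'allow rwx pool=vms'
# From this point both client.$old and client.$new authenticate; existing
# sessions on the old key keep working and new sessions can use either.
begin_rotation() {
    old="$1"; new="$2"; shift 2
    ceph_cmd auth get-or-create "client.$new" "$@" \
        -o "$KEYRING_DIR/ceph.client.$new.keyring"
    # Distribution of the new keyring is left to site tooling (placeholder).
    echo "# overlap: client.$old and client.$new are both valid;"
    echo "# roll clients over to --id $new, then run: finish $old"
}

# Phase 2: once no client still authenticates as the old entity, remove it.
# Any client that was missed fails closed at its next new session.
finish_rotation() {
    old="$1"
    ceph_cmd auth del "client.$old"
    echo "# client.$old removed; remove its keyring from hosts as well"
}

# Usage (no cluster needed with DRY_RUN=1):
#   DRY_RUN=1 sh rotate.sh begin rbd-vms rbd-vms-new mon 'allow r' osd 'allow rwx pool=vms'
#   DRY_RUN=1 sh rotate.sh finish rbd-vms
case "${1:-}" in
    begin)  shift; begin_rotation "$@" ;;
    finish) shift; finish_rotation "$@" ;;
    *)      ;;  # sourced or run without a subcommand: define functions only
esac
```

The same pattern covers `client.admin`: create a second entity with the admin caps, switch tooling to `--id` for that entity, and only then change or remove the original. The gap between `begin` and `finish` is the overlap window the post was looking for; its length is a policy decision, and `ceph auth ls` before `finish` confirms the new entity exists with the expected caps.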