Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 2. Ceph Dashboard installation and access


As a system administrator, you can access the dashboard with the credentials provided on bootstrapping the cluster.

Cephadm installs the dashboard by default. Following is an example of the dashboard URL:

URL: https://host01:8443/
User: admin
Password: zbiql951ar
Note

Update the browser and clear the cookies prior to accessing the dashboard URL.

The following are the Cephadm bootstrap options that are available for the Ceph dashboard configurations:

  • [–initial-dashboard-user INITIAL_DASHBOARD_USER] - Use this option while bootstrapping to set initial-dashboard-user.
  • [–initial-dashboard-password INITIAL_DASHBOARD_PASSWORD] - Use this option while bootstrapping to set initial-dashboard-password.
  • [–ssl-dashboard-port SSL_DASHBOARD_PORT] - Use this option while bootstrapping to set custom dashboard port other than default 8443.
  • [–dashboard-key DASHBOARD_KEY] - Use this option while bootstrapping to set Custom key for SSL.
  • [–dashboard-crt DASHBOARD_CRT] - Use this option while bootstrapping to set Custom certificate for SSL.
  • [–skip-dashboard] - Use this option while bootstrapping to deploy Ceph without dashboard.
  • [–dashboard-password-noupdate] - Use this option while bootstrapping if you used above two options and don’t want to reset password at the first time login.
  • [–allow-fqdn-hostname] - Use this option while bootstrapping to allow hostname that is fully-qualified.
  • [–skip-prepare-host] - Use this option while bootstrapping to skip preparing the host.
Note

To avoid connectivity issues with dashboard related external URL, use the fully qualified domain names (FQDN) for hostnames, for example, host01.ceph.redhat.com.

Note

Open the Grafana URL directly in the client internet browser and accept the security exception to see the graphs on the Ceph dashboard. Reload the browser to view the changes.

Example

[root@host01 ~]# cephadm bootstrap --mon-ip 127.0.0.1 --registry-json cephadm.txt  --initial-dashboard-user  admin --initial-dashboard-password zbiql951ar --dashboard-password-noupdate --allow-fqdn-hostname

Note

While boostrapping the storage cluster using cephadm, you can use the --image option for either custom container images or local container images.

Note

You have to change the password the first time you log into the dashboard with the credentials provided on bootstrapping only if --dashboard-password-noupdate option is not used while bootstrapping. You can find the Ceph dashboard credentials in the var/log/ceph/cephadm.log file. Search with the "Ceph Dashboard is now available at" string.

This section covers the following tasks:

2.1. Network port requirements for Ceph Dashboard

The Ceph dashboard components use certain TCP network ports which must be accessible. By default, the network ports are automatically opened in firewalld during installation of Red Hat Ceph Storage.

Table 2.1. TCP Port Requirements
PortUseOriginating HostDestination Host

8443

The dashboard web interface

IP addresses that need access to Ceph Dashboard UI and the host under Grafana server, since the AlertManager service can also initiate connections to the Dashboard for reporting alerts.

The Ceph Manager hosts.

3000

Grafana

IP addresses that need access to Grafana Dashboard UI and all Ceph Manager hosts and Grafana server.

The host or hosts running Grafana server.

2049

NFS-Ganesha

IP addresses that need access to NFS.

The IP addresses that provide NFS services.

9095

Default Prometheus server for basic Prometheus graphs

IP addresses that need access to Prometheus UI and all Ceph Manager hosts and Grafana server or Hosts running Prometheus.

The host or hosts running Prometheus.

9093

Prometheus Alertmanager

IP addresses that need access to Alertmanager Web UI and all Ceph Manager hosts and Grafana server or Hosts running Prometheus.

All Ceph Manager hosts and the host under Grafana server.

9094

Prometheus Alertmanager for configuring a highly available cluster made from multiple instances

All Ceph Manager hosts and the host under Grafana server.

Prometheus Alertmanager High Availability (peer daemon sync), so both src and dst should be hosts running Prometheus Alertmanager.

9100

The Prometheus node-exporter daemon

Hosts running Prometheus that need to view Node Exporter metrics Web UI and All Ceph Manager hosts and Grafana server or Hosts running Prometheus.

All storage cluster hosts, including MONs, OSDS, Grafana server host.

9283

Ceph Manager Prometheus exporter module

Hosts running Prometheus that need access to Ceph Exporter metrics Web UI and Grafana server.

All Ceph Manager hosts.

9287

Ceph iSCSI gateway data

All Ceph Manager hosts and Grafana server.

All Ceph iSCSI gateway hosts.

Additional Resources

2.2. Accessing the Ceph dashboard

You can access the Ceph dashboard to administer and monitor your Red Hat Ceph Storage cluster.

Prerequisites

  • Successful installation of Red Hat Ceph Storage Dashboard.
  • NTP is synchronizing clocks properly.

Procedure

  1. Enter the following URL in a web browser:

    Syntax

    https://HOST_NAME:PORT

    Replace:

    • HOST_NAME with the fully qualified domain name (FQDN) of the active manager host.
    • PORT with port 8443

      Example

      https://host01:8443

      You can also get the URL of the dashboard by running the following command in the Cephadm shell:

      Example

      [ceph: root@host01 /]# ceph mgr services

      This command will show you all endpoints that are currently configured. Look for the dashboard key to obtain the URL for accessing the dashboard.

  2. On the login page, enter the username admin and the default password provided during bootstrapping.
  3. You have to change the password the first time you log in to the Red Hat Ceph Storage dashboard.
  4. After logging in, the dashboard default landing page is displayed, which provides a high-level overview of status, performance, and capacity metrics of the Red Hat Ceph Storage cluster.

    Figure 2.1. Ceph dashboard landing page

    Ceph dashboard landing page
  5. Click the following icon on the dashboard landing page to collapse or display the options in the vertical menu:

    Figure 2.2. Vertical menu on the Ceph dashboard

    Vertical menu on Ceph dashboard

2.3. Setting login banner on the Ceph dashboard

Many users require support for customizable text on the login page for security, legal, or disclaimer reasons.

You can set these custom texts on the login page of the Ceph Dashboard using the command-line interface (CLI).

Prerequisites

  • A running Red Hat Ceph Storage cluster with the monitoring stack installed.
  • Root-level access to the cephadm host.
  • The dashboard module enabled.

Procedure

  1. As a root user, create a login.txt file and provide the custom message for the users:

    Example

    ****CUSTOM LOGIN MESSAGE****

  2. Mount the login.txt file under a directory in the container:

    Example

    [root@host01 ~]# cephadm shell --mount login.txt:/var/lib/ceph/login.txt

    Note

    Every time you exit the shell, you have to mount the file in the container before deploying the daemon.

  3. Optional: Check if the dashboard Ceph Manager module is enabled:

    Example

    [ceph: root@host01 /]# ceph mgr module ls

  4. Set the login banner text:

    Syntax

    ceph dashboard set-login-banner -i FILE_PATH

    Example

    [ceph: root@host01 /]# ceph dashboard set-login-banner -i /var/lib/ceph/login.txt
    
    login banner file added

  5. Get the login banner text:

    Example

    [ceph: root@host01 /]# ceph dashboard get-login-banner
    
    ****CUSTOM LOGIN MESSAGE****

  6. Optional: You can remove the login banner using the unset command:

    Example

    [ceph: root@host01 /]# ceph dashboard unset-login-banner
    
    Login banner removed

Verification

  • Log in to the dashboard:

    https://HOST_NAME:8443
    Login banner

2.4. Setting message of the day (MOTD) on the Ceph dashboard

Sometimes, there is a need to inform the Ceph Dashboard users about the latest news, updates, and information on Red Hat Ceph Storage.

As a storage administrator, you can configure a message of the day (MOTD) using the command-line interface (CLI).

When the user logs in to the Ceph Dashboard, the configured MOTD is displayed at the top of the Ceph Dashboard similar to the Telemetry module.

The importance of MOTD can be configured based on severity, such as info, warning, or danger.

A MOTD with a info or warning severity can be closed by the user. The info MOTD is not displayed anymore until the local storage cookies are cleared or a new MOTD with a different severity is displayed. A MOTD with a warning severity is displayed again in a new session.

Prerequisites

  • A running Red Hat Ceph Storage cluster with the monitoring stack installed.
  • Root-level access to the cephadm host.
  • The dashboard module enabled.

Procedure

  1. Configure a MOTD for the dashboard:

    Syntax

    ceph dashboard motd set SEVERITY EXPIRES MESSAGE

    Example

    [ceph: root@host01 /]# ceph dashboard motd set danger 2d "Custom login message"
    
    Message of the day has been set.

    Replace

    • SEVERITY can be info, warning, or danger.
    • EXPIRES can be for seconds (s), minutes (m), hours (h), days (d), weeks (w), or never expires (0).
    • MESSAGE can be any custom message that users can view as soon as they log in to the dashboard.
  2. Optional: Set the MOTD that does not expire:

    Example

    [ceph: root@host01 /]# ceph dashboard motd set danger 0 "Custom login message"
    
    Message of the day has been set.

  3. Get the configured MOTD :

    Example

    [ceph: root@host01 /]# ceph dashboard motd get
    
    Message="Custom login message", severity="danger", expires="2022-09-08T07:38:52.963882Z"

  4. Optional: Clear the configure MOTD using the clear command:

    Example

    [ceph: root@host01 /]# ceph dashboard motd clear
    
    Message of the day has been cleared.

Verification

  • Log in to the dashboard:

    https://HOST_NAME:8443
    MOTD

2.5. Expanding the cluster on the Ceph dashboard

You can use the dashboard to expand the Red Hat Ceph Storage cluster for adding hosts, adding OSDs, and creating services such as Alertmanager, Cephadm-exporter, CephFS-mirror, Grafana, ingress, iSCSI, MDS, NFS, node-exporter, Prometheus, RBD-mirror, and Ceph Object Gateway.

Once you bootstrap a new storage cluster, the Ceph Monitor and Ceph Manager daemons are created and the cluster is in HEALTH_WARN state. After creating all the services for the cluster on the dashboard, the health of the cluster changes from HEALTH_WARN to HEALTH_OK status.

Prerequisites

Procedure

  1. Copy the admin key from the bootstrapped host to other hosts:

    Syntax

    ssh-copy-id -f -i /etc/ceph/ceph.pub root@HOST_NAME

    Example

    [ceph: root@host01 /]# ssh-copy-id -f -i /etc/ceph/ceph.pub root@host02
    [ceph: root@host01 /]# ssh-copy-id -f -i /etc/ceph/ceph.pub root@host03

  2. Log in to the dashboard with the default credentials provided during bootstrap.
  3. Change the password and log in to the dashboard with the new password .
  4. On the landing page, click Expand Cluster.

    Figure 2.3. Expand cluster

    Expand cluster
  5. Add hosts:

    1. In the Add Hosts window, click +Add.
    2. Provide the hostname. This is same as the hostname that was provided while copying the key from the bootstrapped host.

      Note

      You can use the tool tip in the Add Hosts dialog box for more details.

    3. Optional: Provide the respective IP address of the host.
    4. Optional: Select the labels for the hosts on which the services are going to be created.
    5. Click Add Host.
    6. Follow the above steps for all the hosts in the storage cluster.
  6. In the Add Hosts window, click Next.
  7. Create OSDs:

    1. In the Create OSDs window, for Primary devices, Click +Add.
    2. In the Primary Devices window, filter for the device and select the device.
    3. Click Add.
    4. Optional: In the Create OSDs window, if you have any shared devices such as WAL or DB devices, then add the devices.
    5. Optional: Click on the check-box Encryption to encrypt the features.
    6. In the Create OSDs window, click Next.
  8. Create services:

    1. In the Create Services window, click +Create.
    2. In the Create Service dialog box,

      1. Select the type of the service from the drop-down.
      2. Provide the service ID, a unique name of the service.
      3. Provide the placement by hosts or label.
      4. Select the hosts.
      5. Provide the number of daemons or services that need to be deployed.
    3. Click Create Service.
  9. In the Create Service window, Click Next.
  10. Review the Cluster Resources, Hosts by Services, Host Details. If you want to edit any parameter, click Back and follow the above steps.

    Figure 2.4. Review cluster

    Review cluster
  11. Click Expand Cluster.
  12. You get a notification that the cluster expansion was successful.
  13. The cluster health changes to HEALTH_OK status on the dashboard.

Verification

  1. Log in to the cephadm shell:

    Example

    [root@host01 ~]# cephadm shell

  2. Run the ceph -s command.

    Example

    [ceph: root@host01 /]# ceph -s

    The health of the cluster is HEALTH_OK.

Additional Resources

2.6. Toggling Ceph dashboard features

You can customize the Red Hat Ceph Storage dashboard components by enabling or disabling features on demand. All features are enabled by default. When disabling a feature, the web-interface elements become hidden and the associated REST API end-points reject any further requests for that feature. Enabling and disabling dashboard features can be done from the command-line interface or the web interface.

Available features:

  • Ceph Block Devices:

    • Image management, rbd
    • Mirroring, mirroring
    • iSCSI gateway, iscsi
  • Ceph Filesystem, cephfs
  • Ceph Object Gateway, rgw
  • NFS Ganesha gateway, nfs
Note

By default, the Ceph Manager is collocated with the Ceph Monitor.

Note

You can disable multiple features at once.

Important

Once a feature is disabled, it can take up to 20 seconds to reflect the change in the web interface.

Prerequisites

  • Installation and configuration of the Red Hat Ceph Storage dashboard software.
  • User access to the Ceph Manager host or the dashboard web interface.
  • Root level access to the Ceph Manager host.

Procedure

  • To toggle the dashboard features from the dashboard web interface:

    1. On the dashboard landing page, navigate to Cluster drop-down menu.
    2. Select Manager Modules, and then select Dashboard.
    3. In the Edit Manager module page, you can enable or disable the dashboard features by checking or unchecking the selection box next to the feature name.

      Figure 2.5. Edit Manager module

      Edit Manager module
    4. Once the selections have been made, scroll down and click Update.
  • To toggle the dashboard features from the command-line interface:

    1. Log in to the Cephadm shell:

      Example

      [root@host01 ~]# cephadm shell

    2. List the feature status:

      Example

      [ceph: root@host01 /]# ceph dashboard feature status

    3. Disable a feature:

      [ceph: root@host01 /]# ceph dashboard feature disable iscsi

      This example disables the Ceph iSCSI gateway feature.

    4. Enable a feature:

      [ceph: root@host01 /]# ceph dashboard feature enable cephfs

      This example enables the Ceph Filesystem feature.

2.7. Understanding the landing page of the Ceph dashboard

The landing page displays an overview of the entire Ceph cluster using navigation bars and individual panels.

The navigation bar provides the following options:

  • Messages about tasks and notifications.
  • Link to the documentation, Ceph Rest API, and details about the Red Hat Ceph Storage Dashboard.
  • Link to user management and telemetry configuration.
  • Link to change password and sign out of the dashboard.

Figure 2.6. Navigation bar

Navigation bar

Apart from that, the individual panel displays specific information about the state of the cluster.

Categories

The landing page organizes panels into the following three categories:

  1. Status
  2. Capacity
  3. Performance

Figure 2.7. Ceph dashboard landing page

Ceph dashboard Landing page

Status panel

The status panels display the health of the cluster and host and daemon states.

Cluster Status: Displays the current health status of the Ceph storage cluster.

Hosts: Displays the total number of hosts in the Ceph storage cluster.

Monitors: Displays the number of Ceph Monitors and the quorum status.

OSDs: Displays the total number of OSDs in the Ceph Storage cluster and the number that are up, and in.

Managers: Displays the number and status of the Manager Daemons.

Object Gateways: Displays the number of Object Gateways in the Ceph storage cluster.

Metadata Servers: Displays the number and status of metadata servers for Ceph Filesystems (CephFS).

iSCSI Gateways: Displays the number of iSCSI Gateways in the Ceph storage cluster.

Capacity panel

The capacity panel displays storage usage metrics.

Raw Capacity: Displays the utilization and availability of the raw storage capacity of the cluster.

Objects: Displays the total number of objects in the pools and a graph dividing objects into states of Healthy, Misplaced, Degraded, or Unfound.

PG Status: Displays the total number of Placement Groups and a graph dividing PGs into states of Clean, Working, Warning, or Unknown. To simplify display of PG states Working and Warning actually each encompass multiple states.

The Working state includes PGs with any of these states:

  • activating
  • backfill_wait
  • backfilling
  • creating
  • deep
  • degraded
  • forced_backfill
  • forced_recovery
  • peering
  • peered
  • recovering
  • recovery_wait
  • repair
  • scrubbing
  • snaptrim
  • snaptrim_wait

The Warning state includes PGs with any of these states:

  • backfill_toofull
  • backfill_unfound
  • down
  • incomplete
  • inconsistent
  • recovery_toofull
  • recovery_unfound
  • remapped
  • snaptrim_error
  • stale
  • undersized

Pools: Displays the number of storage pools in the Ceph cluster.

PGs per OSD: Displays the number of placement groups per OSD.

Performance panel

The performance panel display information related to data transfer speeds.

Client Read/Write: Displays total input/output operations per second, reads per second, and writes per second.

Client Throughput: Displays total client throughput, read throughput, and write throughput.

Recovery Throughput: Displays the data recovery rate.

Scrubbing: Displays whether Ceph is scrubbing data to verify its integrity.

Additional Resources

2.8. Changing the dashboard password using the Ceph dashboard

By default, the password for accessing dashboard is randomly generated by the system while bootstrapping the cluster. You have to change the password the first time you log in to the Red Hat Ceph Storage dashboard. You can change the password for the admin user using the dashboard.

Prerequisites

  • A running Red Hat Ceph Storage cluster.

Procedure

  1. Log in to the dashboard:

    https://HOST_NAME:8443
  2. Click the Dashboard Settings icon and then click User management.

    Figure 2.8. User management

    User management
  3. To change the password of admin, click it’s row.
  4. From the Edit drop-down menu, select Edit.
  5. In the Edit User window, enter the new password, and change the other parameters, and then Click Edit User.

    Figure 2.9. Edit user management

    Edit user management

    You will be logged out and redirected to the log-in screen. A notification appears confirming the password change.

2.9. Changing the Ceph dashboard password using the command line interface

If you have forgotten your Ceph dashboard password, you can change the password using the command line interface.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Root-level access to the host on which the dashboard is installed.

Procedure

  1. Log into the Cephadm shell:

    Example

    [root@host01 ~]# cephadm shell

  2. Create the dashboard_password.yml file:

    Example

    [ceph: root@host01 /]# touch dashboard_password.yml

  3. Edit the file and add the new dashboard password:

    Example

    [ceph: root@host01 /]# vi dashboard_password.yml

  4. Reset the dashboard password:

    Syntax

    ceph dashboard ac-user-set-password DASHBOARD_USERNAME -i PASSWORD_FILE

    Example

    [ceph: root@host01 /]# ceph dashboard ac-user-set-password admin -i dashboard_password.yml
    {"username": "admin", "password": "$2b$12$i5RmvN1PolR61Fay0mPgt.GDpcga1QpYsaHUbJfoqaHd1rfFFx7XS", "roles": ["administrator"], "name": null, "email": null, "lastUpdate": , "enabled": true, "pwdExpirationDate": null, "pwdUpdateRequired": false}

Verification

  • Log in to the dashboard with your new password.

2.10. Setting admin user password for Grafana

By default, cephadm does not create an admin user for Grafana. With the Ceph Orchestrator, you can create an admin user and set the password.

With these credentials, you can log in to the storage cluster’s Grafana URL with the given password for the admin user.

Prerequisites

  • A running Red Hat Ceph Storage cluster with the monitoring stack installed.
  • Root-level access to the cephadm host.
  • The dashboard module enabled.

Procedure

  1. As a root user, create a grafana.yml file and provide the following details:

    Syntax

    service_type: grafana
    spec:
      initial_admin_password: PASSWORD

    Example

    service_type: grafana
    spec:
      initial_admin_password: mypassword

  2. Mount the grafana.yml file under a directory in the container:

    Example

    [root@host01 ~]# cephadm shell --mount grafana.yml:/var/lib/ceph/grafana.yml

    Note

    Every time you exit the shell, you have to mount the file in the container before deploying the daemon.

  3. Optional: Check if the dashboard Ceph Manager module is enabled:

    Example

    [ceph: root@host01 /]# ceph mgr module ls

  4. Optional: Enable the dashboard Ceph Manager module:

    Example

    [ceph: root@host01 /]# ceph mgr module enable dashboard

  5. Apply the specification using the orch command:

    Syntax

    ceph orch apply -i FILE_NAME.yml

    Example

    [ceph: root@host01 /]# ceph orch apply -i /var/lib/ceph/grafana.yml

  6. Redeploy grafana service:

    Example

    [ceph: root@host01 /]# ceph orch redeploy grafana

    This creates an admin user called admin with the given password and the user can log in to the Grafana URL with these credentials.

Verification:

  • Log in to Grafana with the credentials:

    Syntax

    https://HOST_NAME:PORT

    Example

    https://host01:3000/

2.11. Enabling Red Hat Ceph Storage Dashboard manually

If you have installed a Red Hat Ceph Storage cluster by using --skip-dashboard option during bootstrap, you can see that the dashboard URL and credentials are not available in the bootstrap output. You can enable the dashboard manually using the command-line interface. Although the monitoring stack components such as Prometheus, Grafana, Alertmanager, and node-exporter are deployed, they are disabled and you have to enable them manually.

Prerequisite

  • A running Red Hat Ceph Storage cluster installed with --skip-dashboard option during bootstrap.
  • Root-level access to the host on which the dashboard needs to be enabled.

Procedure

  1. Log into the Cephadm shell:

    Example

    [root@host01 ~]# cephadm shell

  2. Check the Ceph Manager services:

    Example

    [ceph: root@host01 /]# ceph mgr services
    
    {
        "prometheus": "http://10.8.0.101:9283/"
    }

    You can see that the Dashboard URL is not configured.

  3. Enable the dashboard module:

    Example

    [ceph: root@host01 /]# ceph mgr module enable dashboard

  4. Create the self-signed certificate for the dashboard access:

    Example

    [ceph: root@host01 /]# ceph dashboard create-self-signed-cert

    Note

    You can disable the certificate verification to avoid certification errors.

  5. Check the Ceph Manager services:

    Example

    [ceph: root@host01 /]# ceph mgr services
    
    {
        "dashboard": "https://10.8.0.101:8443/",
        "prometheus": "http://10.8.0.101:9283/"
    }

  6. Create the admin user and password to access the Red Hat Ceph Storage dashboard:

    Syntax

    echo -n "PASSWORD" > PASSWORD_FILE
    ceph dashboard ac-user-create admin -i PASSWORD_FILE administrator

    Example

    [ceph: root@host01 /]# echo -n "p@ssw0rd" > password.txt
    [ceph: root@host01 /]# ceph dashboard ac-user-create admin -i password.txt administrator

  7. Enable the monitoring stack. See the Enabling monitoring stack section in the Red Hat Ceph Storage Dashboard Guide for details.

Additional Resources

2.12. Creating an admin account for syncing users to the Ceph dashboard

You have to create an admin account to synchronize users to the Ceph dashboard.

After creating the account, use Red Hat Single Sign-on (SSO) to synchronize users to the Ceph dashboard. See Syncing users to the Ceph dashboard using Red Hat Single Sign-On section in the Red Hat Ceph Storage Dashboard Guide.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Dashboard is installed.
  • Admin level access to the dashboard.
  • Users are added to the dashboard.
  • Root-level access on all the hosts.
  • Red hat Single Sign-On installed from a ZIP file. See the Installing Red Hat Single Sign-On from a zip file for additional information.

Procedure

  1. Download the Red Hat Single Sign-On 7.4.0 Server on the system where Red Hat Ceph Storage is installed.
  2. Unzip the folder:

    [root@host01 ~]# unzip rhsso-7.4.0.zip
  3. Navigate to the standalone/configuration directory and open the standalone.xml for editing:

    [root@host01 ~]# cd standalone/configuration
    [root@host01 configuration]# vi standalone.xml
  4. Replace all instances of localhost and two instances of 127.0.0.1 with the IP address of the machine where Red Hat SSO is installed.
  5. Optional: For Red Hat Enterprise Linux 8, users might get Certificate Authority (CA) issues. Import the custom certificates from CA and move them into the keystore with the exact java version.

    Example

    [root@host01 ~]# keytool -import -noprompt -trustcacerts -alias ca -file ../ca.cer -keystore /etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.272.b10-3.el8_3.x86_64/lib/security/cacert

  6. To start the server from the bin directory of rh-sso-7.4 folder, run the standalone boot script:

    [root@host01 bin]# ./standalone.sh
  7. Create the admin account in https: IP_ADDRESS :8080/auth with a username and password:

    Note

    You have to create an admin account only the first time that you log into the console

  8. Log into the admin console with the credentials created.

Additional Resources

2.13. Syncing users to the Ceph dashboard using Red Hat Single Sign-On

You can use Red Hat Single Sign-on (SSO) with Lightweight Directory Access Protocol (LDAP) integration to synchronize users to the Red Hat Ceph Storage Dashboard.

The users are added to specific realms in which they can access the dashboard through SSO without any additional requirements of a password.

Prerequisites

Procedure

  1. To create a realm, click the Master drop-down menu. In this realm, you can provide access to users and applications.
  2. In the Add Realm window, enter a case-sensitive realm name and set the parameter Enabled to ON and click Create:

    Add realm window
  3. In the Realm Settings tab, set the following parameters and click Save:

    1. Enabled - ON
    2. User-Managed Access - ON
    3. Make a note of the link address of SAML 2.0 Identity Provider Metadata to paste in Client Settings.

      Add realm settings window
  4. In the Clients tab, click Create:

    Add client
  5. In the Add Client window, set the following parameters and click Save:

    1. Client ID - BASE_URL:8443/auth/saml2/metadata

      Example

      https://example.ceph.redhat.com:8443/auth/saml2/metadata

    2. Client Protocol - saml
  6. In the Client window, under Settings tab, set the following parameters:

    Table 2.2. Client Settings tab
    Name of the parameterSyntaxExample

    Client ID

    BASE_URL:8443/auth/saml2/metadata

    https://example.ceph.redhat.com:8443/auth/saml2/metadata

    Enabled

    ON

    ON

    Client Protocol

    saml

    saml

    Include AuthnStatement

    ON

    ON

    Sign Documents

    ON

    ON

    Signature Algorithm

    RSA_SHA1

    RSA_SHA1

    SAML Signature Key Name

    KEY_ID

    KEY_ID

    Valid Redirect URLs

    BASE_URL:8443/*

    https://example.ceph.redhat.com:8443/*

    Base URL

    BASE_URL:8443

    https://example.ceph.redhat.com:8443/

    Master SAML Processing URL

    https://localhost:8080/auth/realms/REALM_NAME/protocol/saml/descriptor

    https://localhost:8080/auth/realms/Ceph_LDAP/protocol/saml/descriptor

    Note

    Paste the link of SAML 2.0 Identity Provider Metadata from Realm Settings tab.

    Under Fine Grain SAML Endpoint Configuration, set the following parameters and click Save:

    Table 2.3. Fine Grain SAML configuration
    Name of the parameterSyntaxExample

    Assertion Consumer Service POST Binding URL

    BASE_URL:8443/#/dashboard

    https://example.ceph.redhat.com:8443/#/dashboard

    Assertion Consumer Service Redirect Binding URL

    BASE_URL:8443/#/dashboard

    https://example.ceph.redhat.com:8443/#/dashboard

    Logout Service Redirect Binding URL

    BASE_URL:8443/

    https://example.ceph.redhat.com:8443/

  7. In the Clients window, Mappers tab, set the following parameters and click Save:

    Table 2.4. Client Mappers tab
    Name of the parameterValue

    Protocol

    saml

    Name

    username

    Mapper Property

    User Property

    Property

    username

    SAML Attribute name

    username

  8. In the Clients Scope tab, select role_list:

    1. In Mappers tab, select role list, set the Single Role Attribute to ON.
  9. Select User_Federation tab:

    1. In User Federation window, select ldap from the drop-down menu:
    2. In User_Federation window, Settings tab, set the following parameters and click Save:

      Table 2.5. User Federation Settings tab
      Name of the parameterValue

      Console Display Name

      rh-ldap

      Import Users

      ON

      Edit_Mode

      READ_ONLY

      Username LDAP attribute

      username

      RDN LDAP attribute

      username

      UUID LDAP attribute

      nsuniqueid

      User Object Classes

      inetOrgPerson

      organizationalPerson

      rhatPerson

      Connection URL

      Example: ldap://ldap.corp.redhat.com Click Test Connection. You will get a notification that the LDAP connection is successful.

      Users DN

      ou=users, dc=example, dc=com

      Bind Type

      simple

      Click Test authentication. You will get a notification that the LDAP authentication is successful.

    3. In Mappers tab, select first name row and edit the following parameter and Click Save:

      • LDAP Attribute - givenName
    4. In User_Federation tab, Settings tab, Click Synchronize all users:

      User Federation Synchronize

      You will get a notification that the sync of users is finished successfully.

  10. In the Users tab, search for the user added to the dashboard and click the Search icon:

    User search tab
  11. To view the user , click the specific row. You should see the federation link as the name provided for the User Federation.

    User details
    Important

    Do not add users manually as the users will not be synchronized by LDAP. If added manually, delete the user by clicking Delete.

Verification

  • Users added to the realm and the dashboard can access the Ceph dashboard with their mail address and password.

    Example

    https://example.ceph.redhat.com:8443

Additional Resources

2.14. Enabling Single Sign-On for the Ceph Dashboard

The Ceph Dashboard supports external authentication of users with the Security Assertion Markup Language (SAML) 2.0 protocol. Before using single sign-On (SSO) with the Ceph dashboard, create the dashboard user accounts and assign the desired roles. The Ceph Dashboard performs authorization of the users and the authentication process is performed by an existing Identity Provider (IdP). You can enable single sign-on using the SAML protocol.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Installation of the Ceph Dashboard.
  • Root-level access to The Ceph Manager hosts.

Procedure

  1. To configure SSO on Ceph Dashboard, run the following command:

    Syntax

    podman exec CEPH_MGR_HOST ceph dashboard sso setup saml2 CEPH_DASHBOARD_BASE_URL IDP_METADATA IDP_USERNAME_ATTRIBUTE IDP_ENTITY_ID SP_X_509_CERT SP_PRIVATE_KEY

    Example

    [root@host01 ~]# podman exec host01 ceph dashboard sso setup saml2 https://dashboard_hostname.ceph.redhat.com:8443 idp-metadata.xml username https://10.70.59.125:8080/auth/realms/realm_name /home/certificate.txt /home/private-key.txt

    Replace

    • CEPH_MGR_HOST with Ceph mgr host. For example, host01
    • CEPH_DASHBOARD_BASE_URL with the base URL where Ceph Dashboard is accessible.
    • IDP_METADATA with the URL to remote or local path or content of the IdP metadata XML. The supported URL types are http, https, and file.
    • Optional: IDP_USERNAME_ATTRIBUTE with the attribute used to get the username from the authentication response. Defaults to uid.
    • Optional: IDP_ENTITY_ID with the IdP entity ID when more than one entity ID exists on the IdP metadata.
    • Optional: SP_X_509_CERT with the file path of the certificate used by Ceph Dashboard for signing and encryption.
    • Optional: SP_PRIVATE_KEY with the file path of the private key used by Ceph Dashboard for signing and encryption.
  2. Verify the current SAML 2.0 configuration:

    Syntax

    podman exec CEPH_MGR_HOST ceph dashboard sso show saml2

    Example

    [root@host01 ~]#  podman exec host01 ceph dashboard sso show saml2

  3. To enable SSO, run the following command:

    Syntax

    podman exec CEPH_MGR_HOST ceph dashboard sso enable saml2
    SSO is "enabled" with "SAML2" protocol.

    Example

    [root@host01 ~]#  podman exec host01 ceph dashboard sso enable saml2

  4. Open your dashboard URL.

    Example

    https://dashboard_hostname.ceph.redhat.com:8443

  5. On the SSO page, enter the login credentials. SSO redirects to the dashboard web interface.

Additional Resources

2.15. Disabling Single Sign-On for the Ceph Dashboard

You can disable single sign-on for Ceph Dashboard using the SAML 2.0 protocol.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Installation of the Ceph Dashboard.
  • Root-level access to The Ceph Manager hosts.
  • Single sign-on enabled for Ceph Dashboard

Procedure

  1. Check if SSO is enabled:

    Syntax

    podman exec CEPH_MGR_HOST ceph dashboard sso status

    Example

    [root@host01 ~]# podman exec host01 ceph dashboard sso status
    
    SSO is "enabled" with "SAML2" protocol.

  2. Disable SSO:

    Syntax

    podman exec CEPH_MGR_HOST ceph dashboard sso disable
    
    SSO is "disabled".

    Example

    [root@host01 ~]#  podman exec host01 ceph dashboard sso disable

Additional Resources

Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.