On Wed, Jun 12, 2013 at 12:59 PM, John Nielsen <[email protected]> wrote:
> After updating to Cuttlefish I was able to set up two rados gateways using
> distinct pools and users. (Thanks Yehuda!) Now I'd like to make it so the
> user for each gateway can only access its own pools and nothing else. The
> reasons include security and preventing foot-shooting.
>
> Instead of simply having this: caps osd = "allow rwx"
>
> I tried:
>
> caps osd = "allow class-read, allow pool .intent-log rwx, allow pool
> .log rwx, allow pool .rgw rwx, allow pool .rgw.buckets rwx, allow pool
> .rgw.control rwx, allow pool .rgw.gc rwx, allow pool .usage rwx, allow pool
> .users rwx, allow pool .users.email rwx, allow pool .users.swift rwx, allow
> pool .users.uid rwx"

You'll need more than just class-read.

> Unfortunately, the radosgw won't run with those settings. It starts but then
> exits, with this in the logs:
>
> 2013-06-12 11:51:39.574693 7f61de950820 0 ceph version 0.61.3
> (92b1e398576d55df8e5888dd1a9545ed3fd99532), process radosgw, pid 32182
> 2013-06-12 11:51:39.591093 7f61cb5fe700 2 garbage collection: start
> 2013-06-12 11:51:39.594462 7f61cb5fe700 0 ERROR: garbage collection
> process() returned error r=-1
> 2013-06-12 11:51:39.594472 7f61cb5fe700 2 garbage collection: stop
> 2013-06-12 11:51:39.596405 7f61de950820 -1 Couldn't init storage provider
> (RADOS)
>
> Can someone tell me what permissions I might need or if I'm doing something
> wrong? If for some reason this kind of per-user partitioning can't be done
> (meaning rgw needs 'caps osd = "allow rwx"') I'd like to know why, and see
> about changing that in a future release.
>
> Thanks,
>
> JN
>
> _______________________________________________
> ceph-users mailing list
> [email protected]
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
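A small checker, added here as an example (it is not from the thread or from Ceph itself), that parses a `caps osd` string in the syntax quoted above and reports, for the pools the message lists, which rights each pool would be missing and which rights leak to every pool. It assumes only the grant forms shown in the message plus the documented Ceph rule that `x` covers both class-read and class-write.

```python
import re

# Pools the message above lists for one gateway's user (copied from it).
RGW_POOLS = [".intent-log", ".log", ".rgw", ".rgw.buckets", ".rgw.control", ".rgw.gc",
             ".usage", ".users", ".users.email", ".users.swift", ".users.uid"]

# The posted 'caps osd' string, rebuilt from the message (same grants, same order).
POSTED_CAPS = "allow class-read, " + ", ".join("allow pool %s rwx" % p for p in RGW_POOLS)

# One grant is "allow [pool <name>] <perms>"; perms is a letter group (rwx)
# or words such as class-read. Grants are separated by commas or semicolons.
GRANT_RE = re.compile(r"^allow(?:\s+pool\s+(?P<pool>\S+))?\s+(?P<perms>.+)$")


def expand(token):
    # Per the Ceph docs, 'x' is the right to call object-class methods, so it
    # implies both class-read and class-write; the two words may also be named.
    if token in ("class-read", "class-write"):
        return {token}
    if not token or set(token) - set("rwx"):
        raise ValueError("unknown permission token: %r" % token)
    rights = set(token)
    return rights | ({"class-read", "class-write"} if "x" in rights else set())


def parse_osd_caps(caps):
    """Return [(pool_or_None, rights)]; a pool of None means an unscoped grant."""
    grants = []
    for clause in re.split(r"\s*[,;]\s*", caps.strip()):
        m = GRANT_RE.match(clause)
        if not m:
            raise ValueError("cannot parse grant: %r" % clause)
        rights = set().union(*(expand(t) for t in m.group("perms").split()))
        grants.append((m.group("pool"), rights))
    return grants


def rights_on(grants, pool):
    """Rights on one pool: grants scoped to it plus every unscoped grant."""
    return set().union(*(r for scope, r in grants if scope in (None, pool)))


def missing_rights(grants, pools, needed="rwx"):
    """Pools in `pools` that lack some right in `needed`, with what is missing."""
    want = expand(needed)
    return {p: sorted(want - rights_on(grants, p))
            for p in pools if not want <= rights_on(grants, p)}


def unscoped_rights(grants):
    """Rights that apply to every pool, i.e. what defeats per-user partitioning."""
    return set().union(*(r for scope, r in grants if scope is None))
```

Running it on the posted string shows every listed pool already has rwx and only class-read is unscoped, so the checker confirms the caps are scoped as intended; it says nothing about which additional rights radosgw needs, only where a given string is wider or narrower than the pool list.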
