On Jun 12, 2013, at 8:15 PM, Yehuda Sadeh <[email protected]> wrote:

> On Wed, Jun 12, 2013 at 2:43 PM, John Nielsen <[email protected]> wrote:
>> On Jun 12, 2013, at 2:51 PM, Yehuda Sadeh <[email protected]> wrote:
>> 
>>> On Wed, Jun 12, 2013 at 1:48 PM, John Nielsen <[email protected]> wrote:
>>>> On Jun 12, 2013, at 2:02 PM, Yehuda Sadeh <[email protected]> wrote:
>>>> 
>>>>> On Wed, Jun 12, 2013 at 12:59 PM, John Nielsen <[email protected]> wrote:
>>>>>> After updating to Cuttlefish I was able to set up two rados gateways 
>>>>>> using distinct pools and users. (Thanks Yehuda!) Now I'd like to make it 
>>>>>> so the user for each gateway can only access its own pools and nothing 
>>>>>> else. The reasons include security and preventing foot-shooting.
>>>>>> 
>>>>>> Instead of simply having this:  caps osd = "allow rwx"
>>>>>> 
>>>>>> I tried:
>>>>>> 
>>>>>>      caps osd = "allow class-read, allow pool .intent-log rwx, allow 
>>>>>> pool .log rwx, allow pool .rgw rwx, allow pool .rgw.buckets rwx, allow 
>>>>>> pool .rgw.control rwx, allow pool .rgw.gc rwx, allow pool .usage rwx, 
>>>>>> allow pool .users rwx, allow pool .users.email rwx, allow pool 
>>>>>> .users.swift rwx, allow pool .users.uid rwx"
>>>>> 
>>>>> You'll need more than just class-read.
>>>> 
>>>> Can you be more specific?
>>> 
>>> Try adding class-write.
>> 
>> 
>> With:
>>        caps osd = "allow x, allow pool .pubintent-log rwx, allow pool 
>> .publog rwx, allow pool .pubrgw rwx, allow pool .pubrgw.buckets rwx, allow 
>> pool .pubrgw.control rwx, allow pool .pubrgw.gc rwx, allow pool .pubusage 
>> rwx, allow pool .pubusers rwx, allow pool .pubusers.email rwx, allow pool 
>> .pubusers.swift rwx, allow pool .pubusers.uid rwx"
>> 
> 
> Instead of adding 'class-write', you removed 'class-read'. You
> probably need both.

Is "x" not the same as "class-write class-read"? In any case, I see the same 
behavior with "class-write class-read".

>> I get the same result:
>> 
>> 2013-06-12 13:47:21.711904 7f9f53244820  0 ceph version 0.61.3 
>> (92b1e398576d55df8e5888dd1a9545ed3fd99532), process radosgw, pid 6173
>> 2013-06-12 13:47:21.727924 7f9f53244820 20 get_obj_state: rctx=0x2b72690 
>> obj=.pubrgw:zone_info state=0x2b763d8 s->prefetch_data=0
>> 2013-06-12 13:47:21.727945 7f9f53244820 10 cache get: name=.pubrgw+zone_info 
>> : miss
>> 2013-06-12 13:47:21.731676 7f9f37fff700  2 garbage collection: start
>> 2013-06-12 13:47:21.734877 7f9f37fff700  0 ERROR: garbage collection 
>> process() returned error r=-1
>> 2013-06-12 13:47:21.734888 7f9f37fff700  2 garbage collection: stop
>> 2013-06-12 13:47:21.736052 7f9f53244820 -1 Couldn't init storage provider 
>> (RADOS)
>> 
> 

_______________________________________________
ceph-users mailing list
[email protected]
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
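The thread is about restricting a radosgw user's OSD caps to its own pools while still granting the class-read and class-write perms Yehuda says the gateway needs. The following script is an added example, not code from the thread or from Ceph: it parses a cap string using only the syntax visible in the messages above (`allow <perms>` and `allow pool <name> <perms>`, with `rwx` run together or `class-read`/`class-write` as words), reports which of the gateway's pools lack the required perms, and builds the restricted string with both class perms present. The required set (rwx on each pool plus class-read and class-write) is taken from the advice in the thread, and perms are checked literally: whether `x` stands for `class-read class-write` is the open question in John's last reply and is deliberately not assumed.

```python
"""Added example: parse and check a cephx OSD cap string for a radosgw user.

Not code from the thread or from Ceph. It models the cap syntax as written in
the messages above:
    allow <perms>                    (applies to every pool)
    allow pool <name> <perms>        (applies to one pool)
where a perm token is r, w, x, class-read or class-write, and r/w/x may be run
together as in "rwx". Perms are treated literally: whether "x" implies
class-read and class-write is the open question in the thread, so it is not
assumed here.
"""

PERM_WORDS = {"class-read", "class-write"}
PERM_LETTERS = set("rwx")

# Pools used by one radosgw instance, as listed in the thread; the second
# gateway prefixes them with ".pub" instead of ".".
RGW_POOL_SUFFIXES = [
    "intent-log", "log", "rgw", "rgw.buckets", "rgw.control", "rgw.gc",
    "usage", "users", "users.email", "users.swift", "users.uid",
]

# Required on every rgw pool, following the advice in the thread (assumption):
# rwx on the pool plus class-read and class-write, granted globally or per pool.
RGW_REQUIRED = {"r", "w", "x", "class-read", "class-write"}


def parse_osd_caps(caps):
    """Split an OSD cap string into grants: a list of (pool_or_None, perms)."""
    grants = []
    for clause in caps.split(","):
        tokens = clause.split()
        if len(tokens) < 2 or tokens[0] != "allow":
            raise ValueError("bad grant: %r" % clause)
        tokens = tokens[1:]
        pool = None
        if "pool" in tokens:
            i = tokens.index("pool")
            if i + 1 >= len(tokens):
                raise ValueError("'pool' without a name: %r" % clause)
            pool = tokens[i + 1]
            del tokens[i:i + 2]
        perms = set()
        for tok in tokens:
            if tok in PERM_WORDS:
                perms.add(tok)
            elif tok and set(tok) <= PERM_LETTERS:
                perms.update(tok)  # "rwx" -> {"r", "w", "x"}
            else:
                raise ValueError("unknown perm %r in %r" % (tok, clause))
        grants.append((pool, perms))
    return grants


def effective_perms(grants, pool):
    """Perms held on `pool`: global grants plus grants that name that pool."""
    perms = set()
    for granted_pool, granted in grants:
        if granted_pool is None or granted_pool == pool:
            perms |= granted
    return perms


def check_rgw_caps(caps, prefix):
    """Return {pool: sorted missing perms} for the rgw pools under `prefix`.

    An empty dict means every rgw pool has the required set. Pools outside
    the gateway are not inspected; use has_global_rwx() to confirm the string
    grants no data access beyond the listed pools.
    """
    grants = parse_osd_caps(caps)
    missing = {}
    for suffix in RGW_POOL_SUFFIXES:
        pool = prefix + suffix
        lacking = RGW_REQUIRED - effective_perms(grants, pool)
        if lacking:
            missing[pool] = sorted(lacking)
    return missing


def has_global_rwx(caps):
    """True if a grant with no pool clause gives r, w or x on every pool,
    i.e. the blanket 'allow rwx' the thread is trying to move away from."""
    return any(pool is None and perms & PERM_LETTERS
               for pool, perms in parse_osd_caps(caps))


def rgw_osd_caps(prefix):
    """Build the restricted cap string the thread is aiming for: class-read
    and class-write globally, rwx only on the gateway's own pools."""
    grants = ["allow class-read class-write"]
    grants += ["allow pool %s%s rwx" % (prefix, s) for s in RGW_POOL_SUFFIXES]
    return ", ".join(grants)


if __name__ == "__main__":
    # The two cap strings from the thread, unwrapped (constructed from the messages).
    first = "allow class-read, " + ", ".join(
        "allow pool .%s rwx" % s for s in RGW_POOL_SUFFIXES)
    second = "allow x, " + ", ".join(
        "allow pool .pub%s rwx" % s for s in RGW_POOL_SUFFIXES)
    print(check_rgw_caps(first, "."))       # every pool lacks class-write
    print(check_rgw_caps(second, ".pub"))   # every pool lacks class-read, class-write
    print(check_rgw_caps(rgw_osd_caps(".pub"), ".pub"))  # {} (nothing missing)
    print(has_global_rwx("allow rwx"))      # True
    print(rgw_osd_caps(".pub"))
```

Run against the two strings in the thread, the checker reproduces Yehuda's two comments: the first string lacks class-write on every pool, and the second (where `allow x` replaced `allow class-read`) lacks both class perms. It cannot say anything about John's third attempt with both class perms present, which the thread leaves unresolved; it only confirms the literal grants.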
