On Thu, Jun 13, 2013 at 3:01 PM, John Nielsen <[email protected]> wrote:
> On Jun 12, 2013, at 8:15 PM, Yehuda Sadeh <[email protected]> wrote:
>
>> On Wed, Jun 12, 2013 at 2:43 PM, John Nielsen <[email protected]> wrote:
>>> On Jun 12, 2013, at 2:51 PM, Yehuda Sadeh <[email protected]> wrote:
>>>
>>>> On Wed, Jun 12, 2013 at 1:48 PM, John Nielsen <[email protected]> wrote:
>>>>> On Jun 12, 2013, at 2:02 PM, Yehuda Sadeh <[email protected]> wrote:
>>>>>
>>>>>> On Wed, Jun 12, 2013 at 12:59 PM, John Nielsen <[email protected]> wrote:
>>>>>>> After updating to Cuttlefish I was able to set up two rados gateways
>>>>>>> using distinct pools and users. (Thanks Yehuda!) Now I'd like to make
>>>>>>> it so the user for each gateway can only access its own pools and
>>>>>>> nothing else. The reasons include security and preventing foot-shooting.
>>>>>>>
>>>>>>> Instead of simply having this: caps osd = "allow rwx"
>>>>>>>
>>>>>>> I tried:
>>>>>>>
>>>>>>> caps osd = "allow class-read, allow pool .intent-log rwx, allow
>>>>>>> pool .log rwx, allow pool .rgw rwx, allow pool .rgw.buckets rwx, allow
>>>>>>> pool .rgw.control rwx, allow pool .rgw.gc rwx, allow pool .usage rwx,
>>>>>>> allow pool .users rwx, allow pool .users.email rwx, allow pool
>>>>>>> .users.swift rwx, allow pool .users.uid rwx"
>>>>>>
>>>>>> You'll need more than just class-read.
>>>>>
>>>>> Can you be more specific?
>>>>
>>>> Try adding class-write.
>>>
>>> With:
>>> caps osd = "allow x, allow pool .pubintent-log rwx, allow pool
>>> .publog rwx, allow pool .pubrgw rwx, allow pool .pubrgw.buckets rwx, allow
>>> pool .pubrgw.control rwx, allow pool .pubrgw.gc rwx, allow pool .pubusage
>>> rwx, allow pool .pubusers rwx, allow pool .pubusers.email rwx, allow pool
>>> .pubusers.swift rwx, allow pool .pubusers.uid rwx"
>>>
>> Instead of adding 'class-write', you removed 'class-read'. You
>> probably need both.
>
> Is "x" not the same as "class-write class-read"? In any case, I see the same
> behavior with "class-write class-read".
>
>>> I get the same result:
>>>
>>> 2013-06-12 13:47:21.711904 7f9f53244820 0 ceph version 0.61.3 (92b1e398576d55df8e5888dd1a9545ed3fd99532), process radosgw, pid 6173
>>> 2013-06-12 13:47:21.727924 7f9f53244820 20 get_obj_state: rctx=0x2b72690 obj=.pubrgw:zone_info state=0x2b763d8 s->prefetch_data=0
>>> 2013-06-12 13:47:21.727945 7f9f53244820 10 cache get: name=.pubrgw+zone_info : miss
>>> 2013-06-12 13:47:21.731676 7f9f37fff700 2 garbage collection: start
>>> 2013-06-12 13:47:21.734877 7f9f37fff700 0 ERROR: garbage collection process() returned error r=-1

Try setting 'debug ms = 1', and see what operation fails. You may want to
correlate that to an osd log.

Yehuda
_______________________________________________
ceph-users mailing list
[email protected]
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
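The thread turns on two things about a per-gateway OSD cap string: that every data grant is scoped to that gateway's own pools, and that the class-read and class-write grants are both present (Yehuda's advice). The script below checks a cap string for both. It is an added example for this thread, not code from Ceph or from either poster; it understands only the `allow <perms>` / `allow pool <name> <perms>` comma-separated syntax quoted above (Ceph's real cap grammar is wider), and the pool list is the one from John's first attempt.

```python
"""Sanity-check a cephx OSD cap string meant to confine one radosgw key to
its own pools.

Added example for this thread; not code from Ceph or from either poster.
Recognises only the cap syntax quoted in the thread:
    allow <class-read|class-write|r|w|x ...>
    allow pool <name> <rwx letters>
separated by commas. This is not a substitute for the OSD's own parser.
"""

# Pool names a single Cuttlefish radosgw uses, as listed in John's first
# attempt; a second gateway uses the same names under another prefix (.pub).
RGW_POOL_SUFFIXES = (
    "intent-log", "log", "rgw", "rgw.buckets", "rgw.control", "rgw.gc",
    "usage", "users", "users.email", "users.swift", "users.uid",
)

# John's first attempt, copied from the thread (pools under the "." prefix).
CAPS_ATTEMPT_1 = (
    "allow class-read, allow pool .intent-log rwx, allow pool .log rwx, "
    "allow pool .rgw rwx, allow pool .rgw.buckets rwx, allow pool .rgw.control rwx, "
    "allow pool .rgw.gc rwx, allow pool .usage rwx, allow pool .users rwx, "
    "allow pool .users.email rwx, allow pool .users.swift rwx, allow pool .users.uid rwx"
)


def build_osd_caps(prefix):
    """Build the cap string for one gateway: class-read and class-write
    (both, per Yehuda's advice) plus rwx on that gateway's pools only."""
    grants = ["allow class-read", "allow class-write"]
    grants += ["allow pool %s%s rwx" % (prefix, s) for s in RGW_POOL_SUFFIXES]
    return ", ".join(grants)


def parse_osd_caps(caps):
    """Split a cap string into (global_perms, pool_perms).

    global_perms: set of 'class-read', 'class-write', 'r', 'w', 'x' granted
                  without a pool restriction.
    pool_perms:   dict pool name -> set of r/w/x letters.
    Raises ValueError on anything outside the syntax quoted in the thread.
    """
    global_perms, pool_perms = set(), {}
    for clause in caps.split(","):
        words = clause.split()
        if not words:
            continue
        if words[0] != "allow" or len(words) < 2:
            raise ValueError("unrecognised clause: %r" % clause.strip())
        if words[1] == "pool":
            if len(words) != 4 or not set(words[3]) <= set("rwx"):
                raise ValueError("bad pool clause: %r" % clause.strip())
            pool_perms.setdefault(words[2], set()).update(words[3])
        else:
            for tok in words[1:]:
                if tok in ("class-read", "class-write"):
                    global_perms.add(tok)
                elif set(tok) <= set("rwx"):
                    global_perms.update(tok)
                else:
                    raise ValueError("unknown permission %r in %r" % (tok, clause.strip()))
    return global_perms, pool_perms


def audit_rgw_caps(caps, prefix):
    """Return a list of findings; an empty list means the cap string grants
    data access only on the pools under `prefix` and carries both class grants."""
    findings = []
    global_perms, pool_perms = parse_osd_caps(caps)

    # r/w/x granted with no pool clause applies to every pool in the cluster.
    unscoped = global_perms & set("rwx")
    if unscoped:
        findings.append("permission(s) %r granted on every pool rather than "
                        "only on this gateway's pools" % "".join(sorted(unscoped)))
    for cls in ("class-read", "class-write"):
        if cls not in global_perms:
            findings.append("missing '%s' (the thread says both class grants are needed)" % cls)

    expected = {prefix + s for s in RGW_POOL_SUFFIXES}
    for pool in sorted(set(pool_perms) - expected):
        findings.append("grant on pool %s, outside this gateway's prefix %r" % (pool, prefix))
    for pool in sorted(expected - set(pool_perms)):
        findings.append("no grant on this gateway's pool %s" % pool)
    return findings


if __name__ == "__main__":
    for label, caps, prefix in (
        ("wide-open", "allow rwx", "."),
        ("attempt 1", CAPS_ATTEMPT_1, "."),
        ("generated", build_osd_caps(".pub"), ".pub"),
    ):
        print("%s: %s" % (label, audit_rgw_caps(caps, prefix) or "ok"))
```

Run against the thread's own strings, `allow rwx` is flagged as unscoped and missing every per-pool grant, John's first attempt is flagged only for the missing class-write, and the generated `.pub` string passes. The checker says nothing about whether the gateway then works; for that the thread's next step (`debug ms = 1` and the OSD log) still applies.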
