Reference: http://linux.die.net/man/8/ceph-authtool

The subsystem is the name of a Ceph subsystem: *mon*, *mds*, or *osd*.

The capability is a string describing what the given user is allowed to do. This takes the form of a comma separated list of allow clauses with a permission specifier containing one or more of rwx for read, write, and execute permission. The *allow \** grants full superuser permissions for the given subsystem.

For example:

   # can read, write, and execute objects
   osd = "allow rwx"

   # can access mds server
   mds = "allow"

   # can modify cluster state (i.e., is a server daemon)
   mon = "allow rwx"

A librados user restricted to a single pool might look like:

   mon = "allow r"

   osd = "allow rw pool foo"

A client using rbd with read access to one pool and read/write access to another:

   mon = "allow r"

   osd = "allow class-read object_prefix rbd_children, allow pool templates r class-read, allow pool vms rwx"

A client mounting the file system with minimal permissions would need caps like:

   mds = "allow"

   osd = "allow rw pool data"

   mon = "allow r"


--tuantaba
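
An added example, not part of the original message or of Ceph's own code: a simplified Python check that parses OSD capability strings in the forms quoted above and reports which pools a key can write to, so keys with no pool restriction stand out in an audit. The entity names in SAMPLE are constructed, and the parser is an assumption that covers only the clause forms shown in this thread.

```python
import re

# Permission tokens that appear in the caps quoted in this thread.
PERM = re.compile(r"^(\*|[rwx]+|class-read|class-write)$")

def parse_osd_cap(cap):
    """Split an OSD cap string into clauses of pool, object_prefix and perms."""
    clauses = []
    for raw in cap.split(","):
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] != "allow":
            raise ValueError(f"clause does not start with 'allow': {raw!r}")
        clause = {"pool": None, "object_prefix": None, "perms": set()}
        rest = iter(tokens[1:])
        for tok in rest:
            if tok.startswith("pool="):      # allow rwx pool=instances
                clause["pool"] = tok[len("pool="):]
            elif tok == "pool":              # allow rw pool foo
                clause["pool"] = next(rest, None)
            elif tok == "object_prefix":     # allow class-read object_prefix rbd_children
                clause["object_prefix"] = next(rest, None)
            elif PERM.match(tok):
                clause["perms"].add(tok)
            else:
                raise ValueError(f"unrecognised token {tok!r} in {raw!r}")
        clauses.append(clause)
    return clauses

def writable_pools(cap):
    """Pools the cap can write to; '*' stands for a clause with no pool restriction."""
    pools = set()
    for c in parse_osd_cap(cap):
        # Only '*' or an rwx-style token containing 'w' counts as write here;
        # class-write is deliberately not counted in this simplified check.
        if any(p == "*" or (set(p) <= set("rwx") and "w" in p) for p in c["perms"]):
            pools.add(c["pool"] or "*")
    return pools

def overbroad(entities):
    """Entity names whose OSD cap allows writes outside a named pool."""
    return sorted(n for n, cap in entities.items() if "*" in writable_pools(cap))

SAMPLE = {  # constructed entity names; cap strings are the ones quoted above
    "client.instances": "allow rwx pool=instances",
    "client.librados": "allow rw pool foo",
    "client.rbd": "allow class-read object_prefix rbd_children, "
                  "allow pool templates r class-read, allow pool vms rwx",
    "client.broad": "allow rwx",
}
```
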


On 07/16/2013 08:34 PM, Ta Ba Tuan wrote:
Hi Markus,

Limit access to a specified pool through key authentication:
For example, I have a pool named 'instances' and set permissions like:

#ceph auth get-or-create client.instances mon 'allow r' osd 'allow rwx pool=instances'


--tuantaba
TA BA TUAN



On 07/16/2013 08:04 PM, Markus Goldberg wrote:
Hi,
I created a few pools with
'ceph osd pool create <poolname> 100 100'
and set a relation to corresponding directories with
 'cephfs /mnt/myceph/<dirname> set_layout -p <poolname>'.

I can list the pools with 'ceph osd pools'

I can mount the dirs/subdirs at the client with
'mount -t ceph xxx.xxx.xxx.xxx:6789:/dir1/dir2 /mnt/myceph -v -o name=admin,secretfile=/etc/ceph/admin.secret'
(admin.secret is the key for the data-rootdir (/) )

How can I give specific clients read/write access to only a subset of the pools?



_______________________________________________
ceph-users mailing list
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
