On 22/04/2014 08:56, Gregory Farnum wrote:
> On Monday, April 21, 2014, Loic Dachary <[email protected] <mailto:[email protected]>> wrote:
>
>     Hi,
>
>     I would like to allow users to create, use and delete RBD volumes, up to X
>     GB, from a single pool. The user is a Debian GNU/Linux box using krbd. The
>     sysadmin of the box is not trusted to have unlimited access to the Ceph
>     cluster but (s)he is not malicious either. Permissions and quota are
>     safeguards to prevent mistake.
>
>     While it seems possible to grant access to a single pool to a given cephx
>     client with
>
>     ceph-authtool -n client.foo --cap osd 'allow rwx pool=customer-pool'
>
>     and the cap parser suggests even more flexibility
>
>     https://github.com/ceph/ceph/blob/master/src/mon/MonCap.cc#L329
>
>     the documentation states that it should not be done
>
>     http://ceph.com/docs/master/rados/operations/auth-intro/#cephx-limitations
>
>     Suggestions about how to approach this use case are most welcome :-)
>
>     Cheers
>
>     --
>     Loïc Dachary, Artisan Logiciel Libre
>
>
> That looks fine to me. The documentation is just pointing out that cephx keys
> are per-host, not per-user.
> -Greg
>
Cool :-)

Here is how it could go then

# use import because ceph auth get-or-create does not allow for --set-uid
* ceph-authtool /tmp/keyring --create-keyring --name client.me --gen-key --set-uid 123 --cap osd 'allow rwx pool=foobar'
* ceph auth import -i /tmp/keyring
# creating the pool via client.me will implicitly set auid https://github.com/ceph/ceph/blob/dumpling/src/mon/OSDMonitor.cc#L2551
* ceph --name client.me osd pool create foobar 12
# record the desired quota but it is not enforced
* ceph osd pool set-quota foobar max_bytes 1T

On a daily basis a cron job uses ceph df to act on the quotas.

--
Loïc Dachary, Artisan Logiciel Libre
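The daily cron check the message ends with, as an added example that is not from the thread: a Python script that reads `ceph df --format json`, compares each pool's `bytes_used` with the quota recorded by `set-quota`, and reports pools that have reached it. The JSON field names (`pools`, `stats.bytes_used`, `quota_max_bytes`) and the sample output are assumptions to verify against the running Ceph version.

```python
"""Daily quota check driven by `ceph df --format json` (added example)."""
import json
import subprocess

# Assumed: the max_bytes quota is recorded but not enforced, so this script is
# what turns it into an action. JSON field names are assumptions to verify.
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}

def parse_size(text):
    """Turn '1T', '500G' or '4096' into a byte count (1024-based, like ceph)."""
    text = text.strip().upper()
    unit = text[-1] if text[-1] in UNITS else ""
    number = text[:-1] if unit else text
    return int(float(number) * UNITS[unit])

def pool_usage(df_json):
    """Map pool name -> bytes_used from `ceph df -f json` output."""
    return {p["name"]: p["stats"]["bytes_used"] for p in df_json["pools"]}

def pools_over_quota(df_json, quotas):
    """Return [(pool, used, quota)] for pools at or above their quota.
    `quotas` maps pool name -> quota_max_bytes; 0 means no quota set."""
    over = []
    for pool, used in sorted(pool_usage(df_json).items()):
        limit = quotas.get(pool, 0)
        if limit and used >= limit:
            over.append((pool, used, limit))
    return over

def run_check():
    """Cron entry point: ask the cluster for usage and per-pool quotas."""
    df = json.loads(subprocess.check_output(["ceph", "df", "--format", "json"]))
    quotas = {}
    for pool in df["pools"]:
        out = subprocess.check_output(
            ["ceph", "osd", "pool", "get-quota", pool["name"], "--format", "json"])
        quotas[pool["name"]] = json.loads(out)["quota_max_bytes"]
    return pools_over_quota(df, quotas)

# Constructed sample output so the logic runs without a cluster: foobar has
# outgrown the 1T quota from the thread, rbd has no quota at all.
SAMPLE_DF = json.loads('{"pools": ['
    '{"name": "foobar", "id": 3, "stats": {"bytes_used": 1200000000000}},'
    '{"name": "rbd", "id": 0, "stats": {"bytes_used": 4096}}]}')
SAMPLE_QUOTAS = {"foobar": parse_size("1T"), "rbd": 0}

if __name__ == "__main__":
    for name, used, limit in pools_over_quota(SAMPLE_DF, SAMPLE_QUOTAS):
        print("%s: %d bytes used, quota %d -- over quota" % (name, used, limit))
```

Run from cron with `run_check()` in place of the sample data; what to do with an offending pool (alert, or revoke the client's `rwx` cap on it) is the operator's choice.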
_______________________________________________
ceph-users mailing list
[email protected]
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
