Hi,

For the record, I summarized the operations to implement this use case: http://dachary.org/?p=2930

Cheers

On 22/04/2014 09:51, Loic Dachary wrote:
>
>
> On 22/04/2014 08:56, Gregory Farnum wrote:
>> On Monday, April 21, 2014, Loic Dachary <[email protected]> wrote:
>>
>> Hi,
>>
>> I would like to allow users to create, use and delete RBD volumes, up to
>> X GB, from a single pool. The user is a Debian GNU/Linux box using krbd. The
>> sysadmin of the box is not trusted to have unlimited access to the Ceph
>> cluster but (s)he is not malicious either. Permissions and quota are
>> safeguards to prevent mistakes.
>>
>> While it seems possible to grant access to a single pool to a given
>> cephx client with
>>
>> ceph-authtool -n client.foo --cap osd 'allow rwx pool=customer-pool'
>>
>> and the cap parser suggests even more flexibility
>>
>> https://github.com/ceph/ceph/blob/master/src/mon/MonCap.cc#L329
>>
>> the documentation states that it should not be done
>>
>> http://ceph.com/docs/master/rados/operations/auth-intro/#cephx-limitations
>>
>> Suggestions about how to approach this use case are most welcome :-)
>>
>> Cheers
>> --
>> Loïc Dachary, Artisan Logiciel Libre
>>
>>
>> That looks fine to me. The documentation is just pointing out that cephx
>> keys are per-host, not per-user.
>> -Greg
>>
>
> Cool :-)
>
> Here is how it could go then
>
> # use import because ceph auth get-or-create does not allow for --set-uid
> * ceph-authtool /tmp/keyring --create-keyring --name client.me --gen-key
>   --set-uid 123 --cap osd 'allow rwx pool=foobar'
> * ceph auth import -i /tmp/keyring
> # creating the pool via client.me will implicitly set auid
> https://github.com/ceph/ceph/blob/dumpling/src/mon/OSDMonitor.cc#L2551
> * ceph --name client.me osd pool create foobar 12
> # record the desired quota but it is not enforced
> * ceph osd pool set-quota foobar max_bytes 1T
>
> On a daily basis a cron job uses ceph df to act on the quotas.
>
>
> _______________________________________________
> ceph-users mailing list
> [email protected]
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>

--
Loïc Dachary, Artisan Logiciel Libre
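
The daily quota check mentioned in the thread could look like the following. This is an added example, not part of the original messages and not Ceph's own code. It assumes that `ceph df --format json` reports per-pool usage as `pools[].stats.bytes_used`, that `1T` means 2**40 bytes, and that the cron job keeps its own quota table; `SAMPLE_DF`, `QUOTAS` and the function names are hypothetical.

```python
import json

# Constructed sample in the shape assumed for `ceph df --format json`
# (assumption: usage is under pools[].stats.bytes_used).
SAMPLE_DF = json.dumps({
    "pools": [
        {"name": "foobar", "id": 3,
         "stats": {"bytes_used": 1200 * 2**30, "objects": 310000}},
        {"name": "other", "id": 4,
         "stats": {"bytes_used": 10 * 2**30, "objects": 2500}},
    ]
})

# Hypothetical quota table kept by the cron job: pool name -> max bytes.
QUOTAS = {"foobar": 2**40}  # the 1T recorded in the thread, taken as 2**40


def parse_pool_usage(df_json):
    """Return {pool_name: bytes_used} from ceph df JSON text."""
    usage = {}
    for pool in json.loads(df_json).get("pools", []):
        stats = pool.get("stats", {})
        if "name" in pool and "bytes_used" in stats:
            usage[pool["name"]] = int(stats["bytes_used"])
    return usage


def check_quotas(usage, quotas, warn_ratio=0.8):
    """Classify each pool that has a quota as ok, warn, over or missing."""
    report = {}
    for name, limit in quotas.items():
        if name not in usage:
            report[name] = ("missing", None)  # pool deleted or renamed
            continue
        used = usage[name]
        if used > limit:
            state = "over"
        elif used >= warn_ratio * limit:
            state = "warn"
        else:
            state = "ok"
        report[name] = (state, used)
    return report


if __name__ == "__main__":
    # In the cron job, the JSON text would come from running:
    #   ceph df --format json
    report = check_quotas(parse_pool_usage(SAMPLE_DF), QUOTAS)
    for pool, (state, used) in sorted(report.items()):
        print(pool, state, used)
```

Pools without an entry in the quota table are ignored, and a pool that has a quota but no longer appears in the output is reported as `missing` rather than silently passing.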
