I don't work with the gateway but in general that should work.

That said, the RGW also sees all your client data going in so I'm not sure
how much you buy by locking it down. If you're just trying to protect
against accidents with the pools, you might give it write access on the
monitor; any failures due to capability mismatches there would likely be
pretty annoying to debug!
-Greg

On Wed, May 31, 2017 at 12:21 AM Diedrich Ehlerding <
[email protected]> wrote:

> Hello.
>
> The documentation which I found proposes to create the ceph client
> for a rados gateway with very global capabilities, namely
> "mon allow rwx, osd allow rwx".
>
> Are there any reasons for these very global capabilities (allowing
> this client to access and modify (even remove) all pools, all rbds,
> etc., even those in use by other ceph clients)? I tried to restrict
> the rights, and my rados gateway seems to work with
> capabilities "mon allow r, osd allow rwx pool=.rgw.root, allow rwx
> pool=a.root, allow rwx pool=am.rgw.control [etc. for all the pools
> which this gateway uses]"
>
> Are there any reasons not to restrict the capabilities in this way?
>
> Thank you.
> --
> Diedrich Ehlerding, Fujitsu Technology Solutions GmbH,
> MIS ITST CE PS&IS WST, Hildesheimer Str 25, D-30880 Laatzen
> Fon +49 511 8489-1806, Fax -251806, Mobil +49 173 2464758
> Firmenangaben: http://de.ts.fujitsu.com/imprint.html
>
> _______________________________________________
> ceph-users mailing list
> [email protected]
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
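
An added example, not part of the original thread and not Ceph project code: a small audit that compares an osd caps string with the pools a gateway must reach, reporting unscoped grants (the global case from the documentation) and pools the restricted caps would miss (the capability mismatch Greg mentions). It assumes only the simple "allow <perms> [pool=<name>]" grant form quoted in the post and that grants for the same pool add up; "example.rgw.meta" is a constructed pool name.

```python
import re

# Simple grant form used in the thread: "allow <perms> [pool=<name>]".
GRANT_RE = re.compile(r"^allow\s+(?P<perms>[rwx]+)(?:\s+pool=(?P<pool>\S+))?$")


def parse_osd_caps(caps):
    """Return a list of (perms, pool) pairs; pool is None for an unscoped grant."""
    grants = []
    for part in (p.strip() for p in caps.split(",")):
        if not part:
            continue
        match = GRANT_RE.match(part)
        if match is None:
            raise ValueError(f"grant form not handled by this example: {part!r}")
        grants.append((set(match.group("perms")), match.group("pool")))
    return grants


def audit_osd_caps(caps, required_pools, needed="rwx"):
    """Compare an osd caps string with the pools the gateway must reach."""
    grants = parse_osd_caps(caps)
    needed = set(needed)
    unscoped = [perms for perms, pool in grants if pool is None]
    covers_all = any(needed <= perms for perms in unscoped)
    scoped = {}  # assumption: grants naming the same pool add up
    for perms, pool in grants:
        if pool is not None:
            scoped.setdefault(pool, set()).update(perms)
    missing = sorted(p for p in required_pools
                     if not covers_all and not needed <= scoped.get(p, set()))
    return {
        "unscoped": sorted("".join(sorted(p)) for p in unscoped),
        "missing": missing,
        "extra": sorted(set(scoped) - set(required_pools)),
    }


# Pool names quoted in the post, plus one constructed name to show a gap.
REQUIRED = [".rgw.root", "a.root", "am.rgw.control", "example.rgw.meta"]
GLOBAL_CAPS = "allow rwx"
RESTRICTED_CAPS = ("allow rwx pool=.rgw.root, allow rwx pool=a.root, "
                   "allow rwx pool=am.rgw.control")

if __name__ == "__main__":
    for label, caps in (("global", GLOBAL_CAPS), ("restricted", RESTRICTED_CAPS)):
        print(label, audit_osd_caps(caps, REQUIRED))
```

A non-empty "unscoped" list means the key can touch every pool in the cluster; a non-empty "missing" list names pools where the gateway would hit permission errors.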