On Wed, May 31, 2017 at 11:20 PM Diedrich Ehlerding <
[email protected]> wrote:

> Thank you for your response. Yes, as I wrote, the gateway seems to
> work with these settings.
>
> The reason why I am considering the capabilities is: I am trying to
> attach an Openstack environment and a gateway to the same cluster,
> and I would like to prevent the Openstack admin from accessing the S3
> gateway data and vice versa to prevent the gateway admin from accessing
> the Openstack data. I just wonder if there is a reason why the
> documentation suggests these very global capabilities
>

You've probably noticed the RGW will create pools if it needs them and they
don't exist. That's why it "needs" the extra monitor capabilities. The OSD
capabilities are because 1) I don't think you could make them as
fine-grained when that documentation was written, 2) laziness about
specifying pools. :)

So, you should be good to go!


>
> Gregory Farnum wrote on Wed, 31 May 2017 20:07:16 +0000
>
> >
> > I don't work with the gateway but in general that should work.
> >
> > That said, the RGW also sees all your client data going in so I'm not
> > sure how much you buy by locking it down. If you're just trying to
> > protect against accidents with the pools, you might give it write access
> > on the monitor; any failures due to capability mismatches there would
> > likely be pretty annoying to debug!
> > -Greg
> >
> >
> > On Wed, May 31, 2017 at 12:21 AM Diedrich Ehlerding
> > <[email protected]> wrote:
> >     Hello.
> >
> >     The documentation which I found proposes to create the ceph client
> >     for a rados gateway with very global capabilities, namely
> >     "mon allow rwx, osd allow rwx".
> >
> >     Are there any reasons for these very global capabilities (allowing
> >     this client to access and modify (even remove) all pools, all rbds,
> >     etc., even those in use by other ceph clients)? I tried to
> >     restrict
> >     the rights, and my rados gateway seems to work with
> >     capabilities "mon allow r, osd allow rwx pool=.rgw.root, allow rwx
> >     pool=a.root, allow rwx pool=am.rgw.control [etc. for all the pools
> >     which this gateway uses]"
> >
> >     Are there any reasons not to restrict the capabilities in this way?
> --
> Diedrich Ehlerding, Fujitsu Technology Solutions GmbH,
> MIS ITST CE PS&IS WST, Hildesheimer Str 25, D-30880 Laatzen
> Fon +49 511 8489-1806, Fax -251806, Mobil +49 173 2464758
> Firmenangaben: http://de.ts.fujitsu.com/imprint.html
>
>
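The thread is about giving each Ceph client only pool-scoped OSD caps so that the RGW key cannot touch the OpenStack pools and vice versa. As an added example (not code from this thread or from the Ceph project), here is a small audit script that reads output in the layout `ceph auth list` prints and reports every OSD grant that is not restricted to a pool or namespace, i.e. every key that could still reach data belonging to another tenant. The sample text and the key values are constructed placeholders; the check recognises only `pool=` and `namespace=` as scoping, so an `allow *` or a bare `allow rwx` is reported.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout `ceph auth list` prints: an entity line,
# then indented "key:" and "caps:" lines. The keys are placeholders.
SAMPLE_AUTH_LIST = """\
client.rgw.broad
        key: PLACEHOLDER_KEY_1
        caps: [mon] allow rwx
        caps: [osd] allow rwx
client.rgw.scoped
        key: PLACEHOLDER_KEY_2
        caps: [mon] allow r
        caps: [osd] allow rwx pool=.rgw.root, allow rwx pool=a.root, allow rwx pool=am.rgw.control
client.openstack
        key: PLACEHOLDER_KEY_3
        caps: [mon] allow r
        caps: [osd] allow rwx pool=volumes, allow *
"""

# An entity line starts at column 0; key/caps lines are indented.
ENTITY_RE = re.compile(r"^(\S+)\s*$")
CAP_RE = re.compile(r"^\s+caps:\s+\[(\w+)\]\s+(.*)$")


def parse_auth_list(text: str) -> Dict[str, Dict[str, str]]:
    """Map each entity name to its {service: cap string} dictionary."""
    entities: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = ENTITY_RE.match(line)
        if m:
            current = m.group(1)
            entities[current] = {}
            continue
        m = CAP_RE.match(line)
        if m and current is not None:
            entities[current][m.group(1)] = m.group(2).strip()
    return entities


def grant_is_scoped(grant: str) -> bool:
    """True if a single OSD grant is limited to a pool or a namespace."""
    return bool(re.search(r"\b(pool|namespace)=", grant))


def find_unscoped_osd_grants(text: str) -> List[Tuple[str, str]]:
    """Return (entity, grant) for every OSD grant that applies to all pools.

    OSD caps are a comma-separated list of grants; a grant without a
    pool= or namespace= restriction (including "allow *") spans every
    pool in the cluster, which is exactly what per-tenant keys should avoid.
    """
    findings: List[Tuple[str, str]] = []
    for entity, caps in parse_auth_list(text).items():
        osd_caps = caps.get("osd")
        if not osd_caps:
            continue
        for grant in osd_caps.split(","):
            grant = grant.strip()
            if grant and not grant_is_scoped(grant):
                findings.append((entity, grant))
    return findings


if __name__ == "__main__":
    for entity, grant in find_unscoped_osd_grants(SAMPLE_AUTH_LIST):
        print(f"{entity}: OSD grant '{grant}' is not pool-scoped")
```

Run it against real output by piping `ceph auth list` into the script and calling `find_unscoped_osd_grants` on the text; any entity it reports can be tightened with `ceph auth caps`, using the per-pool grant list shown earlier in the thread.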
_______________________________________________
ceph-users mailing list
[email protected]
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
