On Wed, May 31, 2017 at 11:20 PM Diedrich Ehlerding <[email protected]> wrote:

> Thank you for your response. Yes, as I wrote, the gateway seems to
> work with these settings.
>
> The reason why I am considering the capabilities is: I am trying to
> attach an Openstack environment and a gateway to the same cluster,
> and I would like to prevent the Openstack admin from accessing the S3
> gateway data and, vice versa, to prevent the gateway admin from accessing
> the Openstack data. I just wonder if there is a reason why the
> documentation suggests these very global capabilities.

You've probably noticed the RGW will create pools if it needs them and they
don't exist. That's why it "needs" the extra monitor capabilities. The OSD
capabilities are because 1) I don't think you could make them as
fine-grained when that documentation was written, 2) laziness about
specifying pools. :)

So, you should be good to go!

> > Gregory Farnum wrote on Wed, 31 May 2017 20:07:16 +0000
> >
> > I don't work with the gateway but in general that should work.
> >
> > That said, the RGW also sees all your client data going in so I'm not
> > sure how much you buy by locking it down. If you're just trying to
> > protect against accidents with the pools, you might give it write access
> > on the monitor; any failures due to capability mismatches there would
> > likely be pretty annoying to debug!
> > -Greg
> >
> > On Wed, May 31, 2017 at 12:21 AM Diedrich Ehlerding
> > <[email protected]> wrote:
> > > Hello.
> > >
> > > The documentation which I found proposes to create the ceph client
> > > for a rados gateway with very global capabilities, namely
> > > "mon allow rwx, osd allow rwx".
> > >
> > > Are there any reasons for these very global capabilities (allowing
> > > this client to access and modify (even remove) all pools, all rbds,
> > > etc., even those in use by other ceph clients)? I tried to restrict
> > > the rights, and my rados gateway seems to work with
> > > capabilities "mon allow r, osd allow rwx pool=.rgw.root, allow rwx
> > > pool=a.root, allow rwx pool=am.rgw.control [etc. for all the pools
> > > which this gateway uses]"
> > >
> > > Are there any reasons not to restrict the capabilities in this way?
>
> --
> Diedrich Ehlerding, Fujitsu Technology Solutions GmbH,
> MIS ITST CE PS&IS WST, Hildesheimer Str 25, D-30880 Laatzen
> Fon +49 511 8489-1806, Fax -251806, Mobil +49 173 2464758
> Firmenangaben: http://de.ts.fujitsu.com/imprint.html

_______________________________________________
ceph-users mailing list
[email protected]
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
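An added example, not from the thread or from the Ceph project, showing how the per-pool caps discussed above can be generated for a gateway client and how a caps string, such as the one `ceph auth get` prints, can be audited for grants that reach beyond a single pool. The client name and the zone pool names are constructed; the caps grammar is the `allow <perms> [pool=<name>]` form quoted in the thread.

```python
"""Build and audit cephx capabilities for a RADOS Gateway client.

Added example, not from the thread. Pool and client names below are
constructed; the caps grammar mirrors the "allow rwx pool=..." strings
quoted in the thread.
"""
import re

# The global caps the documentation proposed, as quoted in the thread.
MON_CAPS_DOC = "allow rwx"
OSD_CAPS_DOC = "allow rwx"

# One "allow <perms>" grant with an optional "pool=<name>" restriction.
_GRANT = re.compile(r"allow\s+([rwx*]+)(?:\s+pool=([^\s,]+))?")


def rgw_caps(pools, mon_write=False):
    """Return (mon_caps, osd_caps) limiting OSD access to the given pools.

    mon_write=True grants "allow rw" on the monitor so the gateway can
    create missing pools itself (Greg's suggestion); the default is
    read-only, which requires the pools to exist beforehand.
    """
    if not pools:
        raise ValueError("at least one pool is required")
    mon = "allow rw" if mon_write else "allow r"
    osd = ", ".join(f"allow rwx pool={p}" for p in pools)
    return mon, osd


def broad_grants(mon_caps, osd_caps):
    """List grants that let the client reach pools of other tenants.

    A monitor grant with w, x or * permits pool creation/changes; an OSD
    grant without pool= applies to every pool in the cluster.
    """
    findings = []
    for perms, _ in _GRANT.findall(mon_caps):
        if any(c in perms for c in "wx*"):
            findings.append(f"mon: '{perms}' allows pool creation/changes")
    for perms, pool in _GRANT.findall(osd_caps):
        if not pool:
            findings.append(f"osd: '{perms}' is not limited to a pool")
    return findings


if __name__ == "__main__":
    # Constructed pool list for a zone named "a" (default RGW pool names).
    pools = [".rgw.root", "a.rgw.control", "a.rgw.meta", "a.rgw.log",
             "a.rgw.buckets.index", "a.rgw.buckets.data"]
    mon, osd = rgw_caps(pools)
    print(f"ceph auth get-or-create client.rgw.a mon '{mon}' osd '{osd}'")
    print("documented caps:", broad_grants(MON_CAPS_DOC, OSD_CAPS_DOC))
    print("narrowed caps:  ", broad_grants(mon, osd))
```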
