Hello,

I am trying to give a client access to an rbd on a fresh Luminous cluster.

http://docs.ceph.com/docs/luminous/rados/operations/user-management/

First of all, I'd like to know the exact syntax for auth caps.

The output of "ceph auth ls" gives this:

> osd.9
>       key: AQDjAsVZ+nI7NBAA14X9U5Xjunlk/9ovTht3Og==
>       caps: [mgr] allow profile osd
>       caps: [mon] allow profile osd
>       caps: [osd] allow *

but the documentation writes:

> osd 'profile {name} [pool={pool-name} [namespace={namespace-name}]]'

Is "allow" needed before "profile"? It's not clear.

If I create a user like this :

> # ceph --cluster container auth get-or-create client.container001 \
>       mon 'allow profile rbd' \
>       osd 'allow profile rbd pool=rbd namespace=container001' \
>       -o /etc/ceph/container.client.container001.keyring

Is this user able to create an rbd volume?

> # rbd --cluster container create --size 1024 rbd/container003 --id client.container001 --keyring /etc/ceph/container.client.container001.keyring
> 2017-09-26 09:54:10.158234 7fbda23270c0  0 librados: client.client.container001 authentication error (22) Invalid argument
> rbd: couldn't connect to the cluster!

In that case client.client.container001 does not exist; I tried without "client." but it failed as well, with another error.

> # rbd --cluster container create --size 1024 rbd/container003 --id container001 --keyring /etc/ceph/container.client.container001.keyring
> 2017-09-26 09:55:11.869745 7f10de6d30c0  0 librados: client.container001 authentication error (22) Invalid argument
> rbd: couldn't connect to the cluster!

It works if I create the rbd volume like this:

> # rbd --cluster container  create --size 1024 rbd/container003

Then I can get rbd volume information with the admin key, but not with the user key.

> # rbd --cluster container info rbd/container003  
> rbd image 'container003':
>       size 1024 MB in 256 objects
>       order 22 (4096 kB objects)
>       block_name_prefix: rbd_data.5f7c74b0dc51
>       format: 2
>       features: layering, exclusive-lock, object-map, fast-diff, deep-flatten
>       flags: 
>       create_timestamp: Tue Sep 26 09:54:50 2017

> # rbd --cluster container info rbd/container003 --keyring /etc/ceph/container.client.container001.keyring
> 2017-09-26 09:58:29.864348 7f2fe60780c0  0 librados: client.admin authentication error (22) Invalid argument
> rbd: couldn't connect to the cluster!

> # rbd --cluster container info rbd/container003 --keyring /etc/ceph/container.client.container001.keyring --id client.container001
> 2017-09-26 09:58:38.971827 7fcafa7aa0c0  0 librados: client.client.container001 authentication error (22) Invalid argument
> rbd: couldn't connect to the cluster!

> # rbd --cluster container info rbd/container003 --keyring /etc/ceph/container.client.container001.keyring --id container001
> 2017-09-26 09:58:45.515253 7fbb0208c0c0  0 librados: client.container001 authentication error (22) Invalid argument
> rbd: couldn't connect to the cluster!

I might have missed something somewhere, but I don't know where.

Does the "rbd profile" give the user the capability to create rbd volumes, or does it just give access to rbd volumes previously created by the admin?

In the case where we give access to those rbds inside the container, how can I be sure that users in each container do not have access to the other rbds? Is the namespace good for isolating each user?

I haven't used rbd a lot before and have never used client key capabilities, so it may be a bit confusing for me.

Thanks for your help

Best regards,

-- 
Yoann Moulin
EPFL IC-IT
_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
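The following is an added illustration for the two questions raised above (whether "allow" must precede "profile", and whether a namespace-scoped cap isolates one client's images from another's). It is not code from the original post, from Ceph, or from the documentation linked above: it is a small, constructed model of how an OSD cap string scopes a client to a pool and namespace, handling only the grant shapes that appear in this thread ("allow *", "allow profile <name> [pool=..] [namespace=..]", "allow <rwx> [pool=..] [namespace=..]"). The mapping of "profile rbd" to rwx and of "profile rbd-read-only" to r is an assumed simplification, and the model says nothing about whether a given rbd release can actually place images inside a RADOS namespace; it only shows what the OSD-side cap check would let through.

```python
"""Toy model of how Ceph OSD caps scope a client to a pool and namespace.

Constructed illustration for this thread, not Ceph's own cap parser.  It
handles only the three grant shapes visible in the thread:
    allow *
    allow profile <name> [pool=<pool>] [namespace=<ns>]
    allow <rwx> [pool=<pool>] [namespace=<ns>]
Comma-separated grants are OR-ed, as in a real cap string.  Mapping
"profile rbd" to rwx and "profile rbd-read-only" to r is an assumed
simplification of what those profiles expand to on the OSD side.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# A single grant.  The leading "allow" is mandatory here: "profile rbd ..."
# on its own does not parse, which is the syntax point raised in the thread.
GRANT_RE = re.compile(
    r"^allow\s+(?:(?P<star>\*)|profile\s+(?P<profile>[\w-]+)|(?P<perms>[rwx]+))"
    r"(?P<scope>(?:\s+(?:pool|namespace)=[\w.-]+)*)\s*$"
)

# Assumed expansion of the named profiles (simplified for the model).
PROFILE_PERMS = {
    "rbd": frozenset("rwx"),
    "rbd-read-only": frozenset("r"),
}


@dataclass(frozen=True)
class Grant:
    perms: FrozenSet[str]        # subset of {"r", "w", "x"}
    pool: Optional[str]          # None = any pool
    namespace: Optional[str]     # None = any namespace; "" = the default one

    def matches(self, pool: str, namespace: str, perm: str) -> bool:
        """True if this grant covers <perm> on <pool>/<namespace>."""
        return (
            perm in self.perms
            and self.pool in (None, pool)
            and self.namespace in (None, namespace)
        )


def parse_osd_caps(cap_string: str) -> List[Grant]:
    """Parse 'allow ..., allow ...' into Grants; ValueError on bad syntax."""
    grants = []
    for clause in cap_string.split(","):
        m = GRANT_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unparseable OSD cap clause: {clause.strip()!r}")
        # "pool=rbd namespace=container001" -> {"pool": "rbd", "namespace": ...}
        scope = dict(kv.split("=", 1) for kv in m.group("scope").split())
        if m.group("star"):
            perms = frozenset("rwx")
        elif m.group("profile"):
            name = m.group("profile")
            if name not in PROFILE_PERMS:
                raise ValueError(f"unknown OSD profile: {name!r}")
            perms = PROFILE_PERMS[name]
        else:
            perms = frozenset(m.group("perms"))
        grants.append(Grant(perms, scope.get("pool"), scope.get("namespace")))
    return grants


def is_valid_osd_caps(cap_string: str) -> bool:
    """Syntax check only: does the whole cap string parse?"""
    try:
        parse_osd_caps(cap_string)
        return True
    except ValueError:
        return False


def allowed(cap_string: str, pool: str, namespace: str, perm: str) -> bool:
    """Would a client holding <cap_string> get <perm> on <pool>/<namespace>?"""
    return any(g.matches(pool, namespace, perm) for g in parse_osd_caps(cap_string))


if __name__ == "__main__":
    # The cap from the thread, written as one shell-safe string.
    container001 = "allow profile rbd pool=rbd namespace=container001"
    for ns in ("container001", "container002", ""):
        print(f"write to rbd/{ns or '<default ns>'} with {container001!r}:",
              allowed(container001, "rbd", ns, "w"))
    print("'profile rbd ...' without 'allow' parses:",
          is_valid_osd_caps("profile rbd pool=rbd namespace=container001"))
```

Run as a script it reports that the container001 cap grants writes only in the rbd/container001 namespace, not in container002 and not in the pool's default namespace, and that the documentation's bare `profile rbd ...` form is rejected by the grammar modelled here. The isolation therefore comes from the `namespace=` (and `pool=`) qualifiers on each client's grant; a client whose cap lacks them, or that holds `allow *`, sees every namespace.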
