On Tue, Oct 10, 2017 at 2:22 AM, Shawfeng Dong <[email protected]> wrote:
> Dear all,
>
> I am trying to follow the instructions at:
> http://docs.ceph.com/docs/master/cephfs/client-auth/
> to restrict a client to a subdirectory of a Ceph filesystem, but always get
> an error.
>
> We are running the latest stable release of Ceph (v12.2.1) on CentOS 7
> servers. The user 'hydra' has the following capabilities:
> # ceph auth get client.hydra
> exported keyring for client.hydra
> [client.hydra]
>         key = AQxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
>         caps mds = "allow rw"
>         caps mgr = "allow r"
>         caps mon = "allow r"
>         caps osd = "allow rw"
>
> When I tried to restrict the client to only mount and work within the
> directory /hydra of the Ceph filesystem 'pulpos', I got an error:
> # ceph fs authorize pulpos client.hydra /hydra rw
> Error EINVAL: key for client.dong exists but cap mds does not match
>
> I've tried a few combinations of user caps and CephFS client caps; but
> always got the same error!

The "fs authorize" command isn't smart enough to edit existing
capabilities safely, so it is cautious and refuses to overwrite what
is already there.  If you remove your client.hydra user and try again,
it should create it for you with the correct capabilities.

John

>
> Has anyone been able to get this to work? What is your recipe?
>
> Thanks,
> Shaw
>
> _______________________________________________
> ceph-users mailing list
> [email protected]
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
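
The mds cap posted in the thread (`allow rw`) carries no path, which is the state "fs authorize" refused to overwrite. As an added example (not part of the original thread and not Ceph's own code), the shell function below reads `ceph auth get` output and reports whether every mds grant is confined to a given subtree; the function name and the path-restricted sample entry are assumptions.

```shell
#!/bin/sh
# Added example: does the "caps mds" line of a `ceph auth get` export confine
# the client to one CephFS subtree?
# Assumption: paths in caps are unquoted and contain no spaces or commas.

# mds_confined_to KEYRING_TEXT SUBTREE
# exit 0: every mds grant has path=SUBTREE or a directory below it
# exit 1: at least one grant has no path= or points outside SUBTREE
# exit 2: the export has no "caps mds" line
mds_confined_to() {
    printf '%s\n' "$1" | awk -v want="${2%/}" '
        /^[ \t]*caps mds = / {
            seen = 1
            line = $0
            sub(/^[^"]*"/, "", line)      # drop everything up to the opening quote
            sub(/"[ \t]*$/, "", line)     # drop the closing quote
            n = split(line, clause, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                path = ""
                m = split(clause[i], word, /[ \t]+/)
                for (j = 1; j <= m; j++)
                    if (index(word[j], "path=") == 1) path = substr(word[j], 6)
                sub(/\/$/, "", path)
                if (path != want && index(path, want "/") != 1) bad = 1
            }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }'
}

# Caps as posted in the thread (key replaced by a placeholder).
BEFORE='[client.hydra]
        key = PLACEHOLDER
        caps mds = "allow rw"
        caps mgr = "allow r"
        caps mon = "allow r"
        caps osd = "allow rw"'

# Constructed sample of a path-restricted entry (assumed shape).
AFTER='[client.hydra]
        key = PLACEHOLDER
        caps mds = "allow rw path=/hydra"
        caps mon = "allow r"'

for name in BEFORE AFTER; do
    eval "text=\$$name"
    rc=0; mds_confined_to "$text" /hydra || rc=$?
    echo "$name: status $rc"
done
```

Removing and re-creating the user issues a new key, so the client's keyring has to be redistributed before it can mount again.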