Concur that it's technically feasible by restricting access to "rbd_id.<image name>", "rbd_header.<image id>.", "rbd_object_map.<image id>.", and "rbd_data.<image id>." objects using the prefix restriction in the OSD caps. However, this really won't scale beyond a small number of images per user since every IO will need to traverse the list of caps to verify the user can touch the object.
On Fri, Feb 2, 2018 at 11:05 AM, Gregory Farnum <gfar...@redhat.com> wrote:
> I don't think it's well-integrated with the tooling, but check out the cephx
> docs for the "prefix" level of access. It lets you grant access only to
> objects whose name matches a prefix, which for rbd would be the rbd volume
> ID (or name? Something easy to identify).
> -Greg
>
> On Fri, Feb 2, 2018 at 7:42 AM <kna...@gmail.com> wrote:
>>
>> Hello!
>>
>> I wonder if it's possible in ceph Luminous to manage user access to rbd
>> images on per image (but not the whole rbd pool) basis?
>> I need to provide rbd images for my users but would like to disable their
>> ability to list all images in a pool as well as to somehow access/use ones
>> if a ceph admin didn't authorize that.
>> _______________________________________________
>> ceph-users mailing list
>> firstname.lastname@example.org
>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

--
Jason
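The prefix restriction discussed in this thread, as an added example that is not part of the original messages: a shell helper that builds the OSD cap string for a set of images and counts the grants it produces, which is the list the reply says every IO has to traverse. The pool name, client name, image names and ids, and the rx/rwx permission choices are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a cephx OSD cap string that
# confines a client to named RBD images via object_prefix grants.
# Assumed: pool "rbd", client "client.alice", sample images, rx/rwx choices.

# build_osd_caps POOL NAME:ID [NAME:ID ...]
# Emits four grants per image, one per object family named in the reply.
# Caveat: object_prefix is a plain prefix match, so "rbd_id.vm1" also
# covers an image named "vm10"; pick image names with that in mind.
build_osd_caps() {
    pool=$1; shift
    caps=""
    for pair in "$@"; do
        name=${pair%%:*}   # image name, text before the first ':'
        id=${pair#*:}      # internal image id, text after it
        for grant in \
            "allow rx pool=${pool} object_prefix rbd_id.${name}" \
            "allow rwx pool=${pool} object_prefix rbd_header.${id}" \
            "allow rwx pool=${pool} object_prefix rbd_object_map.${id}" \
            "allow rwx pool=${pool} object_prefix rbd_data.${id}."
        do
            caps="${caps:+$caps; }${grant}"
        done
    done
    printf '%s\n' "$caps"
}

# count_grants CAPSTRING
# Number of ';'-separated grants, i.e. the list length checked per request.
count_grants() {
    printf '%s\n' "$1" | awk -F'; ' '{ print NF }'
}

# print_auth_command CLIENT POOL NAME:ID [NAME:ID ...]
# Prints (does not run) the ceph auth command for review before applying.
print_auth_command() {
    client=$1; pool=$2; shift 2
    printf "ceph auth get-or-create %s mon 'allow r' osd '%s'\n" \
        "$client" "$(build_osd_caps "$pool" "$@")"
}

# Constructed sample: two images with made-up ids.
print_auth_command client.alice rbd vm-alice-1:10ab3c vm-alice-2:10ab4d
echo "grants: $(count_grants "$(build_osd_caps rbd vm-alice-1:10ab3c vm-alice-2:10ab4d)")"
```

The grant count grows by four per image, which makes the scaling concern in the reply concrete.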