Concur that it's technically feasible by restricting access to
"rbd_id.<image name>", "rbd_header.<image id>.",
"rbd_object_map.<image id>.", and "rbd_data.<image id>." objects using
the prefix restriction in the OSD caps. However, this really won't
scale beyond a small number of images per user since every IO will
need to traverse the list of caps to verify the user can touch the

On Fri, Feb 2, 2018 at 11:05 AM, Gregory Farnum <> wrote:
> I don't think it's well-integrated with the tooling, but check out the cephx
> docs for the "prefix" level of access. It lets you grant access only to
> objects whose name matches a prefix, which for rbd would be the rbd volume
> ID (or name? Something easy to identify).
> -Greg
> On Fri, Feb 2, 2018 at 7:42 AM <> wrote:
>> Hello!
>> I wonder if it's possible in ceph Luminous to manage user access to rbd
>> images on per image (but not
>> the whole rbd pool) basis?
>> I need to provide rbd images for my users but would like to disable their
>> ability to list all images
>> in a pool as well as to somehow access/use ones if a ceph admin didn't
>> authorize that.
>> _______________________________________________
>> ceph-users mailing list
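The prefix restriction discussed in this thread, as an added example that is not part of the original messages or of Ceph's own code: it builds `object_prefix` OSD grants for the four object families named in the first message and checks object names against them with a simplified linear scan. The pool name, image names and ids, client name, permission letters and exact prefix boundaries are assumptions made for illustration.

```python
"""Per-image cephx OSD caps via object_prefix (illustrative model, not Ceph code)."""

def image_prefixes(name, image_id):
    # Object families listed in the thread; permission letters are assumed.
    return [
        ("rx", f"rbd_id.{name}"),              # name -> id lookup object
        ("rwx", f"rbd_header.{image_id}"),
        ("rwx", f"rbd_object_map.{image_id}"),
        ("rwx", f"rbd_data.{image_id}."),      # trailing dot ends the id
    ]

def osd_caps(pool, images):
    """Return a flat grant list: four (perms, pool, prefix) entries per image."""
    return [(perms, pool, prefix)
            for name, image_id in images
            for perms, prefix in image_prefixes(name, image_id)]

def render(grants):
    """Render grants in cephx cap syntax for the osd cap string."""
    return ", ".join(f"allow {p} pool={pool} object_prefix {pre}"
                     for p, pool, pre in grants)

def auth_command(client, grants):
    """Command line an admin would run; the client name is hypothetical."""
    return (f"ceph auth get-or-create client.{client} "
            f"mon 'allow r' osd '{render(grants)}'")

def check(grants, pool, obj, need):
    """Simplified model of cap evaluation: scan grants until one matches.

    Returns (allowed, grants_examined) to show the per-IO cost growing
    with the number of images granted to one user.
    """
    for i, (perms, gpool, prefix) in enumerate(grants, 1):
        if gpool == pool and obj.startswith(prefix) and set(need) <= set(perms):
            return True, i
    return False, len(grants)

# Constructed sample: two images with made-up ids.
SAMPLE = osd_caps("rbd", [("vm1", "10a1b2c3d4e5"), ("vm2", "20f0e0d0c0b0")])

if __name__ == "__main__":
    print(auth_command("alice", SAMPLE))
    print(check(SAMPLE, "rbd", "rbd_data.20f0e0d0c0b0.0000000000000000", "w"))
    # Prefix matching is not exact matching: a grant for image "vm1"
    # also covers the id object of an image named "vm10".
    print(check(SAMPLE, "rbd", "rbd_id.vm10", "r"))
```

Because the `rbd_id.` grant is a prefix on the image name, image names handed to different users should not be prefixes of one another.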