Hi Mark,

Here's an example that should work--userx and usery are RGW users
created in different tenants, like so:

# Create one RGW user in each of two tenants (tnt1/userx and tnt2/usery).
# The access keys and secrets below are example values for this walkthrough;
# do not reuse them on a real cluster.
# A secret passed via --secret ends up in shell history and is visible in the
# process list while the command runs; radosgw-admin can generate the keys
# itself with --gen-access-key / --gen-secret.
radosgw-admin --tenant tnt1 --uid userx --display-name "tnt1-userx" \
     --access_key "userxacc" --secret "test123" user create

 radosgw-admin --tenant tnt2 --uid usery --display-name "tnt2-usery" \
     --access_key "useryacc" --secret "test456" user create

Remember that to make use of this feature, you need recent librgw and
matching nfs-ganesha.  In particular, Ceph should have, among other
changes:

commit 65d0ae733defe277f31825364ee52d5102c06ab9
Author: Matt Benjamin <mbenja...@redhat.com>
Date:   Wed Jun 5 07:25:35 2019 -0400

    rgw_file: include tenant in hashes of object

    Because bucket names are taken as object names in the top
    of an export.  Make hashing by tenant general to avoid disjoint
    hashing of bucket.

    Fixes: http://tracker.ceph.com/issues/40118

    Signed-off-by: Matt Benjamin <mbenja...@redhat.com>
    (cherry picked from commit 8e0fd5fbfa7c770f6b668e79b772179946027bce)

commit 459b6b2b224953655fd0360e8098ae598e41d3b2
Author: Matt Benjamin <mbenja...@redhat.com>
Date:   Wed May 15 15:53:32 2019 -0400

    rgw_file: include tenant when hashing bucket names

    Prevent identical paths from distinct tenants from colliding in
    RGW NFS handle cache.

    Fixes: http://tracker.ceph.com/issues/40118

    Signed-off-by: Matt Benjamin <mbenja...@redhat.com>
    (cherry picked from commit b800a9de83dff23a150ed7d236cb61c8b7d971ae)
    Signed-off-by: Matt Benjamin <mbenja...@redhat.com>


ganesha.conf.deuxtenant:


# Export of userx's RGW namespace at NFSv4 pseudo path /userx.
# Every NFS client that can use this export acts on RGW with userx's
# credentials, whatever its own NFS identity is.
EXPORT
{
    # Export Id (mandatory, each EXPORT must have a unique Export_Id)
    Export_Id = 77;

    # Exported path (mandatory)
    # "/" is the top of the export, where bucket names appear as entries.
    Path = "/";

    # Pseudo Path (required for NFS v4)
    Pseudo = "/userx";

    # Required for access (default is None)
    # Could use CLIENT blocks instead
    # Set at EXPORT level with no CLIENT block, RW is not limited to any
    # client address; a CLIENT block with a Clients list narrows it.
    Access_Type = RW;

    # AUTH_SYS: the server trusts the uid/gid the client sends, with no
    # cryptographic authentication of the client or user.
    SecType = "sys";

    Protocols = 3,4;
    Transports = UDP,TCP;

    #Delegations = Readwrite;

    # Root on the client is not remapped to an anonymous user.
    Squash = No_Root_Squash;

    # Exporting FSAL
    FSAL {
        Name = RGW;
        # NOTE(review): userx was created with --tenant tnt1, but no tenant
        # appears in User_Id here; confirm how the tenant is resolved.
        User_Id = "userx";
        # Example key pair from the radosgw-admin command earlier in this
        # message. The secret is stored in plain text, so on a real system
        # this file should be readable only by the account running ganesha.
        Access_Key_Id = "userxacc";
        Secret_Access_Key = "test123";
    }
}

# Export of usery's RGW namespace at NFSv4 pseudo path /usery.
# It uses the same Path ("/") as export 77 but different RGW credentials, so
# the two exports differ only in which RGW user backs them.
EXPORT
{
    # Export Id (mandatory, each EXPORT must have a unique Export_Id)
    Export_Id = 78;

    # Exported path (mandatory)
    Path = "/";

    # Pseudo Path (required for NFS v4)
    Pseudo = "/usery";

    # Required for access (default is None)
    # Could use CLIENT blocks instead
    # No CLIENT block is present, so read-write access is not restricted by
    # client address.
    Access_Type = RW;

    # AUTH_SYS: client-supplied uid/gid, no cryptographic authentication.
    SecType = "sys";

    Protocols = 3,4;
    Transports = UDP,TCP;

    #Delegations = Readwrite;

    # Client root is not squashed to an anonymous user.
    Squash = No_Root_Squash;

    # Exporting FSAL
    FSAL {
        Name = RGW;
        User_Id = "usery";
        # Example key pair for usery, stored in plain text; on a real system
        # keep this file readable only by the ganesha service account.
        Access_Key_Id = "useryacc";
        Secret_Access_Key = "test456";
    }
}

# Mount-at-bucket case: Path names a single bucket (buck5) instead of "/".
# The FSAL still logs in with usery's full key pair, so the limit to buck5
# comes from the export path, not from reduced RGW permissions.
EXPORT
{
    # Export Id (mandatory, each EXPORT must have a unique Export_Id)
    Export_Id = 79;

    # Exported path (mandatory)
    Path = "/buck5";

    # Pseudo Path (required for NFS v4)
    Pseudo = "/usery_buck5";

    # Required for access (default is None)
    # Could use CLIENT blocks instead
    # With no CLIENT block, read-write access applies regardless of client
    # address.
    Access_Type = RW;

    # AUTH_SYS: client-supplied uid/gid, no cryptographic authentication.
    SecType = "sys";

    Protocols = 3,4;
    Transports = UDP,TCP;

    #Delegations = Readwrite;

    # Client root is not squashed to an anonymous user.
    Squash = No_Root_Squash;

    # Exporting FSAL
    FSAL {
        Name = RGW;
        User_Id = "usery";
        # Same example key pair as the /usery export; plain-text secret, so
        # restrict read access to this file on a real system.
        Access_Key_Id = "useryacc";
        Secret_Access_Key = "test456";
    }
}



# Settings handed to librgw when the RGW FSAL is initialised.
RGW {
    # Points at a ceph.conf in a developer build tree under a home directory;
    # replace with the cluster's own ceph.conf path.
    ceph_conf = "/home/mbenjamin/ceph-noob/build/ceph.conf";
    # The commented-out line is an alternative that turns on verbose RGW
    # debug output (--debug-rgw=16); the active line passes no extra args.
    #init_args = "-d --debug-rgw=16";
    init_args = "";
}

# Server-wide NFS settings.
NFS_Core_Param {
        Nb_Worker = 17;
        # NFSv3 mounts use the export's Pseudo path rather than Path. Two of
        # the exports in this file share Path "/", so Pseudo is what tells
        # them apart.
        mount_path_pseudo = true;
}

# Metadata cache sizing.
# NOTE(review): presumably high-water marks for cached directory chunks and
# cache entries; confirm against the documentation of the ganesha version in use.
CacheInode {
    Chunks_HWMark = 70000;
    Entries_Hwmark = 2000000;
}

# NFSv4-specific behaviour.
NFSV4 {
    # Skip the NFSv4 grace period at server start.
    Graceless = true;
    # Owners and groups are exchanged as numeric uid/gid strings rather than
    # name@domain, so no ID mapping is involved. Combined with SecType "sys"
    # on the exports, identity is whatever numeric id the client presents.
    Allow_Numeric_Owners = true;
    Only_Numeric_Owners = true;
}

# Logging: per-component levels plus one file destination.
LOG {
    Components {
        # All overrides are commented out, so components keep their default
        # level; uncomment a line to raise that component to FULL_DEBUG.
        #NFS_READDIR = FULL_DEBUG;
        #NFS4 = FULL_DEBUG;
        #CACHE_INODE = FULL_DEBUG;
        #FSAL = FULL_DEBUG;
    }
    Facility {
        name = FILE;
        # /tmp is world-writable and this file name is predictable; outside
        # a test setup, log to a directory only the ganesha service account
        # can write to.
        destination = "/tmp/ganesha-rgw.log";
        enable = active;
    }
}

On Thu, Oct 3, 2019 at 10:34 AM Marc Roos <m.r...@f1-outsourcing.eu> wrote:
>
>
> How should a multi-tenant RGW config look? I am not able to get this
> working:
>
> EXPORT {
>        Export_ID=301;
>        Path = "test:test3";
>        #Path = "/";
>        Pseudo = "/rgwtester";
>
>        Protocols = 4;
>        FSAL {
>                Name = RGW;
>                User_Id = "test$tester1";
>                Access_Key_Id = "TESTER";
>                Secret_Access_Key = "xxx";
>        }
>        Disable_ACL = TRUE;
>        CLIENT { Clients = 192.168.10.0/24; access_type = "RO"; }
> }
>
>
> 03/10/2019 16:15:37 : epoch 5d8d274c : c01 : ganesha.nfsd-4722[sigmgr]
> create_export :FSAL :CRIT :RGW module: librgw init failed (-5)
> 03/10/2019 16:15:37 : epoch 5d8d274c : c01 : ganesha.nfsd-4722[sigmgr]
> mdcache_fsal_create_export :FSAL :MAJ :Failed to call create_export on
> underlying FSAL RGW
> 03/10/2019 16:15:37 : epoch 5d8d274c : c01 : ganesha.nfsd-4722[sigmgr]
> fsal_put :FSAL :INFO :FSAL RGW now unused
> 03/10/2019 16:15:37 : epoch 5d8d274c : c01 : ganesha.nfsd-4722[sigmgr]
> fsal_cfg_commit :CONFIG :CRIT :Could not create export for (/rgwtester)
> to (test:test3)
> 03/10/2019 16:15:37 : epoch 5d8d274c : c01 : ganesha.nfsd-4722[sigmgr]
> fsal_cfg_commit :FSAL :F_DBG :FSAL RGW refcount 0
> 03/10/2019 16:15:37 : epoch 5d8d274c : c01 : ganesha.nfsd-4722[sigmgr]
> config_errs_to_log :CONFIG :CRIT :Config File
> (/etc/ganesha/ganesha.conf:216): 1 validation errors in block FSAL
> 03/10/2019 16:15:37 : epoch 5d8d274c : c01 : ganesha.nfsd-4722[sigmgr]
> config_errs_to_log :CONFIG :CRIT :Config File
> (/etc/ganesha/ganesha.conf:216): Errors processing block (FSAL)
> 03/10/2019 16:15:37 : epoch 5d8d274c : c01 : ganesha.nfsd-4722[sigmgr]
> config_errs_to_log :CONFIG :CRIT :Config File
> (/etc/ganesha/ganesha.conf:209): 1 validation errors in block EXPORT
> 03/10/2019 16:15:37 : epoch 5d8d274c : c01 : ganesha.nfsd-4722[sigmgr]
> config_errs_to_log :CONFIG :CRIT :Config File
> (/etc/ganesha/ganesha.conf:209): Errors processing block (EXPORT)
>
> -----Original Message-----
> Subject: Re: [ceph-users] NFS
>
> RGW NFS can support any NFS style of authentication, but users will have
> the RGW access of their nfs-ganesha export.  You can create exports with
> disjoint privileges, and since recent L, N, RGW tenants.
>
> Matt
>
> On Tue, Oct 1, 2019 at 8:31 AM Marc Roos <m.r...@f1-outsourcing.eu>
> wrote:
> >
> >  I think you can run into problems
> > with a multi user environment of RGW and nfs-ganesha.
> >
> > _______________________________________________
> > ceph-users mailing list
> > ceph-users@lists.ceph.com
> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
> --
>
> Matt Benjamin
> Red Hat, Inc.
> 315 West Huron Street, Suite 140A
> Ann Arbor, Michigan 48103
>
> http://www.redhat.com/en/technologies/storage
>
> tel.  734-821-5101
> fax.  734-769-8938
> cel.  734-216-5309
>
>


-- 

Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103

http://www.redhat.com/en/technologies/storage

tel.  734-821-5101
fax.  734-769-8938
cel.  734-216-5309