Re: [ceph-users] restrict user access to certain rbd image

2018-02-05 Thread knawnd
Thanks a lot to all who shared thoughts and own experience on that topic! It seems that Frédéric's input is exactly what I've been looking for. Thanks Frédéric!


___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com


Re: [ceph-users] restrict user access to certain rbd image

2018-02-02 Thread Jason Dillaman
Concur that it's technically feasible by restricting access to
"rbd_id.", "rbd_header..",
"rbd_object_map..", and "rbd_data.." objects using
the prefix restriction in the OSD caps. However, this really won't
scale beyond a small number of images per user since every IO will
need to traverse the list of caps to verify the user can touch the
object.

-- 
Jason


Re: [ceph-users] restrict user access to certain rbd image

2018-02-02 Thread Frédéric Nass

Hi,

We use this on our side:

$ rbd create rbd-image --size 1048576 --pool rbd --image-feature layering
$ rbd create rbd-other-image --size 1048576 --pool rbd --image-feature layering


$ rbd info rbd/rbd-image
rbd image 'rbd-image':
    size 1024 GB in 262144 objects
    order 22 (4096 kB objects)
    block_name_prefix: rbd_data.2b36cf238e1f29
    format: 2
    features: layering
    flags:

$ ceph auth get-or-create client.rbd.image mon 'allow r' osd 'allow rwx pool rbd object_prefix rbd_data.2b36cf238e1f29; allow rwx pool rbd object_prefix rbd_header.2b36cf238e1f29; allow rx pool rbd object_prefix rbd_id.rbd-image' -o /etc/ceph/ceph.client.rbd.image.keyring


$ rbd -p rbd --keyring=/etc/ceph/ceph.client.rbd.image.keyring --id=rbd.image info rbd-image

rbd image 'rbd-image':
    size 1024 GB in 262144 objects
    order 22 (4096 kB objects)
    block_name_prefix: rbd_data.2b36cf238e1f29
    format: 2
    features: layering
    flags:

$ rbd -p rbd --keyring=/etc/ceph/ceph.client.rbd.image.keyring --id=rbd.image info rbd-other-image

rbd: error opening image rbd-other-image: (1) Operation not permitted
2018-02-02 17:19:13.758624 7f38d76fd700 -1 librbd::image::OpenRequest: failed to stat v2 image header: (1) Operation not permitted
2018-02-02 17:19:13.758724 7f38d6efc700 -1 librbd::ImageState: 0x55ac0ea6b7f0 failed to open image: (1) Operation not permitted


$ rbd --keyring=/etc/ceph/ceph.client.rbd.image.keyring --id=rbd.image -p rbd ls

rbd: list: (1) Operation not permitted

Regards,

Frédéric.

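An added helper, not from the thread or from Ceph's own tooling, that builds the per-image OSD cap string Frédéric shows from `rbd info` output, adds the rbd_object_map prefix Jason lists when asked for, and checks which object names a cap string actually covers: object_prefix is a literal string-prefix test on the RADOS object name, so the rbd_id.rbd-image clause would also cover an image named rbd-image-2, which is worth checking against sibling names before a keyring is handed out. The sample `rbd info` text and the id 2b36cf238e1f29 are copied from Frédéric's post; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `rbd info` output, in the shape Frédéric posted (not captured live).
RBD_INFO_SAMPLE=$(cat <<'EOF'
rbd image 'rbd-image':
    size 1024 GB in 262144 objects
    order 22 (4096 kB objects)
    block_name_prefix: rbd_data.2b36cf238e1f29
    format: 2
    features: layering
    flags:
EOF
)
# Pull the image id (the hex after "rbd_data.") out of `rbd info` text read from stdin.
image_id_from_info() {
    sed -n 's/^[[:space:]]*block_name_prefix:[[:space:]]*rbd_data\.\([0-9a-f]*\).*/\1/p'
}
# Cap string from the thread for one image: rwx on its data/header objects, rx on the
# rbd_id.<name> lookup object; objmap=yes adds the rbd_object_map.<id> prefix Jason lists.
osd_caps_for_image() {
    pool=$1; name=$2; id=$3; objmap=${4:-no}
    caps="allow rwx pool $pool object_prefix rbd_data.$id; "
    caps="${caps}allow rwx pool $pool object_prefix rbd_header.$id; "
    caps="${caps}allow rx pool $pool object_prefix rbd_id.$name"
    [ "$objmap" = yes ] && caps="$caps; allow rwx pool $pool object_prefix rbd_object_map.$id"
    printf '%s' "$caps"
}
# object_prefix is a plain string-prefix test on the RADOS object name. Exit 0 when any
# clause covers the object, so a cap can be reviewed against sibling image names before
# the keyring is handed out. A clause with no object_prefix is treated as pool-wide.
cap_covers_object() {
    caps=$1; obj=$2
    printf '%s\n' "$caps" | tr ';' '\n' | (
        while read -r clause; do
            case $clause in
                *"object_prefix "*) prefix=${clause##*"object_prefix "} ;;
                *) exit 0 ;;
            esac
            case $obj in "$prefix"*) exit 0 ;; esac
        done
        exit 1
    )
}
# Stand-alone run: derive the id from the sample and print the caps built from it.
ID=$(printf '%s\n' "$RBD_INFO_SAMPLE" | image_id_from_info)
osd_caps_for_image rbd rbd-image "$ID"; echo
```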


Re: [ceph-users] restrict user access to certain rbd image

2018-02-02 Thread Gregory Farnum
I don't think it's well-integrated with the tooling, but check out the
cephx docs for the "prefix" level of access. It lets you grant access only
to objects whose name matches a prefix, which for rbd would be the rbd
volume ID (or name? Something easy to identify).
-Greg



[ceph-users] restrict user access to certain rbd image

2018-02-02 Thread knawnd

Hello!

I wonder if it's possible in ceph Luminous to manage user access to rbd images on a per-image (but not the whole rbd pool) basis?
I need to provide rbd images for my users but would like to disable their ability to list all images in a pool as well as to somehow access/use ones if a ceph admin didn't authorize that.
