The current osd capabilities do a few things that, in retrospect, are more complex than is necessary or desired. In particular, the current implementation allows allow rwx, deny pool blah rwx The deny stuff is confusing to understand (it's ordering dependent), and not used by anything (that we know of). There is also an idea of 'default permissions' on pools that you own. For example, if you have a blank capability, and create a pool 'foo' owned by your auid, then you (by default) get rwx permissions. Unless the cap says otherwise, like allow pool foo rw allow auid 123 rw This is also sneaky and confusing. You can get equivalent functionality with an explicit cap like allow auid 123 rwx The current implementation is also awkward to maintain and understand in terms of grants. So: there's a new implementation in wip-osdcap that removes 'deny' and the default caps thing, has a well-defined grammar, and a simpler implementation. See https://github.com/ceph/ceph/commits/wip-osdcap The danger is merging this is that someone out there has dived into the old and documented caps code and started using the deny or default cap functionality. This is your fair warning! If you're using deny, you probably shouldn't, and if you're using the default caps, you need to adjust them to explicitly allow access to pools you create. sage -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
