In addition to (or instead of) making the API harder to fat-finger, we could also add a mon config option like mon allow pool deletion = false that defaults off. Then, to delete any pool, you need to update ceph.conf and restart mons or inject the config option change (ceph daemon mon.`hostname` config set ... on the leader) or the API will give you EPERM. This offers some protection even for client.admin key users if we prevent injectargs for that option (maybe feasible) and they don't have access to the actual mon machine. It also makes it easy to drop these protections for our QA because we can just stick that option in the teuthology and vstart.sh ceph.conf files.

sage
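The guard proposed in the message above, modelled as an added example; this is not code from the post or from Ceph. The option key spelling, the class and method names, and the pool names are assumptions made for illustration.

```python
import errno

# Hypothetical key for the option proposed in the message; not a confirmed Ceph name.
GUARD_OPTION = "mon_allow_pool_deletion"
# Options that may not be changed remotely (the "prevent injectargs" idea).
NO_REMOTE_INJECT = {GUARD_OPTION}


class MonModel:
    """Toy monitor with just enough state to show the proposed trust boundary."""

    def __init__(self, conf=None):
        # The guard defaults to off; a ceph.conf used for QA may turn it on.
        self.conf = {GUARD_OPTION: False}
        self.conf.update(conf or {})
        self.pools = {"rbd", "data"}  # constructed sample pools

    def injectargs(self, option, value):
        """Remote path: reachable by anyone holding an admin key."""
        if option in NO_REMOTE_INJECT:
            return -errno.EPERM
        self.conf[option] = value
        return 0

    def admin_socket_config_set(self, option, value):
        """Local path: requires access to the mon machine itself."""
        self.conf[option] = value
        return 0

    def delete_pool(self, name):
        if not self.conf[GUARD_OPTION]:
            return -errno.EPERM
        if name not in self.pools:
            return -errno.ENOENT
        self.pools.remove(name)
        return 0


def demo():
    mon = MonModel()
    results = [
        mon.delete_pool("data"),                          # guard off: refused
        mon.injectargs(GUARD_OPTION, True),               # remote flip: refused
        mon.delete_pool("data"),                          # still refused
        mon.admin_socket_config_set(GUARD_OPTION, True),  # local flip: accepted
        mon.delete_pool("data"),                          # now allowed
    ]
    return results, sorted(mon.pools)


if __name__ == "__main__":
    print(demo())
```

The model makes the boundary explicit: an admin key alone cannot clear the guard, while access to the mon host or its ceph.conf can.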