Re: minimal ceph permissions for rados gateway

On Jun 12, 2013, at 2:02 PM, Yehuda Sadeh <yehuda@xxxxxxxxxxx> wrote:

> On Wed, Jun 12, 2013 at 12:59 PM, John Nielsen <lists@xxxxxxxxxxxx> wrote:
>> After updating to Cuttlefish I was able to set up two rados gateways using distinct pools and users. (Thanks Yehuda!) Now I'd like to make it so the user for each gateway can only access its own pools and nothing else. The reasons include security and preventing foot-shooting.
>> 
>> Instead of simply having this:  caps osd = "allow rwx"
>> 
>> I tried:
>> 
>>        caps osd = "allow class-read, allow pool .intent-log rwx, allow pool .log rwx, allow pool .rgw rwx, allow pool .rgw.buckets rwx, allow pool .rgw.control rwx, allow pool .rgw.gc rwx, allow pool .usage rwx, allow pool .users rwx, allow pool .users.email rwx, allow pool .users.swift rwx, allow pool .users.uid rwx"
> 
> You'll need more than just class-read.

Can you be more specific?

>> Unfortunately, the radosgw won't run with those settings. It starts but then exits, with this in the logs:
>> 
>> 2013-06-12 11:51:39.574693 7f61de950820  0 ceph version 0.61.3 (92b1e398576d55df8e5888dd1a9545ed3fd99532), process radosgw, pid 32182
>> 2013-06-12 11:51:39.591093 7f61cb5fe700  2 garbage collection: start
>> 2013-06-12 11:51:39.594462 7f61cb5fe700  0 ERROR: garbage collection process() returned error r=-1
>> 2013-06-12 11:51:39.594472 7f61cb5fe700  2 garbage collection: stop
>> 2013-06-12 11:51:39.596405 7f61de950820 -1 Couldn't init storage provider (RADOS)
>> 
>> Can someone tell me what permissions I might need or if I'm doing something wrong? If for some reason this kind of per-user partitioning can't be done (meaning rgw needs 'caps osd = "allow rwx"') I'd like to know why, and see about changing that in a future release.
>> 
>> Thanks,
>> 
>> JN
>> 
>> _______________________________________________
>> ceph-users mailing list
>> ceph-users@xxxxxxxxxxxxxx
>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
> 

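A defender-side least-privilege check for the caps string quoted above, added here as example code (it is not from the thread and not Ceph's own parser). It assumes a simplified grammar for the clause list: comma-separated `allow` clauses, an optional `pool <name>` scope, and permission tokens `r`, `w`, `x`, `class-read`, `class-write`, `*` or a combined form like `rwx`; a clause with no `pool` scope is treated as applying to every pool. The sample string is the one from the message.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the caps osd string quoted in the thread.
SAMPLE_CAPS = ("allow class-read, allow pool .intent-log rwx, allow pool .log rwx, "
               "allow pool .rgw rwx, allow pool .rgw.buckets rwx, allow pool .rgw.control rwx, "
               "allow pool .rgw.gc rwx, allow pool .usage rwx, allow pool .users rwx, "
               "allow pool .users.email rwx, allow pool .users.swift rwx, allow pool .users.uid rwx")

PERMS = {"r", "w", "x", "class-read", "class-write"}

@dataclass
class Grant:
    perms: Set[str]
    pool: Optional[str]  # None: not scoped to a pool, so it applies to all pools (assumed semantics)

def parse_osd_caps(caps: str) -> List[Grant]:
    """Parse 'allow [pool <name>] <perms>' clauses (assumed, simplified grammar)."""
    grants = []
    for clause in caps.split(","):
        tokens = clause.split()
        if not tokens or tokens[0] != "allow":
            raise ValueError(f"unsupported clause: {clause!r}")
        pool, perms, i = None, set(), 1
        while i < len(tokens):
            tok = tokens[i]
            if tok == "pool":                     # scope the grant to one pool
                pool = tokens[i + 1]
                i += 2
                continue
            if tok == "*":
                perms |= PERMS
            elif tok in PERMS:
                perms.add(tok)
            elif tok and set(tok) <= {"r", "w", "x"}:  # combined form such as "rwx"
                perms |= set(tok)
            else:
                raise ValueError(f"unknown token {tok!r} in {clause!r}")
            i += 1
        grants.append(Grant(perms, pool))
    return grants

def effective_perms(grants: List[Grant], pool: str) -> Set[str]:
    """Union of what the key can do on one pool: unscoped grants plus grants naming that pool."""
    return set().union(*(g.perms for g in grants if g.pool is None or g.pool == pool))

def unscoped_grants(grants: List[Grant]) -> List[Grant]:
    """Grants with no pool scope; these reach every pool, so review them when partitioning users."""
    return [g for g in grants if g.pool is None]
```

Running `effective_perms(parse_osd_caps(SAMPLE_CAPS), "rbd")` shows that the unscoped `allow class-read` clause still grants class-read on pools the gateway was never meant to touch.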