Reference: http://linux.die.net/man/8/ceph-authtool
The subsystem is the name of a Ceph subsystem: mon, mds,
or osd.
The capability is a string describing what the given user is
allowed to do. This takes the form of a comma separated list of
allow clauses with a permission
specifier containing one or more of rwx for read, write, and
execute permission. The allow * grants full superuser
permissions for the given subsystem.
For example:

# can read, write, and execute objects
osd = "allow rwx"
# can access mds server
mds = "allow"
# can modify cluster state (i.e., is a server daemon)
mon = "allow rwx"

A librados user restricted to a single pool might look like:

mon = "allow r"
osd = "allow rw pool foo"

A client using rbd with read access to one pool and read/write access to another:

mon = "allow r"
osd = "allow class-read object_prefix rbd_children, allow pool templates r class-read, allow pool vms rwx"

A client mounting the file system with minimal permissions would need caps like:

mds = "allow"
osd = "allow rw pool data"
mon = "allow r"
--tuantaba
On 07/16/2013 08:34 PM, Ta Ba Tuan wrote:
Hi Markus,
Limit access to a specified pool through key authentication.
For example, I have a pool named 'instances' and set permissions like:
# ceph auth get-or-create client.instances mon 'allow r' osd 'allow rwx pool=instances'
--tuantaba
TA BA TUAN
On 07/16/2013 08:04 PM, Markus Goldberg wrote:
Hi,
I created a few pools with
'ceph osd pool create <poolname> 100 100'
and set a relation to corresponding directories with
'cephfs /mnt/myceph/<dirname> set_layout -p <poolname>'.
I can list the pools with 'ceph osd pools'.
I can mount the dirs/subdirs at the client with
'mount -t ceph xxx.xxx.xxx.xxx:6789:/dir1/dir2 /mnt/myceph -v -o name=admin,secretfile=/etc/ceph/admin.secret'
(admin.secret is the key for the data-rootdir (/) )
How can I give specific clients read/write access to only a subset of the pools?
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
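
Added example, not part of the original thread and not Ceph's own code: a small Python checker that parses osd capability strings of the forms quoted above and reports which pools a key can write to and which clauses are not restricted to a pool. The function names and the reduced grammar (only `allow`, `rwx`/`*`, `pool`, `object_prefix`, `class-read`, `class-write`) are assumptions of this example.

```python
import re

PERMS = re.compile(r"^(\*|[rwx]+)$")

def parse_osd_caps(cap):
    """Parse an osd cap string into clauses (only the forms quoted in this thread)."""
    clauses = []
    for raw in cap.split(","):
        tokens = raw.replace("=", " ").split()  # accept "pool foo" and "pool=foo"
        if not tokens or tokens[0] != "allow":
            raise ValueError(f"clause must start with 'allow': {raw!r}")
        clause = {"perms": "", "pool": None, "object_prefix": None, "classes": set()}
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok in ("pool", "object_prefix"):
                if i + 1 == len(tokens):
                    raise ValueError(f"{tok} needs a value: {raw!r}")
                clause[tok] = tokens[i + 1]
                i += 2
                continue
            if tok in ("class-read", "class-write"):
                clause["classes"].add(tok)
            elif PERMS.match(tok):
                clause["perms"] = tok
            else:
                raise ValueError(f"unexpected token {tok!r} in {raw!r}")
            i += 1
        clauses.append(clause)
    return clauses

def unscoped_clauses(cap):
    """Clauses granting r/w/x or * with no pool restriction, i.e. valid on every pool."""
    return [c for c in parse_osd_caps(cap) if c["perms"] and c["pool"] is None]

def writable_pools(cap):
    """Pools the key can write to; '*' means every pool. class-write is not counted."""
    pools = {c["pool"] or "*" for c in parse_osd_caps(cap)
             if "w" in c["perms"] or c["perms"] == "*"}
    return sorted(pools)

# Cap strings copied from the thread above.
RBD_CLIENT = ("allow class-read object_prefix rbd_children, "
              "allow pool templates r class-read, allow pool vms rwx")
if __name__ == "__main__":
    for cap in ("allow rwx", "allow rwx pool=instances", "allow rw pool foo", RBD_CLIENT):
        print(f"{cap!r}: writable={writable_pools(cap)} unscoped={len(unscoped_clauses(cap))}")
```

Running it over the output of `ceph auth list` would need an extra step to extract each key's osd cap string, which this example does not do.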