cephx key for CephFS access only

Thanks for the response Greg.

Unfortunately, I appear to be missing something.  If I use my "cephfs" key
with these perms:

client.cephfs
    key: <redacted>
    caps: [mds] allow rwx
    caps: [mon] allow r
    caps: [osd] allow rwx pool=data

This is what happens when I mount:

# ceph-fuse -k /etc/ceph/ceph.client.cephfs.keyring -m ceph0-10g /data
ceph-fuse[13533]: starting ceph client
ceph-fuse[13533]: ceph mount failed with (1) Operation not permitted
ceph-fuse[13531]: mount failed: (1) Operation not permitted

But using the admin key works just fine:

# ceph-fuse -k /etc/ceph/ceph.client.admin.keyring -m ceph0-10g /data
ceph-fuse[13548]: starting ceph client
ceph-fuse[13548]: starting fuse

The admin key has the following perms:

client.admin
    key: <redacted>
    caps: [mds] allow
    caps: [mon] allow *
    caps: [osd] allow *

Since the mds permissions are functionally equivalent, either I need extra
rights on the monitor, or the OSDs.  Does a client need to access the
metadata pool in order to do a CephFS mount?

I'll experiment a bit and report back.


On Mon, Mar 31, 2014 at 1:36 PM, Gregory Farnum <greg at inktank.com> wrote:

> At present, the only security permission on the MDS is "allowed to do
> stuff", so "rwx" and "*" are synonymous. In general "*" means "is an
> admin", though, so you'll be happier in the future if you use "rwx".
> You may also want a more restrictive set of monitor capabilities as
> somebody else recently pointed out, but [3] will give you the
> filesystem access you're looking for.
> -Greg
> Software Engineer #42 @ http://inktank.com | http://ceph.com
>
>
> On Fri, Mar 28, 2014 at 9:40 AM, Travis Rhoden <trhoden at gmail.com> wrote:
> > Hi Folks,
> >
> > What would be the right set of capabilities to set for a new client key that
> > has access to CephFS only?  I've seen a few different examples:
> >
> > [1] mds 'allow *' mon 'allow r' osd 'allow rwx pool=data'
> > [2] mon 'allow r' osd 'allow rwx pool=data'
> > [3] mds 'allow rwx' mon 'allow r' osd 'allow rwx pool=data'
> >
> > I'm inclined to go with [3]. [1] seems weird for using *, I like seeing rwx.
> > Are these synonymous? [2] seems wrong because it doesn't include anything
> > for MDS.
> >
> > - Travis
> >
> > _______________________________________________
> > ceph-users mailing list
> > ceph-users at lists.ceph.com
> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
> >
>
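Added example, not part of the thread or of Ceph itself: a small POSIX shell audit that reads the text form of `ceph auth list` (the same layout as the two keyring entries quoted above) and flags client keys whose caps grant the admin-style `allow *` that Greg warns about, or whose osd caps are not pinned to a pool. The sample input is constructed from the two entries in the thread; the function names `audit_caps` and `count_findings` are this example's own. Run it against a saved dump with `ceph auth list > auth.txt; audit_caps < auth.txt`.

```shell
#!/bin/sh
# Added example (not from the thread): audit `ceph auth list` output for
# over-privileged cephx keys. Input is read on stdin so it works offline
# against a saved dump.

# Constructed sample modelled on the two keyring entries quoted in the thread.
SAMPLE_AUTH_LIST='client.admin
	key: <redacted>
	caps: [mds] allow
	caps: [mon] allow *
	caps: [osd] allow *
client.cephfs
	key: <redacted>
	caps: [mds] allow rwx
	caps: [mon] allow r
	caps: [osd] allow rwx pool=data
'

# audit_caps: reads `ceph auth list` text on stdin and prints one finding per
# line as "<entity> <daemon-type> <reason>". Two checks:
#   wildcard-admin            - the cap expression contains "allow *"
#   osd-no-pool-restriction   - an osd cap that is not limited with pool=...
audit_caps() {
    awk '
        # An unindented "type.name" line starts a new entity (client.cephfs, ...)
        /^[a-z]+\./ { entity = $1; next }
        # Indented "caps: [daemon] <expr>" lines belong to the current entity
        /^[ \t]*caps:/ {
            daemon = $2
            gsub(/[\[\]]/, "", daemon)
            expr = $0
            sub(/^[ \t]*caps: \[[a-z]+\] */, "", expr)
            if (expr ~ /allow \*/)
                print entity, daemon, "wildcard-admin"
            else if (daemon == "osd" && expr !~ /pool=/)
                print entity, daemon, "osd-no-pool-restriction"
        }
    '
}

# count_findings ENTITY: number of findings for one entity in the sample.
count_findings() {
    printf '%s' "$SAMPLE_AUTH_LIST" | audit_caps | awk -v e="$1" '$1 == e' | wc -l | tr -d ' '
}

# Stand-alone run: list every finding in the constructed sample.
printf '%s' "$SAMPLE_AUTH_LIST" | audit_caps
```

The `client.admin` entry produces two findings (mon and osd `allow *`); the `client.cephfs` entry produces none, since its osd cap is pool-scoped and it uses `rwx` rather than `*` on the MDS, matching Greg's advice. Note the audit does not say anything about why the restricted key fails to mount; it only reports how far a key is from the least-privilege shape discussed in the thread.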