Hrm, I don't remember. Let me know which permutation works and we can dig into it.
-Greg
Software Engineer #42 @ http://inktank.com | http://ceph.com

On Wed, Apr 2, 2014 at 9:00 AM, Travis Rhoden <trhoden at gmail.com> wrote:
> Thanks for the response Greg.
>
> Unfortunately, I appear to be missing something. If I use my "cephfs" key
> with these perms:
>
> client.cephfs
>         key: <redacted>
>         caps: [mds] allow rwx
>         caps: [mon] allow r
>         caps: [osd] allow rwx pool=data
>
> This is what happens when I mount:
>
> # ceph-fuse -k /etc/ceph/ceph.client.cephfs.keyring -m ceph0-10g /data
> ceph-fuse[13533]: starting ceph client
> ceph-fuse[13533]: ceph mount failed with (1) Operation not permitted
> ceph-fuse[13531]: mount failed: (1) Operation not permitted
>
> But using the admin key works just fine:
>
> # ceph-fuse -k /etc/ceph/ceph.client.admin.keyring -m ceph0-10g /data
> ceph-fuse[13548]: starting ceph client
> ceph-fuse[13548]: starting fuse
>
> The admin key has the following perms:
>
> client.admin
>         key: <redacted>
>         caps: [mds] allow
>         caps: [mon] allow *
>         caps: [osd] allow *
>
> Since the mds permissions are functionally equivalent, either I need extra
> rights on the monitor, or the OSDs. Does a client need to access the
> metadata pool in order to do a CephFS mount?
>
> I'll experiment a bit and report back.
>
>
> On Mon, Mar 31, 2014 at 1:36 PM, Gregory Farnum <greg at inktank.com> wrote:
>>
>> At present, the only security permission on the MDS is "allowed to do
>> stuff", so "rwx" and "*" are synonymous. In general "*" means "is an
>> admin", though, so you'll be happier in the future if you use "rwx".
>> You may also want a more restrictive set of monitor capabilities as
>> somebody else recently pointed out, but [3] will give you the
>> filesystem access you're looking for.
>> -Greg
>> Software Engineer #42 @ http://inktank.com | http://ceph.com
>>
>>
>> On Fri, Mar 28, 2014 at 9:40 AM, Travis Rhoden <trhoden at gmail.com> wrote:
>> > Hi Folks,
>> >
>> > What would be the right set of capabilities to set for a new client key
>> > that has access to CephFS only? I've seen a few different examples:
>> >
>> > [1] mds 'allow *' mon 'allow r' osd 'allow rwx pool=data'
>> > [2] mon 'allow r' osd 'allow rwx pool=data'
>> > [3] mds 'allow rwx' mon 'allow r' osd 'allow rwx pool=data'
>> >
>> > I'm inclined to go with [3]. [1] seems weird for using *, I like seeing
>> > rwx. Are these synonymous? [2] seems wrong because it doesn't include
>> > anything for MDS.
>> >
>> > - Travis
>> >
>> > _______________________________________________
>> > ceph-users mailing list
>> > ceph-users at lists.ceph.com
>> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>> >
>
>
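A least-privilege lint for the capability sets discussed in this thread, added here as an illustration and not part of the mailing-list exchange or of Ceph itself. It parses both the `ceph auth get`-style block quoted above and the one-line `mds '...' mon '...' osd '...'` form from the original question, and flags `allow *` (admin-equivalent, per Greg's reply), monitor caps beyond `allow r`, OSD caps not scoped to a pool, and a missing MDS cap; the sample entries are constructed to mirror the thread.

```python
import re

# Matches one line of `ceph auth get` output, e.g. "caps: [osd] allow rwx pool=data"
CAP_LINE = re.compile(r"caps:\s*\[(\w+)\]\s*(.*)")
# Matches the command-line form, e.g. "mds 'allow rwx' mon 'allow r'"
CAP_ARG = re.compile(r"(\w+)\s+'([^']*)'")

# Constructed sample, shaped like the entries quoted in the thread (keys redacted)
CEPHFS_ENTRY = """client.cephfs
        key: <redacted>
        caps: [mds] allow rwx
        caps: [mon] allow r
        caps: [osd] allow rwx pool=data
"""
ADMIN_ENTRY = """client.admin
        key: <redacted>
        caps: [mds] allow
        caps: [mon] allow *
        caps: [osd] allow *
"""

def parse_auth_entry(text):
    """Return (entity, {service: capstring}) from one `ceph auth get` entry."""
    entity, caps = None, {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = CAP_LINE.match(line)
        if m:
            caps[m.group(1)] = m.group(2).strip()
        elif not line.startswith("key:") and entity is None:
            entity = line  # first non-cap, non-key line is the entity name
    return entity, caps

def parse_cap_args(spec):
    """Return {service: capstring} from the "mds 'allow rwx' mon 'allow r'" form."""
    return {svc: cap for svc, cap in CAP_ARG.findall(spec)}

def lint_caps(caps):
    """Return findings for a CephFS-only client; an empty list means it looks least-privilege."""
    findings = []
    for svc, cap in caps.items():
        if "*" in cap:
            findings.append(f"{svc}: 'allow *' is admin-equivalent; prefer explicit rwx")
    if caps.get("mon", "allow r") != "allow r":
        findings.append(f"mon: '{caps['mon']}' grants more than read-only monitor access")
    if "osd" in caps and "pool=" not in caps["osd"]:
        findings.append("osd: capability is not scoped to a pool")
    if "mds" not in caps:
        findings.append("mds: no MDS capability; a CephFS client needs one")
    return findings
```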