Ah, I figured it out. My original key worked, but I needed to use the --id option with ceph-fuse to tell it to use the cephfs user rather than the admin user. Tailing the log on my monitor pointed out that it was logging in with client.admin, but providing the key for client.cephfs. So, final working command is: ceph-fuse -k /etc/ceph/ceph.client.cephfs.keyring --id cephfs -m ceph0-10g /data I will note that neither the "-k" or "--id" options are present in "man ceph-fuse", "ceph-fuse --help", or in the Ceph docs, really. An example using "-k" is found here: http://ceph.com/docs/master/start/quick-cephfs/#filesystem-in-user-space-fuse, but there is never any mention of needing to change users if you are not using client.admin. In fact, using the search functionality on "ceph-fuse" returns zero results. If I'm ambitious I'll submit changes for the docs... Thanks for the help! - Travis On Wed, Apr 2, 2014 at 12:00 PM, Travis Rhoden <trhoden at gmail.com> wrote: > Thanks for the response Greg. > > Unfortunately, I appear to be missing something. If I use my "cephfs" key > with these perms: > > client.cephfs > key: <redacted> > caps: [mds] allow rwx > caps: [mon] allow r > caps: [osd] allow rwx pool=data > > This is what happens when I mount: > > # ceph-fuse -k /etc/ceph/ceph.client.cephfs.keyring -m ceph0-10g /data > ceph-fuse[13533]: starting ceph client > ceph-fuse[13533]: ceph mount failed with (1) Operation not permitted > ceph-fuse[13531]: mount failed: (1) Operation not permitted > > But using the admin key works just fine: > > # ceph-fuse -k /etc/ceph/ceph.client.admin.keyring -m ceph0-10g /data > ceph-fuse[13548]: starting ceph client > ceph-fuse[13548]: starting fuse > > The admin key as the following perms: > > client.admin > key: <redacted> > caps: [mds] allow > caps: [mon] allow * > caps: [osd] allow * > > Since the mds permissions are functionally equivalent, either I need extra > rights on the monitor, or the OSDs. Does a client need to access the > metadata pool in order to do a CephFS mount? > > I'll experiment a bit and report back. > > > On Mon, Mar 31, 2014 at 1:36 PM, Gregory Farnum <greg at inktank.com> wrote: > >> At present, the only security permission on the MDS is "allowed to do >> stuff", so "rwx" and "*" are synonymous. In general "*" means "is an >> admin", though, so you'll be happier in the future if you use "rwx". >> You may also want a more restrictive set of monitor capabilities as >> somebody else recently pointed out, but [3] will give you the >> filesystem access you're looking for. >> -Greg >> Software Engineer #42 @ http://inktank.com | http://ceph.com >> >> >> On Fri, Mar 28, 2014 at 9:40 AM, Travis Rhoden <trhoden at gmail.com> wrote: >> > Hi Folks, >> > >> > What would be the right set of capabilities to set for a new client key >> that >> > has access to CephFS only? I've seen a few different examples: >> > >> > [1] mds 'allow *' mon 'allow r' osd 'allow rwx pool=data' >> > [2] mon 'allow r' osd 'allow rwx pool=data' >> > [3] mds 'allow rwx' mon 'allow r' osd 'allow rwx pool=data' >> > >> > I'm inclined to go with [3]. [1] seems weird for using *, I like seeing >> rwx. >> > Are these synonymous? [2] seems wrong because it doesn't include >> anything >> > for MDS. >> > >> > - Travis >> > >> > _______________________________________________ >> > ceph-users mailing list >> > ceph-users at lists.ceph.com >> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com >> > >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.ceph.com/pipermail/ceph-users-ceph.com/attachments/20140402/cb9bdf77/attachment.htm>
 |