Re: Mapping rbd with read permission

Hi,

Thanks, Ilya, for the reply. I require some more clarifications; correct me if I am wrong somewhere.

I am able to map the rbd with the --read-only option using the user-specific keyring for pool3, since it has "rwx", but I am unable to map for pool1, where the capabilities are "rx"/"r" (i.e. I tried both).

The user-specific keyring for client8 is as follows:
client.client8
        key: AQB9bjVU4FWPMBAAeB8DBAU53LoYV+bIKSr7WQ==
        caps: [mds] allow
        caps: [mon] allow r
        caps: [osd] allow class-read object_prefix rbd_children, allow pool pool1 r class-read, allow pool pool3 rwx

server@node1:~$ sudo rbd map --read-only pool3img2 -p pool3 -n client.client8 -k /etc/ceph/client.client8.keyring
2014-10-09 16:11:51.781214 7f2934e58840  2 auth: KeyRing::load: loaded key file /etc/ceph/client.client8.keyring
/dev/rbd5
server@node1:~$ sudo rbd map --read-only pool1img3 -p pool1 -n client.client8 -k /etc/ceph/client.client8.keyring
2014-10-09 16:13:06.670636 7fc80d68b840  2 auth: KeyRing::load: loaded key file /etc/ceph/client.client8.keyring
rbd: sysfs write failed
rbd: map failed: (1) Operation not permitted

As per this link, http://ceph.com/docs/master/man/8/ceph-authtool/?highlight=authtool, we can set read access to one pool. Is this read access allowed for objects or only for classes in that pool?
What is the exact usage of the "allow pool pool1 r class-read" capability?


Regards,
Ramakrishnan P

-----Original Message-----
From: Ilya Dryomov [mailto:ilya.dryomov@xxxxxxxxxxx]
Sent: Thursday, October 02, 2014 12:34 PM
To: Ramakrishnan Periyasamy
Cc: ceph-users@xxxxxxxx
Subject: Re:  Mapping rbd with read permission

On Wed, Oct 1, 2014 at 2:56 PM, Ramakrishnan Periyasamy <Ramakrishnan.Periyasamy@xxxxxxxxxxx> wrote:
> Hi,
>
> I have a doubt in mapping rbd using client keyring file. Created
> keyring as below
>
> sudo ceph-authtool -C -n client.foo --gen-key /etc/ceph/keyring
> sudo chmod +r /etc/ceph/keyring
> sudo ceph-authtool -n client.foo --cap mds 'allow' --cap osd 'allow rw pool=pool1' --cap mon 'allow r' /etc/ceph/keyring
> sudo ceph-authtool -l /etc/ceph/keyring
> sudo ceph -k /etc/ceph/ceph.client.admin.keyring auth add client.foo -i /etc/ceph/keyring
>
> root@client1:~$ sudo cat /etc/ceph/keyring
> [client.foo]
>         key = AQDkeSlUWGa6ExAAf2T/S6kJdQtRJqNoovinWw==
>         caps mds = "allow"
>         caps mon = "allow r"
>         caps osd = "allow r pool=pool1"
>
> I tried mapping rbd and got following error message
>
> root@client1:~$ sudo rbd map img1 -p pool1 -n client.foo -k /etc/ceph/keyring
> 2014-10-01 21:37:43.404051 7f3858d4a840  2 auth: KeyRing::load: loaded key file /etc/ceph/keyring
> rbd: sysfs write failed
> rbd: map failed: (34) Numerical result out of range

This is a busted error code, read -EPERM.  Fixed in testing.

> How to map an rbd after setting read-only permission for particular pool?

You can't do that, however you can establish a read-only mapping with 'rbd map --read-only'.  The reason is 'rbd map' (even with the --read-only switch) issues a write osd op to set up watch/notify stuff.  Moreover, you need the 'x' bit as well: the rbd client needs to be able to execute cls methods to function.

Thanks,

                Ilya
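
The check implied by the reply above, as an added example (not code from this thread or from Ceph): it parses only the OSD cap forms that appear in the two keyrings quoted here and reports which of r, w and x are missing on a pool. The function names are hypothetical, and the rule that mapping needs r, w and x is taken from the reply, not from Ceph's source.

```python
# Added example: names are hypothetical, not part of Ceph. Rule from the reply:
# 'rbd map' (even --read-only) issues a write OSD op and needs 'x' for cls methods.
REQUIRED = {"r", "w", "x"}

def parse_osd_caps(caps):
    """Return a list of (pool, object_prefix, bits) grants from an OSD caps string."""
    grants = []
    for clause in caps.split(","):
        tokens = clause.split()
        if not tokens or tokens[0] != "allow":
            raise ValueError("unsupported clause: %r" % clause)
        pool = prefix = None
        bits = set()
        rest = iter(tokens[1:])
        for tok in rest:
            if tok == "pool":                      # form: allow pool <name> rwx
                pool = next(rest)
            elif tok.startswith("pool="):          # form: allow rwx pool=<name>
                pool = tok[len("pool="):]
            elif tok == "object_prefix":           # grant limited to matching objects
                prefix = next(rest)
            elif tok in ("class-read", "class-write"):
                bits.add(tok)
            elif tok == "*":
                bits |= {"r", "w", "x"}
            elif set(tok) <= set("rwx"):
                bits |= set(tok)
            else:
                raise ValueError("unsupported token: %r" % tok)
        grants.append((pool, prefix, bits))
    return grants

def missing_for_map(caps, pool):
    """Bits from REQUIRED that the caps do not grant on the whole of `pool`."""
    have = set()
    for grant_pool, prefix, bits in parse_osd_caps(caps):
        if prefix is None and grant_pool in (None, pool):
            have |= bits
    if {"class-read", "class-write"} <= have:      # 'x' is class-read + class-write
        have.add("x")
    return sorted(REQUIRED - have)

# OSD caps copied from the two keyrings quoted in this thread.
CLIENT8 = ("allow class-read object_prefix rbd_children, "
           "allow pool pool1 r class-read, allow pool pool3 rwx")
CLIENT_FOO = "allow r pool=pool1"
if __name__ == "__main__":
    print(missing_for_map(CLIENT8, "pool1"), missing_for_map(CLIENT8, "pool3"))
```

An empty result for a pool matches the mapping that succeeded in the thread (pool3); a non-empty result matches the ones that failed with "Operation not permitted".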




