Re: Mapping rbd with read permission

On Thu, Oct 9, 2014 at 9:32 AM, Ramakrishnan Periyasamy
<Ramakrishnan.Periyasamy@xxxxxxxxxxx> wrote:
> Hi,
>
> Thanks Ilya for the reply. I require some more clarifications, correct me if I am wrong somewhere.
>
> I am able to map rbd with the --read-only option using a user-specific keyring for pool3 since it has "rwx", but am unable to map for pool1 where the capabilities are "rx"/"r" (i.e. tried both).
>
> The user-specific keyring for client8 is as follows:
> client.client8
>         key: AQB9bjVU4FWPMBAAeB8DBAU53LoYV+bIKSr7WQ==
>         caps: [mds] allow
>         caps: [mon] allow r
>         caps: [osd] allow class-read object_prefix rbd_children, allow pool pool1 r class-read, allow pool pool3 rwx
>
> server@node1:~$ sudo rbd map --read-only pool3img2 -p pool3 -n client.client8 -k /etc/ceph/client.client8.keyring
> 2014-10-09 16:11:51.781214 7f2934e58840  2 auth: KeyRing::load: loaded key file /etc/ceph/client.client8.keyring
> /dev/rbd5
> server@node1:~$ sudo rbd map --read-only pool1img3 -p pool1 -n client.client8 -k /etc/ceph/client.client8.keyring
> 2014-10-09 16:13:06.670636 7fc80d68b840  2 auth: KeyRing::load: loaded key file /etc/ceph/client.client8.keyring
> rbd: sysfs write failed
> rbd: map failed: (1) Operation not permitted
>
> As per this link http://ceph.com/docs/master/man/8/ceph-authtool/?highlight=authtool we can set read access to one pool, is this read access allowed for objects or only classes in that Pool ?
> What is the exact usage of "allow pool pool1 r class-read" capability ?

osd capabilities are at the rados (lower) layer, --read-only is at the
kernel rbd (higher) layer, they have nothing in common.  Like I said in
my previous mail, to map an rbd image you need to have both write and
execute capabilities, *even* if you are going to be mapping with
--read-only.  That's the reason mapping out of pool1 above fails with
-EPERM.

As far as class-read and rbd, I think with --read-only you can get away
with 'rw class-read' instead of 'rwx', but I haven't tried it and the
value of that given that you are still going to need 'w' is unclear.

With 'r class-read' you can read objects and execute read-only cls
methods.  Unfortunately, because of how watch osd ops work, that won't
work for rbd pools, you'll need to make it 'rw class-read' at least.

Thanks,

                Ilya
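An added example, not code from this thread or from Ceph: a small checker that parses an osd cap string in the format quoted above (both token orders, `allow <perms> <match>` and `allow <match> <perms>`) and applies the rule Ilya states, namely that mapping needs r, w and x regardless of --read-only, with `rw class-read` flagged as the variant he mentions but has not tested. It assumes only `allow` grants with `pool`, `object_prefix` or `namespace` matches; `profile` grants are not handled.

```python
import re

# Multi-character permission words; single letters r/w/x may be run together ("rwx").
PERM_WORDS = {"class-read", "class-write", "*"}
MATCH_KEYS = ("pool", "object_prefix", "namespace")

# The osd caps quoted in the thread for client.client8.
CAPS_FROM_THREAD = ("allow class-read object_prefix rbd_children, "
                    "allow pool pool1 r class-read, allow pool pool3 rwx")

def parse_osd_caps(caps):
    """Split an osd cap string into (perms, match) pairs, one per grant."""
    grants = []
    for clause in caps.split(","):
        toks = clause.split()
        if not toks or toks[0] != "allow":
            raise ValueError("unsupported grant: %r" % clause)
        perms, match, i = set(), {}, 1
        while i < len(toks):
            tok = toks[i]
            if tok in PERM_WORDS or re.fullmatch(r"[rwx]+", tok):
                perms.update([tok] if tok in PERM_WORDS else tok)
                i += 1
            elif tok.startswith("pool="):            # 'pool=foo' spelling
                match["pool"] = tok[len("pool="):]
                i += 1
            elif tok in MATCH_KEYS and i + 1 < len(toks):
                match[tok] = toks[i + 1]               # 'pool foo' spelling
                i += 2
            else:
                raise ValueError("cannot parse %r in %r" % (tok, clause))
        grants.append((perms, match))
    return grants

def pool_perms(grants, pool):
    """Union of perms covering every object in `pool`. Grants limited to an
    object_prefix or namespace (e.g. rbd_children) are skipped: they do not
    cover the image header/data objects a map must touch."""
    perms = set()
    for p, m in grants:
        if "object_prefix" in m or "namespace" in m:
            continue
        if m.get("pool", pool) == pool:   # no pool match => applies to all pools
            perms |= p
    if "*" in perms:
        perms |= {"r", "w", "x", "class-read", "class-write"}
    return perms

def rbd_map_verdict(caps, pool):
    """Predict whether 'rbd map' out of `pool` passes the osd cap check."""
    perms = pool_perms(parse_osd_caps(caps), pool)
    if {"r", "w", "x"} <= perms:
        return "map ok (rwx)"
    if {"r", "w", "class-read"} <= perms:
        return "map maybe ok with --read-only (rw class-read, untested)"
    missing = sorted({"r", "w", "x"} - perms)
    return "map fails with EPERM, missing %s" % ",".join(missing)
```

Running `rbd_map_verdict(CAPS_FROM_THREAD, "pool1")` reproduces the EPERM outcome from the thread, while pool3 passes.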