Hi Loris,

If I'm not mistaken, there are no RBD ACLs in cephx. Why not one pool per client and pool quotas?

David.

2016-02-12 3:34 GMT+01:00 Loris Cuoghi <lc@xxxxxxxxxxxxxxxxx>:
> Hi!
>
> We are on version 9.2.0, 5 mons and 80 OSDs distributed on 10 hosts.
>
> How could we twist cephx capabilities so as to forbid our KVM+QEMU+libvirt
> hosts any RBD creation capability?
>
> We currently have an rbd-user key like so:
>
> caps: [mon] allow r
> caps: [osd] allow x object_prefix rbd_children, allow rwx object_prefix rbd_header., allow rwx object_prefix rbd_id., allow rw object_prefix rbd_data.
>
> And another rbd-manager key like the one suggested in the documentation,
> which is used on a central machine which is the only one allowed to create
> RBD images:
>
> caps: [mon] allow r
> caps: [osd] allow class-read object_prefix rbd_children, allow rwx pool=rbd
>
> Now, the libvirt hosts all share the same "rbd-user" secret.
> Our intention is to permit the QEMU processes to take full advantage of any
> single RBD functionality, but to forbid any new RBD creation with this same
> key, in the eventuality of a stolen key or other hellish scenarios.
>
> What cephx capabilities did you guys configure for your virtualization
> hosts?
>
> Thanks,
>
> Loris
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
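To make the difference between the two posted keys concrete, here is an added example (my own, not code from the thread or from Ceph) that evaluates the OSD capability strings quoted above against a few (pool, object, operation) requests. It models only the part of the cap grammar those keys use, `allow <perms> [object_prefix <p> | pool=<name>]`, and assumes cephx's semantics: a request passes if any clause grants it, `x` means class-read plus class-write, and an `object_prefix` clause with no `pool=` matches that prefix in every pool. The object names it probes (`rbd_data.1234.0000000000`, `rbd_directory`, the pool name `other-pool`) are constructed for the example; `rbd_directory` is used simply as an object outside the prefixes the rbd-user key lists. The `unscoped_grants` check lists the clauses that are not tied to a pool, which is exactly what a one-pool-per-client layout would tighten.

```python
"""Toy evaluator for cephx OSD capability strings (constructed example, not Ceph code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

ALL_PERMS = frozenset({"r", "w", "class-read", "class-write"})


@dataclass(frozen=True)
class Grant:
    perms: frozenset
    object_prefix: Optional[str] = None  # None: any object name
    pool: Optional[str] = None           # None: any pool (assumed cephx semantics)

    def permits(self, pool: str, obj: str, needed: frozenset) -> bool:
        if self.pool is not None and self.pool != pool:
            return False
        if self.object_prefix is not None and not obj.startswith(self.object_prefix):
            return False
        return needed <= self.perms


def _expand_perms(tokens: Iterable[str]) -> frozenset:
    """Turn tokens such as 'rwx', 'class-read', '*' into a flat permission set."""
    perms = set()
    for tok in tokens:
        if tok == "*":
            perms |= ALL_PERMS
        elif tok in ("class-read", "class-write"):
            perms.add(tok)
        elif re.fullmatch(r"[rwx]+", tok):
            for ch in tok:
                # assumption: 'x' is shorthand for class-read + class-write
                perms |= {"class-read", "class-write"} if ch == "x" else {ch}
        else:
            raise ValueError(f"unknown permission token {tok!r}")
    return frozenset(perms)


def parse_osd_caps(caps: str) -> List[Grant]:
    """Parse a comma-separated list of 'allow ...' clauses (subset of the cephx grammar)."""
    grants = []
    for clause in caps.split(","):
        words = clause.split()
        if not words or words[0] != "allow":
            raise ValueError(f"bad clause {clause!r}")
        perm_tokens, pool, prefix = [], None, None
        i = 1
        while i < len(words):
            w = words[i]
            if w == "object_prefix":
                prefix, i = words[i + 1], i + 2
            elif w.startswith("pool="):
                pool, i = w[len("pool="):], i + 1
            elif w == "pool":
                pool, i = words[i + 1], i + 2
            else:
                perm_tokens.append(w)
                i += 1
        if not perm_tokens:
            raise ValueError(f"no permissions in clause {clause!r}")
        grants.append(Grant(_expand_perms(perm_tokens), prefix, pool))
    return grants


def allowed(caps: str, pool: str, obj: str, needed: Iterable[str]) -> bool:
    """True if any clause in `caps` grants every permission in `needed` for (pool, obj)."""
    need = frozenset(needed)
    return any(g.permits(pool, obj, need) for g in parse_osd_caps(caps))


def unscoped_grants(caps: str) -> List[str]:
    """Prefixes ('*' for none) of clauses that carry no pool= restriction."""
    return [g.object_prefix or "*" for g in parse_osd_caps(caps) if g.pool is None]


# The two OSD cap strings quoted in the thread.
RBD_USER_OSD_CAPS = ("allow x object_prefix rbd_children, allow rwx object_prefix rbd_header., "
                     "allow rwx object_prefix rbd_id., allow rw object_prefix rbd_data.")
RBD_MANAGER_OSD_CAPS = "allow class-read object_prefix rbd_children, allow rwx pool=rbd"

if __name__ == "__main__":
    # Constructed requests: data write, a write to an object outside the prefixes, cross-pool use.
    for caps_name, caps in (("rbd-user", RBD_USER_OSD_CAPS), ("rbd-manager", RBD_MANAGER_OSD_CAPS)):
        print(caps_name, "unscoped:", unscoped_grants(caps))
        for pool, obj, need in (("rbd", "rbd_data.1234.0000000000", {"w"}),
                                ("rbd", "rbd_directory", {"w"}),
                                ("other-pool", "rbd_data.1234.0000000000", {"w"})):
            print(f"  {pool}/{obj} {sorted(need)} -> {allowed(caps, pool, obj, need)}")
```

Under these assumed semantics the rbd-user key can write `rbd_data.` objects in any pool (none of its clauses is pool-scoped) but cannot touch an object outside its four prefixes, while the rbd-manager key can do anything inside `pool=rbd` and only class-read `rbd_children` elsewhere. Running the same checks against a real cluster's caps (`ceph auth get client.<name>`) is the way to confirm what a given key can reach.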