Hi Jason,

Thank you for the information. I saw the documentation but the
"rbd_children" caps weren't well explained. I was interested if those
caps must be set globally or can be restricted to a pool since in our use
case of Ceph several users have independent access to their pool. What
we want to avoid is that users can globally see or read anything from
another user.

I see now why they need to be global since an rbd image can have cloned
snapshots (children) in another pool and before deleting or
unprotecting the parent I need to check if there are no children in
other pools.

Best,
Martin

On Thu, Jan 12, 2017 at 5:38 PM, Jason Dillaman <jdillama@xxxxxxxxxx> wrote:
> The "rbd snap unprotect" action needs to scan the "rbd_children"
> object of all pools to ensure that the image doesn't have any children
> attached. Therefore, you need to ensure that the user that will
> perform the "snap unprotect" has the "allow class-read object_prefix
> rbd_children" on all pools [1].
>
> [1] http://docs.ceph.com/docs/master/man/8/ceph-authtool/#capabilities
>
> On Thu, Jan 12, 2017 at 10:56 AM, Martin Palma <martin@xxxxxxxx> wrote:
>> Hi all,
>>
>> what permissions do I need to unprotect a protected rbd snapshot?
>>
>> Currently the key interacting with the pool containing the rbd image
>> has the following permissions:
>>
>> mon 'allow r'
>> osd 'allow rwx pool=vms'
>>
>> When I try to unprotect a snapshot with the following command "rbd
>> snap unprotect vms/ubuntu@snap" I get the following error:
>>
>> 2017-01-12 16:45:15.385212 7fab38ee4700 -1
>> librbd::SnapshotUnprotectRequest: cannot get children for pool 'vms'
>> 2017-01-12 16:45:15.385343 7fab38ee4700 -1
>> librbd::SnapshotUnprotectRequest: cannot get children for pool 'data'
>> 2017-01-12 16:45:15.386220 7fab38ee4700 -1
>> librbd::SnapshotUnprotectRequest: cannot get children for pool
>> 'cephfs_data'
>> 2017-01-12 16:45:15.386332 7fab38ee4700 -1
>> librbd::SnapshotUnprotectRequest: cannot get children for pool
>> 'cephfs_metadata'
>> 2017-01-12 16:45:15.386845 7fab38ee4700 -1
>> librbd::SnapshotUnprotectRequest: encountered error: (1) Operation not
>> permitted
>> 2017-01-12 16:45:15.386870 7fab38ee4700 -1
>> librbd::SnapshotUnprotectRequest: 0x7fab6376a4a0
>> should_complete_error: ret_val=-1
>> 2017-01-12 16:45:15.389819 7fab38ee4700 -1
>> librbd::SnapshotUnprotectRequest: 0x7fab6376a4a0
>> should_complete_error: ret_val=-1
>> rbd: unprotecting snap failed: (1) Operation not permitted
>>
>> What additional permission does the key need? And why does the command
>> try to get children on all pools?
>>
>> Best,
>> Martin
>> _______________________________________________
>> ceph-users mailing list
>> ceph-users@xxxxxxxxxxxxxx
>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
>
>
> --
> Jason
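
An added example, not part of the thread and not Ceph's own code: a Python check that a key's OSD caps carry the all-pool `allow class-read object_prefix rbd_children` grant named in the thread while every other grant stays limited to the user's own pools. The parser covers only a simplified subset of the cap syntax (an assumption), and `parse_osd_caps`, `is_children_grant`, `audit` and the sample cap strings are constructed for illustration.

```python
import re

def parse_osd_caps(caps):
    """Parse an OSD cap string into grants (simplified subset of the syntax,
    an assumption): allow <access...> [pool=<name>] [object_prefix <prefix>]."""
    grants = []
    for clause in re.split(r"[,;]", caps):
        tokens = clause.split()
        if not tokens:
            continue
        if tokens[0] != "allow":
            raise ValueError(f"unsupported clause: {clause.strip()!r}")
        grant = {"access": [], "pool": None, "object_prefix": None}
        rest = iter(tokens[1:])
        for tok in rest:
            if tok.startswith("pool="):
                grant["pool"] = tok[len("pool="):]
            elif tok == "object_prefix":
                grant["object_prefix"] = next(rest, None)
            else:
                grant["access"].append(tok)
        grants.append(grant)
    return grants

def is_children_grant(g):
    """True for the all-pool grant named in the thread:
    allow class-read object_prefix rbd_children (no pool= restriction)."""
    return (g["pool"] is None and g["access"] == ["class-read"]
            and g["object_prefix"] == "rbd_children")

def audit(caps, own_pools):
    """Return (children_grant_present, grants reaching beyond own_pools)."""
    grants = parse_osd_caps(caps)
    present = any(is_children_grant(g) for g in grants)
    too_broad = [g for g in grants
                 if not is_children_grant(g) and g["pool"] not in own_pools]
    return present, too_broad

if __name__ == "__main__":
    # Constructed inputs: the key from the thread, the same key with the
    # rbd_children grant added, and a key whose rwx grant is not pool-scoped.
    for caps in ("allow rwx pool=vms",
                 "allow class-read object_prefix rbd_children, allow rwx pool=vms",
                 "allow class-read object_prefix rbd_children, allow rwx"):
        print(caps, "->", audit(caps, {"vms"}))
```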