I don't work with the gateway but in general that should work.
That said, the RGW also sees all your client data going in so I'm not sure how much you buy by locking it down. If you're just trying to protect against accidents with the pools, you might give it write access on the monitor; any failures due to capability mismatches there would likely be pretty annoying to debug!
-Greg
On Wed, May 31, 2017 at 12:21 AM Diedrich Ehlerding <diedrich.ehlerding@xxxxxxxxxxxxxx> wrote:
Hello.
The documentation which I found proposes to create the ceph client
for a rados gateway with very global capabilities, namely
"mon allow rwx, osd allow rwx".
Are there any reasons for these very global capabilities (allowing
this client to access and modify (even remove) all pools, all rbds,
etc., event thiose in use vy other ceph clients? I tried to restrict
the rights, and my rados gateway seems to work with
capabilities "mon allow r, osd allow rwx pool=.rgw.root, allow rwx
pool=a.root, allow rwx pool=am.rgw.control [etc. for all the pools
which this gateway uses]"
Are there any reasons not to restrict the capabilities in this way?
Thank you.
--
Diedrich Ehlerding, Fujitsu Technology Solutions GmbH,
MIS ITST CE PS&IS WST, Hildesheimer Str 25, D-30880 Laatzen
Fon +49 511 8489-1806, Fax -251806, Mobil +49 173 2464758
Firmenangaben: http://de.ts.fujitsu.com/imprint.html
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
_______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com