Re: ceph client capabilities for the rados gateway

Thank you for your response. Yes, as I wrote, the gateway seems to 
work with these settings.

The reason why I am considering the capabilities is: I am trying to 
attach an OpenStack environment and a gateway to the same cluster, 
and I would like to prevent the OpenStack admin from accessing the S3 
gateway data and, vice versa, to prevent the gateway admin from accessing 
the OpenStack data. I just wonder if there is a reason why the 
documentation suggests these very global capabilities.

Gregory Farnum wrote on Wed, 31 May 2017 20:07:16 +0000

> 
> I don't work with the gateway but in general that should work. 
> 
> That said, the RGW also sees all your client data going in so I'm not 
> sure how much you buy by locking it down. If you're just trying to 
> protect against accidents with the pools, you might give it write access 
> on the monitor; any failures due to capability mismatches there would 
> likely be pretty annoying to debug!
> -Greg
> 
> 
> On Wed, May 31, 2017 at 12:21 AM Diedrich Ehlerding 
> <diedrich.ehlerding@xxxxxxxxxxxxxx> wrote:
>     Hello.
>     
>     The documentation which I found proposes to create the ceph client
>     for a rados gateway with very global capabilities, namely
>     "mon allow rwx, osd allow rwx".
>     
>     Are there any reasons for these very global capabilities (allowing
>     this client to access and modify (even remove) all pools, all rbds,
>     etc., even those in use by other ceph clients)? I tried to restrict
>     the rights, and my rados gateway seems to work with
>     capabilities "mon allow r, osd allow rwx pool=.rgw.root, allow rwx
>     pool=a.root, allow rwx pool=am.rgw.control [etc. for all the pools
>     which this gateway uses]"
>     
>     Are there any reasons not to restrict the capabilities in this way?
-- 
Diedrich Ehlerding, Fujitsu Technology Solutions GmbH, 
MIS ITST CE PS&IS WST, Hildesheimer Str 25, D-30880 Laatzen
Fon +49 511 8489-1806, Fax -251806, Mobil +49 173 2464758
Firmenangaben: http://de.ts.fujitsu.com/imprint.html
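
Added example, not part of the original thread: a small audit that parses keyring-style text (the format printed by `ceph auth get`) and reports clients whose OSD capabilities are not scoped to a pool, or whose mon capabilities go beyond read, which is the difference between the two capability sets discussed above. The entity names and sample keyring are constructed, and only the simple `allow <perms> [pool=<name>]` clause form is handled (an assumption; Ceph's capability grammar has more forms).

```python
import re

# Constructed sample in the keyring format printed by `ceph auth get`;
# the entity names are made up, the cap strings are the two quoted in the thread.
SAMPLE_KEYRING = '''
[client.rgw.broad]
	caps mon = "allow rwx"
	caps osd = "allow rwx"
[client.rgw.scoped]
	caps mon = "allow r"
	caps osd = "allow rwx pool=.rgw.root, allow rwx pool=a.root, allow rwx pool=am.rgw.control"
'''

def parse_keyring(text):
    """Return {entity: {daemon_type: caps_string}}."""
    entities, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = entities.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r'caps (\w+) = "(.*)"', line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entities

def osd_grants(caps):
    """Split an OSD cap string into (perms, pool) pairs; pool is None if unscoped.
    Only the simple 'allow <perms> [pool=<name>]' form is handled (assumption)."""
    grants = []
    for clause in filter(None, (c.strip() for c in caps.split(","))):
        m = re.fullmatch(r"allow\s+(\S+)(?:\s+pool=(\S+))?", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        grants.append((m.group(1), m.group(2)))
    return grants

def audit(text):
    """List findings: cluster-wide OSD write grants and mon grants beyond read."""
    findings = []
    for entity, caps in parse_keyring(text).items():
        for perms, pool in osd_grants(caps.get("osd", "")):
            if pool is None and (perms == "*" or "w" in perms):
                findings.append((entity, "osd", f"allow {perms} on all pools"))
        m = re.fullmatch(r"allow\s+(\S+)", caps.get("mon", ""))
        if m and m.group(1) != "r":
            findings.append((entity, "mon", f"allow {m.group(1)}"))
    return findings
```

A mon finding is informational: as noted in the reply quoted above, a client may still need write access on the monitor.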

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com