Re: ceph client capabilities for the rados gateway

On Wed, May 31, 2017 at 11:20 PM Diedrich Ehlerding <diedrich.ehlerding@xxxxxxxxxxxxxx> wrote:
Thank you for your response. Yes, as I wrote, the gateway seems to
work with these settings.

The reason why I am considering the capabilities is: I am trying to
attach an OpenStack environment and a gateway to the same cluster,
and I would like to prevent the OpenStack admin from accessing the S3
gateway data and, vice versa, to prevent the gateway admin from accessing
the OpenStack data. I just wonder if there is a reason why the
documentation suggests these very global capabilities.

You've probably noticed the RGW will create pools if it needs them and they don't exist. That's why it "needs" the extra monitor capabilities. The OSD capabilities are because 1) I don't think you could make them as fine-grained when that documentation was written, 2) laziness about specifying pools. :)

So, you should be good to go!
 

Gregory Farnum wrote on Wed, 31 May 2017 20:07:16 +0000

>
> I don't work with the gateway but in general that should work.
>
> That said, the RGW also sees all your client data going in so I'm not
> sure how much you buy by locking it down. If you're just trying to
> protect against accidents with the pools, you might give it write access
> on the monitor; any failures due to capability mismatches there would
> likely be pretty annoying to debug!
> -Greg
>
>
> On Wed, May 31, 2017 at 12:21 AM Diedrich Ehlerding
> <diedrich.ehlerding@xxxxxxxxxxxxxx> wrote:
>     Hello.
>
>     The documentation which I found proposes to create the ceph client
>     for a rados gateway with very global capabilities, namely
>     "mon allow rwx, osd allow rwx".
>
>     Are there any reasons for these very global capabilities (allowing
>     this client to access and modify (even remove) all pools, all rbds,
>     etc., even those in use by other ceph clients)? I tried to restrict
>     the rights, and my rados gateway seems to work with
>     capabilities "mon allow r, osd allow rwx pool=.rgw.root, allow rwx
>     pool=a.root, allow rwx pool=am.rgw.control [etc. for all the pools
>     which this gateway uses]"
>
>     Are there any reasons not to restrict the capabilities in this way?
--
Diedrich Ehlerding, Fujitsu Technology Solutions GmbH,
MIS ITST CE PS&IS WST, Hildesheimer Str 25, D-30880 Laatzen
Fon +49 511 8489-1806, Fax -251806, Mobil +49 173 2464758
Firmenangaben: http://de.ts.fujitsu.com/imprint.html
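To make the difference between the two cap styles in this thread concrete, here is an added Python example (not part of the thread and not Ceph's own code). It models the `allow <perms> [pool=<name>]` form of cephx mon and osd capabilities, parses the documented global caps and the restricted per-pool caps as they would be passed to `ceph auth get-or-create`, and lists which pools each client could write to. The pool names `.rgw.root`, `a.root` and `am.rgw.control` come from the thread; `volumes` and `images` are constructed stand-ins for pools belonging to another tenant such as the OpenStack side.

```python
"""Simplified model of cephx capability strings (added example, not Ceph code).

Handles only the 'allow <perms> [pool=<name>]' clauses; the real grammar also
has namespace=, object_prefix, class-read/class-write and 'profile' forms,
which this model rejects rather than guessing at.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

PERMS = {"r", "w", "x"}


@dataclass(frozen=True)
class Grant:
    perms: frozenset            # subset of {"r", "w", "x"}
    pool: Optional[str] = None  # None: the grant is not restricted to one pool


def parse_service_caps(cap_str):
    """Parse one service's cap string, e.g. 'allow rwx pool=.rgw.root, allow r'."""
    grants = []
    for clause in cap_str.split(","):
        tokens = clause.split()
        if not tokens:
            continue
        if tokens[0] != "allow":
            raise ValueError(f"unsupported clause: {clause.strip()!r}")
        perms, pool = set(), None
        for tok in tokens[1:]:
            if tok.startswith("pool="):
                pool = tok[len("pool="):]
            elif tok == "*":
                perms |= PERMS
            elif set(tok) <= PERMS:
                perms |= set(tok)
            else:
                raise ValueError(f"unsupported token {tok!r} in {clause.strip()!r}")
        grants.append(Grant(frozenset(perms), pool))
    return grants


def parse_caps(caps):
    """Parse a full caps string as given to 'ceph auth get-or-create', e.g.
    mon 'allow r' osd 'allow rwx pool=.rgw.root, allow rwx pool=a.root'
    Returns {service: [Grant, ...]}."""
    tokens = shlex.split(caps)
    if len(tokens) % 2:
        raise ValueError("caps must be service / cap-string pairs")
    return {svc: parse_service_caps(cap) for svc, cap in zip(tokens[::2], tokens[1::2])}


def permits(caps, service, perm, pool=None):
    """True if any grant for `service` allows `perm` on `pool`
    (pool=None is used for services such as mon that are not pool-scoped)."""
    return any(
        perm in g.perms and (g.pool is None or g.pool == pool)
        for g in caps.get(service, ())
    )


def writable_pools(caps, cluster_pools):
    """Pools (from a known list) the client could write to via its OSD caps."""
    return sorted(p for p in cluster_pools if permits(caps, "osd", "w", p))


# Constructed sample: the documented global caps versus the restricted caps
# from the thread. 'volumes' and 'images' are made-up pools of another tenant.
DOCUMENTED = "mon 'allow rwx' osd 'allow rwx'"
RESTRICTED = ("mon 'allow r' "
              "osd 'allow rwx pool=.rgw.root, allow rwx pool=a.root, "
              "allow rwx pool=am.rgw.control'")
CLUSTER_POOLS = [".rgw.root", "a.root", "am.rgw.control", "volumes", "images"]

if __name__ == "__main__":
    for label, caps in (("documented", DOCUMENTED), ("restricted", RESTRICTED)):
        parsed = parse_caps(caps)
        print(f"{label:10}: mon write = {permits(parsed, 'mon', 'w')}, "
              f"writable pools = {writable_pools(parsed, CLUSTER_POOLS)}")
```

Running it shows the documented client able to write every pool in the list, while the restricted client reaches only the three gateway pools and has no monitor write access. That last point is the trade-off the thread describes: with `mon 'allow r'` the gateway cannot create pools itself, so every pool it uses has to exist before it starts, and a missing one shows up as a capability error rather than an automatic pool creation.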

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
