Re: Access to rbd with a user key

Keep in mind you can also do prefix-based cephx with caps. That was set up so you can give a key ring access to specific RBD images (although you can’t do live updates on what the client can access without making him reconnect).
On Tue, Sep 26, 2017 at 7:44 AM Jason Dillaman <jdillama@xxxxxxxxxx> wrote:
On Tue, Sep 26, 2017 at 9:36 AM, Yoann Moulin <yoann.moulin@xxxxxxx> wrote:
>
>>> OK, I don't know where I read about the -o option to write the key, but the file was empty. I did a ">" and it seems to work to list or create rbd now.
>>>
>>> And from what I have tested, the correct syntax is « mon 'profile rbd' osd 'profile rbd pool=rbd' »
>>>
>>>> In the case we give access to those rbd inside the container, how can I be sure users in each container do not have access to others' rbd? Is
>>>> the namespace good to isolate each user?
>>>
>>> The question about namespace is still open: if I have a namespace in the osd caps, I can't create an rbd volume. How can I isolate each client to
>>> only his own volumes?
>>
>> Unfortunately, RBD doesn't currently support namespaces, but it's on
>> our backlog.
>
> So if I want to separate data between each container, I need to create a pool per user (one user can have multiple containers).

Definitely don't want to create a pool per user assuming you have more
than a handful of users. Usually the higher level container management
system handles the user separation since the end-user cannot directly
access the Ceph storage system and instead the RBD image is mapped
into the container. That's why RBD support for namespaces has been
low-priority since there hasn't been a lot of end-user demand.

> I'm going to take a look at cephfs; it seems possible to allow access only to a subdirectory per user. Could you confirm it?

Yes, I believe that is correct.

> Thanks,
>
> Best regards,
>
> --
> Yoann Moulin
> EPFL IC-IT
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com



--
Jason
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
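
The prefix-based cephx caps mentioned at the top of this message, sketched as an added example that is not part of the original thread: a helper that builds an OSD cap string restricting a key to the objects of one RBD image and prints the matching `ceph auth get-or-create` command without running it. It assumes format-2 RBD object naming (`rbd_id.<name>`, `rbd_header.<id>`, `rbd_data.<id>.`, `rbd_object_map.<id>`); the function names, client name, image name and image id are constructed for illustration, and whether this object set is sufficient for a given client version has to be checked on the cluster.

```shell
# Added example (not from the thread). Sample values are constructed; on a
# real cluster the image id is the suffix of the block_name_prefix line
# (rbd_data.<id>) shown by `rbd info <pool>/<image>`.

# Print an OSD cap string that limits a key to one format-2 RBD image.
# Args: pool, image name, image id.
rbd_image_osd_caps() {
    _pool=$1 _name=$2 _id=$3
    # Refuse empty values and anything that could change the cap grammar
    # (spaces, ';', ',', quotes) if pasted into the cap string.
    for _v in "$_pool" "$_name" "$_id"; do
        case $_v in
            ''|*[!A-Za-z0-9._-]*) echo "invalid value: $_v" >&2; return 1 ;;
        esac
    done
    # object_prefix is a prefix match: rbd_id.vol1 also matches rbd_id.vol10,
    # so image names (and ids) granted this way must not be prefixes of
    # another tenant's names. The trailing '.' on rbd_data avoids that there.
    printf 'allow rx pool=%s object_prefix rbd_id.%s; ' "$_pool" "$_name"
    printf 'allow rwx pool=%s object_prefix rbd_header.%s; ' "$_pool" "$_id"
    printf 'allow rwx pool=%s object_prefix rbd_data.%s.; ' "$_pool" "$_id"
    printf 'allow rwx pool=%s object_prefix rbd_object_map.%s' "$_pool" "$_id"
}

# Print (do not execute) the command that would create the restricted key.
# Args: client entity, pool, image name, image id.
dry_run_auth_cmd() {
    _caps=$(rbd_image_osd_caps "$2" "$3" "$4") || return 1
    printf "ceph auth get-or-create %s mon 'profile rbd' osd '%s'\n" "$1" "$_caps"
}

# Dry run with constructed values: one key for one image in pool "rbd".
dry_run_auth_cmd client.container1 rbd vol1 10226b8b4567
```

As noted above, changing what an already connected client may access only takes effect once that client reconnects.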
