Hi,

>>>>> Kernels on client is 4.4.0-93 and on ceph node are 4.4.0-96
>>>>>
>>>>> What is exactly an older kernel client ? 4.4 is old ?
>>>>>
>>>>> See
>>>>> http://docs.ceph.com/docs/master/cephfs/best-practices/#which-kernel-version
>>>>>
>>>>> If you're on Ubuntu Xenial I would advise to use
>>>>> "linux-generic-hwe-16.04". Currently gives you 4.10.0-* kernel.
>>>>
>>>> OK, but I still cannot set caps without read access to "/" on cephfs volume, is there something else I must do ?
>>>>
>>>> # ceph auth get-or-create client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
>>>> Error EINVAL: key for client.foo exists but cap mds does not match
>>>>
>>>> # ceph fs authorize cephfs client.foo /foo rw
>>>> Error EINVAL: key for client.foo exists but cap mds does not match
>>>
>>> Use "ceph auth list" to check the current caps for the client. With ceph
>>> auth caps (note, _not_ get-or-create) you can update the caps:
>>>
>>> ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
>>>
>>> The command should return "updated caps for client.foo"
>>
>> oops, you're right I must use "ceph auth caps" and not "ceph auth get-or-create"
>>
>> # ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
>> updated caps for client.foo
>
> In cases like this you also want to set RADOS namespaces for each tenant’s directory in the CephFS layout and give them OSD access to only that
> namespace. That will prevent malicious users from tampering with the raw RADOS objects of other users.

You mean by doing something like :

ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data namespace=foo" mds "allow rw path=/foo"

?

[client.foo]
        key = [snip]
        caps mds = "allow rw path=/foo"
        caps mon = "allow r"
        caps osd = "allow rw pool=cephfs_data namespace=foo"

or you are referring also to :

http://docs.ceph.com/docs/master/cephfs/file-layouts/

--
Yoann Moulin
EPFL IC-IT
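
An added example, not part of the original thread: a small audit that reads keyring-style text in the layout quoted above and lists clients whose MDS cap is limited to a path while their OSD cap still reaches the whole pool, which is the gap the namespace advice closes. The sample keyring, client.bar and the function names are constructed for illustration, and the cap parsing is a simplification (comma-separated grants, substring checks).

```python
import re

# Constructed sample in the keyring layout shown in the message above.
SAMPLE_KEYRING = """\
[client.foo]
    key = [snip]
    caps mds = "allow rw path=/foo"
    caps mon = "allow r"
    caps osd = "allow rw pool=cephfs_data namespace=foo"
[client.bar]
    key = [snip]
    caps mds = "allow rw path=/bar"
    caps mon = "allow r"
    caps osd = "allow rw pool=cephfs_data"
[client.admin]
    key = [snip]
    caps mds = "allow *"
    caps mon = "allow *"
    caps osd = "allow *"
"""

def parse_keyring(text):
    """Return {entity: {service: cap_string}} from keyring-style text."""
    entities, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = entities.setdefault(header.group(1), {})
            continue
        cap = re.fullmatch(r'caps (\w+) = "(.*)"', line)
        if cap and current is not None:
            current[cap.group(1)] = cap.group(2)
    return entities

def grants(cap_string):
    """Split a cap string into its comma-separated grants."""
    return [g.strip() for g in cap_string.split(",") if g.strip()]

def unscoped_osd_clients(text):
    """Clients whose MDS cap is path-limited but whose OSD cap has a
    grant without namespace= (raw access to other tenants' objects)."""
    flagged = []
    for entity, caps in parse_keyring(text).items():
        path_limited = any("path=" in g for g in grants(caps.get("mds", "")))
        open_osd = any("namespace=" not in g for g in grants(caps.get("osd", "")))
        if path_limited and open_osd:
            flagged.append(entity)
    return sorted(flagged)
```
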