>> I am trying to follow the instructions at:
>> http://docs.ceph.com/docs/master/cephfs/client-auth/
>> to restrict a client to a subdirectory of Ceph filesystem, but always get
>> an error.
>>
>> We are running the latest stable release of Ceph (v12.2.1) on CentOS 7
>> servers. The user 'hydra' has the following capabilities:
>> # ceph auth get client.hydra
>> exported keyring for client.hydra
>> [client.hydra]
>> key = AQxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
>> caps mds = "allow rw"
>> caps mgr = "allow r"
>> caps mon = "allow r"
>> caps osd = "allow rw"
>>
>> When I tried to restrict the client to only mount and work within the
>> directory /hydra of the Ceph filesystem 'pulpos', I got an error:
>> # ceph fs authorize pulpos client.hydra /hydra rw
>> Error EINVAL: key for client.dong exists but cap mds does not match
>>
>> I've tried a few combinations of user caps and CephFS client caps; but
>> always got the same error!
>
> The "fs authorize" command isn't smart enough to edit existing
> capabilities safely, so it is cautious and refuses to overwrite what
> is already there. If you remove your client.hydra user and try again,
> it should create it for you with the correct capabilities.

I confirm it works perfectly! It should be added to the documentation. :)

# ceph fs authorize cephfs client.foo1 /foo1 rw
[client.foo1]
key = XXX1

# ceph fs authorize cephfs client.foo2 / r /foo2 rw
[client.foo2]
key = XXX2

# ceph auth get client.foo1
exported keyring for client.foo1
[client.foo1]
key = XXX1
caps mds = "allow rw path=/foo1"
caps mon = "allow r"
caps osd = "allow rw pool=cephfs_data"

# ceph auth get client.foo2
exported keyring for client.foo2
[client.foo2]
key = XXX2
caps mds = "allow r, allow rw path=/foo2"
caps mon = "allow r"
caps osd = "allow rw pool=cephfs_data"

Best regards,

--
Yoann Moulin
EPFL IC-IT
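An added example (not from the thread or the Ceph project): a small Python check that parses keyring text in the format `ceph auth get` prints above and flags write grants not limited by `path=` (MDS) or `pool=` (OSD), which is the difference between client.hydra's original caps and the ones `fs authorize` generated. The function names and the sample keyring, constructed from the values shown in the thread, are assumptions of this example; it only recognises the `path=`/`pool=` restrictions that appear in this output.

```python
import re

# Constructed sample: keyring entries using the caps shown in the thread.
SAMPLE = """\
[client.hydra]
    key = AQxxxx==
    caps mds = "allow rw"
    caps mgr = "allow r"
    caps mon = "allow r"
    caps osd = "allow rw"
[client.foo1]
    key = XXX1
    caps mds = "allow rw path=/foo1"
    caps mon = "allow r"
    caps osd = "allow rw pool=cephfs_data"
[client.foo2]
    key = XXX2
    caps mds = "allow r, allow rw path=/foo2"
    caps mon = "allow r"
    caps osd = "allow rw pool=cephfs_data"
"""

def parse_keyring(text):
    """Return {entity: {daemon: [grant, ...]}} from keyring text."""
    entities, current = {}, None
    for line in map(str.strip, text.splitlines()):
        cap = re.fullmatch(r'caps (\w+) = "(.*)"', line)
        if line.startswith("[") and line.endswith("]"):
            current = entities.setdefault(line[1:-1], {})
        elif cap and current is not None:
            grants = [g.strip() for g in cap.group(2).split(",")]
            current[cap.group(1)] = [g for g in grants if g]
    return entities

def writes(grant):
    """True if a grant such as 'allow rw path=/x' permits writing."""
    parts = grant.split()
    return len(parts) >= 2 and parts[0] == "allow" and ("w" in parts[1] or parts[1] == "*")

def audit(text):
    """Return {entity: [issue, ...]} for write grants with no path=/pool= limit."""
    findings = {}
    for entity, caps in parse_keyring(text).items():
        issues = [f"mds: '{g}' has no path=" for g in caps.get("mds", [])
                  if writes(g) and "path=" not in g]
        issues += [f"osd: '{g}' has no pool=" for g in caps.get("osd", [])
                   if writes(g) and "pool=" not in g]
        if issues:
            findings[entity] = issues
    return findings
```

Calling `audit(SAMPLE)` reports only client.hydra; the read-only `allow r` grant on client.foo2 is not flagged because it was requested explicitly with `/ r`.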