Re: restrict user access to certain rbd image

Hi,

We use this on our side:

$ rbd create rbd-image --size 1048576 --pool rbd --image-feature layering
$ rbd create rbd-other-image --size 1048576 --pool rbd --image-feature layering

$ rbd info rbd/rbd-image
rbd image 'rbd-image':
    size 1024 GB in 262144 objects
    order 22 (4096 kB objects)
    block_name_prefix: rbd_data.2b36cf238e1f29
    format: 2
    features: layering
    flags:

$ ceph auth get-or-create client.rbd.image mon 'allow r' osd 'allow rwx pool rbd object_prefix rbd_data.2b36cf238e1f29; allow rwx pool rbd object_prefix rbd_header.2b36cf238e1f29; allow rx pool rbd object_prefix rbd_id.rbd-image' -o /etc/ceph/ceph.client.rbd.image.keyring

$ rbd -p rbd --keyring=/etc/ceph/ceph.client.rbd.image.keyring --id=rbd.image info rbd-image
rbd image 'rbd-image':
    size 1024 GB in 262144 objects
    order 22 (4096 kB objects)
    block_name_prefix: rbd_data.2b36cf238e1f29
    format: 2
    features: layering
    flags:

$ rbd -p rbd --keyring=/etc/ceph/ceph.client.rbd.image.keyring --id=rbd.image info rbd-other-image
rbd: error opening image rbd-other-image: (1) Operation not permitted
2018-02-02 17:19:13.758624 7f38d76fd700 -1 librbd::image::OpenRequest: failed to stat v2 image header: (1) Operation not permitted
2018-02-02 17:19:13.758724 7f38d6efc700 -1 librbd::ImageState: 0x55ac0ea6b7f0 failed to open image: (1) Operation not permitted

$ rbd --keyring=/etc/ceph/ceph.client.rbd.image.keyring --id=rbd.image -p rbd ls
rbd: list: (1) Operation not permitted

Regards,

Frédéric.

On 02/02/2018 at 17:05, Gregory Farnum wrote:
I don't think it's well-integrated with the tooling, but check out the cephx docs for the "prefix" level of access. It lets you grant access only to objects whose name matches a prefix, which for rbd would be the rbd volume ID (or name? Something easy to identify).
-Greg

On Fri, Feb 2, 2018 at 7:42 AM <knawnd@xxxxxxxxx> wrote:
Hello!

I wonder if it's possible in ceph Luminous to manage user access to rbd images on per image (but not
the whole rbd pool) basis?
I need to provide rbd images for my users but would like to disable their ability to list all images
in a pool as well as to somehow access/use ones if a ceph admin didn't authorize that.
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com


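The capability string in Frédéric's post has to be rebuilt for every image, because two of its three prefixes carry the image id (the hex part of block_name_prefix) while the third carries the image name. The script below is an added example, not code from the thread or from the Ceph project: it parses the id out of `rbd info` output and assembles the OSD caps and the `ceph auth get-or-create` command exactly as the post lays them out. The function names and the embedded sample `rbd info` text are assumptions made for this example (the sample is copied from the post so the script runs offline without a cluster).

```shell
#!/bin/sh
# Added example (not from the thread or from Ceph itself): derive a per-image
# cephx capability string from `rbd info` output, following the object-prefix
# scheme shown in the post. Assumes the format-2 object layout the post shows:
#   rbd_data.<id>    image data objects
#   rbd_header.<id>  image header (stat'ed on open)
#   rbd_id.<name>    maps the image name to its id
# Function names are this example's own; nothing here talks to a cluster.

# Extract the image id (the hex part after "rbd_data.") from `rbd info` text on stdin.
rbd_image_id_from_info() {
    sed -n 's/^[[:space:]]*block_name_prefix:[[:space:]]*rbd_data\.\([0-9a-f]*\).*$/\1/p'
}

# Build the OSD cap string for one image: pool name, image name, image id.
# rbd_data and rbd_header need rwx; rbd_id only needs to be readable.
rbd_osd_caps() {
    pool=$1; image=$2; id=$3
    printf '%s' "allow rwx pool $pool object_prefix rbd_data.$id; allow rwx pool $pool object_prefix rbd_header.$id; allow rx pool $pool object_prefix rbd_id.$image"
}

# Print the full `ceph auth get-or-create` command so it can be reviewed before
# it is run; the keyring path mirrors the one used in the post.
rbd_auth_command() {
    pool=$1; image=$2; id=$3; client=$4
    printf "ceph auth get-or-create client.%s mon 'allow r' osd '%s' -o /etc/ceph/ceph.client.%s.keyring\n" \
        "$client" "$(rbd_osd_caps "$pool" "$image" "$id")" "$client"
}

# Constructed sample input: the `rbd info` output quoted in the thread, embedded
# here so the script runs offline. In real use, pipe `rbd info <pool>/<image>`
# into rbd_image_id_from_info instead.
SAMPLE_INFO="rbd image 'rbd-image':
    size 1024 GB in 262144 objects
    order 22 (4096 kB objects)
    block_name_prefix: rbd_data.2b36cf238e1f29
    format: 2
    features: layering
    flags:"

id=$(printf '%s\n' "$SAMPLE_INFO" | rbd_image_id_from_info)
rbd_auth_command rbd rbd-image "$id" rbd.image
```

Two things worth checking when applying this to other images. First, the post creates its images with `--image-feature layering` only; features such as exclusive-lock and object-map keep their state in additional per-image objects, so a key built from just these three prefixes will not open such an image, and the feature set should be fixed before the key is issued. Second, the denial on `rbd ls` in the post is expected rather than a side effect: listing reads the pool's rbd_directory object, which none of the prefixes cover, so a client with this key can reach its own image only by name and cannot enumerate the others. Verifying both behaviours with the new keyring, as the post does with `info` on the other image and with `ls`, is the quickest confirmation that the caps are neither too narrow nor too wide.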
