Thanks a lot who shared thoughts and own experience on that topic! It seems that Frédéric's input is
exactly I've been looking for. Thanks Frédéric!
Jason Dillaman wrote on 02/02/18 19:24:
Concur that it's technically feasible by restricting access to
"rbd_id.<image name>", "rbd_header.<image id>.",
"rbd_object_map.<image id>.", and "rbd_data.<image id>." objects using
the prefix restriction in the OSD caps. However, this really won't
scale beyond a small number of images per user since every IO will
need to traverse the list of caps to verify the user can touch the
object.
On Fri, Feb 2, 2018 at 11:05 AM, Gregory Farnum <gfarnum@xxxxxxxxxx> wrote:
I don't think it's well-integrated with the tooling, but check out the cephx
docs for the "prefix" level of access. It lets you grant access only to
objects whose name matches a prefix, which for rbd would be the rbd volume
ID (or name? Something easy to identify).
-Greg
On Fri, Feb 2, 2018 at 7:42 AM <knawnd@xxxxxxxxx> wrote:
Hello!
I wonder if it's possible in ceph Luminous to manage user access to rbd
images on per image (but not
the whole rbd pool) basis?
I need to provide rbd images for my users but would like to disable their
ability to list all images
in a pool as well as to somehow access/use ones if a ceph admin didn't
authorize that.
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
