Your caps are invalid -- you are missing the access-spec on the first OSD cap clause. See [1] for more information on how to properly format caps.

What version of Ceph are you using? If I remember correctly, since Luminous it will at least throw an error when you give it invalid caps.

Additionally, the forthcoming Nautilus release is adding support for RBD namespaces, which can be used to provide isolation between clients (i.e. your caps would only provide a client access to objects within a specific pool namespace and there won't be a need to update caps for each individual image).

[1] http://docs.ceph.com/docs/master/rados/operations/user-management/#authorization-capabilities

On Fri, Jan 25, 2019 at 7:28 AM Thomas <74cmonty@xxxxxxxxx> wrote:
>
> Hi,
>
> unfortunately it's not working, yet.
>
> I have modified user gbsadm:
> root@ld4257:/etc/ceph# ceph auth get client.gbsadm
> exported keyring for client.gbsadm
> [client.gbsadm]
>         key = AQBd0klcFknvMRAAwuu30bNG7L7PHk5d8cSVvg==
>         caps mon = "allow r"
>         caps osd = "allow pool backup object_prefix rbd_data.18102d6b8b4567; allow rwx pool backup object_prefix rbd_header.18102d6b8b4567; allow rx pool backup object_prefix rbd_id.gbs"
>
> But mapping fails with same error:
> ld7581:/etc/ceph # rbd map backup/gbs --user gbsadm -k /etc/ceph/ceph.client.gbsadm.keyring -c /etc/ceph/ceph.conf
> rbd: sysfs write failed
> 2019-01-25 13:19:29.158211 7fc629ffb700 -1 librbd::image::OpenRequest: failed to stat v2 image header: (1) Operation not permitted
> 2019-01-25 13:19:29.158476 7fc6297fa700 -1 librbd::ImageState: 0x55b623a91f70 failed to open image: (1) Operation not permitted
> rbd: error opening image gbs: (1) Operation not permitted
> In some cases useful info is found in syslog - try "dmesg | tail".
> rbd: map failed: (1) Operation not permitted
>
> Regards
> Thomas
>
> On 25.01.2019 at 12:31, Eugen Block wrote:
>
> You can check all objects of that pool to see if your caps match:
>
> rados -p backup ls | grep rbd_id
>
> Quoting Eugen Block <eblock@xxxxxx>:
>
> caps osd = "allow pool backup object_prefix rbd_data.18102d6b8b4567; allow rwx pool backup object_prefix rbd_header.18102d6b8b4567; allow rx pool backup object_prefix rbd_id.rbd-image"
>
> I think your caps are not entirely correct, the part "[...] object_prefix rbd_id.rbd-image" should contain the
> actual image name, so in your case it should be "[...] rbd_id.gbs".
>
> Regards,
> Eugen
>
> Quoting Thomas <74cmonty@xxxxxxxxx>:
>
> Thanks.
>
> Unfortunately this is still not working.
>
> Here's the info of my image:
> root@ld4257:/etc/ceph# rbd info backup/gbs
> rbd image 'gbs':
>         size 500GiB in 128000 objects
>         order 22 (4MiB objects)
>         block_name_prefix: rbd_data.18102d6b8b4567
>         format: 2
>         features: layering
>         flags:
>         create_timestamp: Thu Jan 24 16:01:55 2019
>
> And here's the user caps output:
> root@ld4257:/etc/ceph# ceph auth get client.gbsadm
> exported keyring for client.gbsadm
> [client.gbsadm]
>         key = AQBd0klcFknvMRAAwuu30bNG7L7PHk5d8cSVvg==
>         caps mon = "allow r"
>         caps osd = "allow pool backup object_prefix rbd_data.18102d6b8b4567; allow rwx pool backup object_prefix rbd_header.18102d6b8b4567; allow rx pool backup object_prefix rbd_id.rbd-image"
>
> Trying to map rbd "backup/gbs" now fails with this error; this operation should be permitted:
> ld7581:/etc/ceph # rbd map backup/gbs --user gbsadm -k /etc/ceph/ceph.client.gbsadm.keyring -c /etc/ceph/ceph.conf
> rbd: sysfs write failed
> 2019-01-25 12:15:19.786724 7fe4357fa700 -1 librbd::image::OpenRequest: failed to stat v2 image header: (1) Operation not permitted
> 2019-01-25 12:15:19.786962 7fe434ff9700 -1 librbd::ImageState: 0x55b6522177f0 failed to open image: (1) Operation not permitted
> rbd: error opening image gbs: (1) Operation not permitted
> In some cases useful info is found in syslog - try "dmesg | tail".
> rbd: map failed: (1) Operation not permitted
>
> The same error is shown when I try to map rbd "backup/isa"; this operation must be prohibited:
> ld7581:/etc/ceph # rbd map backup/isa --user gbsadm -k /etc/ceph/ceph.client.gbsadm.keyring -c /etc/ceph/ceph.conf
> rbd: sysfs write failed
> 2019-01-25 12:15:04.850151 7f8041ffb700 -1 librbd::image::OpenRequest: failed to stat v2 image header: (1) Operation not permitted
> 2019-01-25 12:15:04.850350 7f80417fa700 -1 librbd::ImageState: 0x5643668a5700 failed to open image: (1) Operation not permitted
> rbd: error opening image isa: (1) Operation not permitted
> In some cases useful info is found in syslog - try "dmesg | tail".
> rbd: map failed: (1) Operation not permitted
>
> Regards
> Thomas
>
> On 25.01.2019 at 11:52, Eugen Block wrote:
>
> osd 'allow rwx pool <pool> object_prefix rbd_data.2b36cf238e1f29; allow rwx pool <pool> object_prefix rbd_header.2b36cf238e1f29
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

--
Jason
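
Added example (not part of the original thread, and not Ceph's own cap parser): a small lint that flags OSD cap clauses with no access-spec, run over the caps string posted in the thread and over the form suggested earlier in it. The function name lint_osd_caps and the simplified clause grammar ("allow", an access-spec, and pool / namespace / object_prefix / tag match keywords in either order) are assumptions made for illustration.

```python
import re

# Simplified model of one OSD cap clause, following the documented shape
# "allow {access-spec} [{match-spec}]" (either order is accepted here).
# This is an assumption-level lint, not Ceph's own cap parser.
ACCESS_SPEC = re.compile(r"\*|all|class-read|class-write|(?=[rwx])r?w?x?")
# match keyword -> number of value tokens that follow it (after '=' is split)
MATCH_KEYS = {"pool": 1, "namespace": 1, "object_prefix": 1, "tag": 3}


def lint_osd_caps(caps):
    """Return (clause_number, clause, problem) for every suspect clause."""
    findings = []
    for number, clause in enumerate(caps.split(";"), start=1):
        clause = clause.strip()
        tokens = clause.replace("=", " ").split()
        if not tokens or tokens[0] == "profile":
            continue  # empty clause, or a profile that carries its own rules
        if tokens[0] != "allow":
            findings.append((number, clause, "clause does not start with 'allow'"))
            continue
        access, unknown, i = [], [], 1
        while i < len(tokens):
            tok = tokens[i]
            if tok in MATCH_KEYS:
                i += 1 + MATCH_KEYS[tok]  # skip the keyword and its value(s)
            elif ACCESS_SPEC.fullmatch(tok):
                access.append(tok)
                i += 1
            else:
                unknown.append(tok)
                i += 1
        if not access:
            findings.append((number, clause, "missing access-spec"))
        elif unknown:
            findings.append((number, clause, "unrecognised token(s): " + " ".join(unknown)))
    return findings


# The caps string posted in the thread, and the form suggested earlier in it.
THREAD_CAPS = ("allow pool backup object_prefix rbd_data.18102d6b8b4567; "
               "allow rwx pool backup object_prefix rbd_header.18102d6b8b4567; "
               "allow rx pool backup object_prefix rbd_id.gbs")
SUGGESTED_CAPS = ("allow rwx pool <pool> object_prefix rbd_data.2b36cf238e1f29; "
                  "allow rwx pool <pool> object_prefix rbd_header.2b36cf238e1f29")

if __name__ == "__main__":
    for number, clause, problem in lint_osd_caps(THREAD_CAPS):
        print(f"clause {number}: {problem}: {clause}")
```

Running a check like this before applying caps surfaces the malformed clause up front, instead of as an "Operation not permitted" at map time.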