Re: ceph nautilus namespaces for rbd and rbd image access problem

On Mon, May 20, 2019 at 11:14 AM Rainer Krienke <krienke@xxxxxxxxxxxxxx> wrote:
>
> On 20.05.19 at 09:06, Jason Dillaman wrote:
>
> >> $ rbd --namespace=testnamespace map rbd/rbdtestns --name client.rainer
> >> --keyring=/etc/ceph/ceph.keyring
> >> rbd: sysfs write failed
> >> rbd: error opening image rbdtestns: (1) Operation not permitted
> >> In some cases useful info is found in syslog - try "dmesg | tail".
> >> 2019-05-20 08:18:29.187 7f42ab7fe700 -1 librbd::image::RefreshRequest:
> >> failed to retrieve pool metadata: (1) Operation not permitted
> >> 2019-05-20 08:18:29.187 7f42aaffd700 -1 librbd::image::OpenRequest:
> >> failed to refresh image: (1) Operation not permitted
> >> 2019-05-20 08:18:29.187 7f42aaffd700 -1 librbd::ImageState:
> >> 0x561792408860 failed to open image: (1) Operation not permitted
> >> rbd: map failed: (22) Invalid argument
> >
> > Hmm, it looks like we overlooked updating the 'rbd' profile when PR
> > 27423 [1] was merged into v14.2.1. We'll get that fixed, but in the
> > meantime, you can add a "class rbd metadata_list" cap on the base pool
> > (w/o the namespace restriction) [2].
> >
>
> Thanks for your answer. Well, I still have Kernel 4.15 so namespaces
> won't work for me at the moment.
>
> Could you please explain what the magic behind "class rbd metadata_list"
> is? Is it thought to "simply" allow access to the basepool (rbd in my
> case), so I authorize access to the pool instead of a namespace? And if
> this is true then I do not understand the difference of your class cap
> compared to a cap like osd 'allow rw pool=rbd'?

It allows access to invoke a single OSD object class method named
rbd.metadata_list, which is a read-only operation. Therefore, you are
giving access to read pool-level configuration overrides but not
access to read/write/execute any other things in the base pool. You
could further restrict it to the "rbd_info" object when combined w/
the "object_prefix rbd_info" matcher.

> --
> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
> 56070 Koblenz, Tel: +49261287 1312 Fax +49261287 100 1312
> Web: http://userpages.uni-koblenz.de/~krienke
> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html



-- 
Jason
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
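
Added example, not part of the original thread and not Ceph's own code: a simplified Python model of OSD cap matching that contrasts the per-method grant on the base pool (optionally with the `object_prefix rbd_info` matcher) with a cap like `allow rw pool=rbd`. The `Grant` and `Op` types, the empty string as the base pool's namespace, the namespace-scoped stand-in grant and the object name `some_object` are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Grant:
    pool: str
    perms: str = ""                                # subset of "rw"
    cls_method: Optional[Tuple[str, str]] = None   # (class, method)
    namespace: Optional[str] = None                # None: no namespace restriction
    object_prefix: Optional[str] = None            # None: any object name

@dataclass(frozen=True)
class Op:
    pool: str
    namespace: str                                 # "" = base pool (assumed)
    obj: str
    kind: str                                      # "r", "w" or "call"
    cls_method: Optional[Tuple[str, str]] = None

def grant_allows(g: Grant, op: Op) -> bool:
    """True if this single grant covers the operation."""
    if g.pool != op.pool:
        return False
    if g.namespace is not None and g.namespace != op.namespace:
        return False
    if g.object_prefix is not None and not op.obj.startswith(g.object_prefix):
        return False
    if op.kind == "call":
        # Simplification: only per-method class grants are modelled here.
        return g.cls_method is not None and g.cls_method == op.cls_method
    return op.kind in g.perms

def allowed(grants, op: Op) -> bool:
    return any(grant_allows(g, op) for g in grants)

# Constructed grants and operations (illustrative, not taken from a cluster).
BROAD = [Grant(pool="rbd", perms="rw")]            # like osd 'allow rw pool=rbd'
NARROW = [Grant(pool="rbd", cls_method=("rbd", "metadata_list"),
                object_prefix="rbd_info")]
NS_ONLY = [Grant(pool="rbd", perms="rw", namespace="testnamespace")]  # stand-in

LIST_META = Op("rbd", "", "rbd_info", "call", ("rbd", "metadata_list"))
WRITE_OTHER = Op("rbd", "", "some_object", "w")    # hypothetical object name
READ_OTHER = Op("rbd", "", "some_object", "r")

if __name__ == "__main__":
    for name, caps in [("namespace only", NS_ONLY),
                       ("namespace + narrow", NS_ONLY + NARROW)]:
        print(name, [allowed(caps, op) for op in (LIST_META, WRITE_OTHER, READ_OTHER)])
    print("namespace + broad, write:", allowed(NS_ONLY + BROAD, WRITE_OTHER))
```

In this model the namespace-only client is refused the base-pool `rbd.metadata_list` call, the narrow grant permits exactly that call, and the broad grant additionally opens every other base-pool object to reads and writes.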


