Hi,
On 28.10.21 18:10, Konstantin Shalygin wrote:
Hi,
Try to use profile cap, like 'allow profile rbd'
That's fine for csi rbd, thx. Works like a charm so far.
But cephfs is a little different beast. As far as I understand the
source code, it uses the mgr interface to create subvolumes and
subvolume groups (e.g. the same API calls used by 'ceph fs subvolume
create..' and others). The default authx caps generated by 'ceph fs
authorize' do not seem to be sufficient in this case.
To give an example:
caps mds = "allow rwps fsname=test"
caps mon = "allow r fsname=test"
caps osd = "allow rw tag cephfs data=test"
This is not enough to be used with the cephfs csi driver. The caps are
fine for accessing the filesystem, e.g. mounting.
Even adding 'mgr = "allow rw"' does not work. If I use the client.admin
credentials instead everything is fine, but I do not want to expose
those in kubernetes...
Regards,
Burkhard
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
