Hi,
I was curious and tried the same with debug logs. One thing I noticed
was that if I use the '-k <keyring>' option I get a different error
message than with '--id user3'. So with '-k' the result is the same:
---snip---
pacific:~ # rbd -k /etc/ceph/ceph.client.user3.keyring -p test2 --namespace user3 create --size 1G --image test2-user3
2022-03-25T09:45:44.541+0100 7f1f21021700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]
rbd: couldn't connect to the cluster!
---snip---
With '--id' I get these messages:
---snip---
pacific:~ # rbd --id user3 -p test2 --namespace user3 create --size 1G --image test2-user3
2022-03-25T09:45:49.573+0100 7f186bfff700 -1 librbd::image::GetMetadataRequest: 0x5627b6b5d6b0 handle_metadata_list: failed to retrieve image metadata: (1) Operation not permitted
2022-03-25T09:45:49.573+0100 7f188ad7d1c0 -1 librbd::PoolMetadata: list: failed listing metadata: (1) Operation not permitted
2022-03-25T09:45:49.573+0100 7f188ad7d1c0 -1 librbd::Config: apply_pool_overrides: failed to read pool config overrides: (1) Operation not permitted
2022-03-25T09:45:49.573+0100 7f1878d8a700 -1 librbd::image::ValidatePoolRequest: handle_read_rbd_info: failed to read RBD info: (1) Operation not permitted
2022-03-25T09:45:49.573+0100 7f1878d8a700 -1 librbd::image::CreateRequest: 0x5627b69b61c0 handle_validate_data_pool: failed to validate pool: (1) Operation not permitted
rbd: create error: (1) Operation not permitted
---snip---
The user apparently requires permissions to read some of the pool's information which is not stored in a namespace (like rbd_info), but it's not allowed:
pacific:~ # rados -p test2 --id user3 stat rbd_info
error stat-ing test2/rbd_info: (1) Operation not permitted
I modified the caps for that user a little:
pacific:~ # ceph auth get-or-create client.user3 mon 'profile rbd' osd 'profile rbd, allow rwx pool=test2 namespace=user3' -o /etc/ceph/ceph.client.user3.keyring
And now it seems to work (but not with the '-k' option):
---snip---
pacific:~ # rbd --id user3 -p test2 --namespace user3 create --size 1G --image test3-user3
pacific:~ # rbd --id user3 -p test2 --namespace user3 info --image test3-user3
rbd image 'test3-user3':
size 1 GiB in 256 objects
order 22 (4 MiB objects)
snapshot_count: 0
id: d9a619a15959
block_name_prefix: rbd_data.d9a619a15959
format: 2
features: layering, exclusive-lock, object-map, fast-diff, deep-flatten
op_features:
flags:
create_timestamp: Fri Mar 25 10:08:27 2022
access_timestamp: Fri Mar 25 10:08:27 2022
modify_timestamp: Fri Mar 25 10:08:27 2022
---snip---
Hope this helps!
Eugen
Quoting Budai Laszlo <laszlo.budai@xxxxxxxxx>:
Hello all,
What capabilities should a ceph user have in order to be able to create rbd images in one namespace only?
I have tried the following:
[root@ceph1 ~]# rbd namespace ls --format=json
[{"name":"user1"},{"name":"user2"}]
[root@ceph1 ~]# ceph auth get-or-create client.user2 mon 'profile rbd' osd 'allow rwx pool=rbd namespace=user2' -o /etc/ceph/client.user2.keyring
[root@ceph1 ~]# rbd create -k /etc/ceph/client.user2.keyring --namespace user2 user2img1 --size 1G
2022-03-23T16:09:56.291+1100 7f94fa6b7700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]
2022-03-23T16:09:56.291+1100 7f94f9eb6700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]
2022-03-23T16:09:56.292+1100 7f94f96b5700 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]
rbd: couldn't connect to the cluster!
Thank you,
Laszlo
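An added audit helper, not part of this thread or of the ceph tooling, that parses the OSD cap strings used in the two messages above and reports which grants reach beyond the one pool/namespace the user is meant to be confined to. It handles only the 'profile <name>' and 'allow <rwx>' clauses with optional pool= and namespace= qualifiers; other clause types of the real cap grammar are rejected rather than silently accepted.

```python
import re

# Subset of the Ceph OSD cap grammar seen in this thread: comma-separated grants of the
# form "profile <name> [pool=P [namespace=N]]" or "allow <rwx> [pool=P [namespace=N]]".
# A grant with no pool= qualifier matches every pool; one with pool= but no namespace=
# matches every namespace of that pool (including the default one holding rbd_info).
GRANT_RE = re.compile(
    r"^(?:profile\s+(?P<profile>[\w-]+)|allow\s+(?P<perms>[rwx]+|\*))"
    r"(?:\s+pool=(?P<pool>\S+))?(?:\s+namespace=(?P<namespace>\S+))?$"
)


def parse_osd_caps(caps: str) -> list[dict]:
    """Split an OSD cap string into grants with profile/perms/pool/namespace keys."""
    grants = []
    for clause in caps.split(","):
        m = GRANT_RE.match(clause.strip())
        if m is None:  # object_prefix, class, tag, network clauses are out of scope here
            raise ValueError(f"unsupported OSD cap clause: {clause.strip()!r}")
        grants.append(m.groupdict())
    return grants


def grant_scope(grant: dict) -> str:
    """Describe how far one grant reaches: every pool, one pool, or one namespace."""
    if grant["pool"] is None:
        return "any pool"
    if grant["namespace"] is None:
        return f"pool={grant['pool']} (all namespaces)"
    return f"pool={grant['pool']} namespace={grant['namespace']}"


def audit_osd_caps(caps: str, pool: str, namespace: str) -> list[str]:
    """Return findings for grants that are not confined to exactly pool/namespace."""
    findings = []
    for g in parse_osd_caps(caps):
        kind = f"profile {g['profile']}" if g["profile"] else f"allow {g['perms']}"
        if g["pool"] != pool or g["namespace"] != namespace:
            findings.append(f"{kind}: {grant_scope(g)}")
    return findings


if __name__ == "__main__":
    # Cap strings taken from the thread; the intended scope is one pool plus one namespace.
    for caps, pool, ns in [
        ("allow rwx pool=rbd namespace=user2", "rbd", "user2"),
        ("profile rbd, allow rwx pool=test2 namespace=user3", "test2", "user3"),
    ]:
        print(caps, "->", audit_osd_caps(caps, pool, ns) or ["confined to the namespace"])
```

Run against `ceph auth get client.<id>` output, the second cap string reports 'profile rbd: any pool', which is why the create now succeeds but also why the user is no longer limited to test2.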
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx