Hello everyone,
I would like to set up my CephFS with different directories exclusively
accessible by corresponding clients. By this, I mean e.g. /dir_a only
accessible by client.a and /dir_b only by client.b.
From the documentation I gathered, having client caps like
client.a
key: <some_key_a>
caps: [mds] allow rw fsname=cephfs path=/dir_a
caps: [mon] allow r fsname=cephfs
caps: [osd] allow rw tag cephfs data=cephfs
client.b
key: <some_key_b>
caps: [mds] allow rw fsname=cephfs path=/dir_b
caps: [mon] allow r fsname=cephfs
caps: [osd] allow rw tag cephfs data=cephfs
is not enough, since it only restricts the clients' access to the
metadata pool. So to restrict access to the data, I create pools for
each of the directories, e.g. cephfs_a_data and cephfs_b_data. To make
the data end up on the right pool, I set attributes through cephfs-shell:
setxattr /dir_a ceph.dir.layout.pool cephfs_a_data
setxattr /dir_b ceph.dir.layout.pool cephfs_b_data
Through trial and error, I found out the following client caps work with
this setup:
client.a
key: <some_key_a>
caps: [mds] allow rw fsname=cephfs path=/dir_a
caps: [mon] allow r fsname=cephfs
caps: [osd] allow rwx pool=cephfs_a_data
client.b
key: <some_key_b>
caps: [mds] allow rw fsname=cephfs path=/dir_b
caps: [mon] allow r fsname=cephfs
caps: [osd] allow rwx pool=cephfs_b_data
With only rw on osds, I was not able to write in the mounted dirs.
Now the question: Since I established this setup more or less through
trial and error, I was wondering if there is a more elegant/better
approach than what is outlined above?
Thank you for your help!
Best regards,
Jonas
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
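The security-relevant point behind the post is that the MDS `path=` cap only governs what a client may do through the metadata server; the OSD cap decides which RADOS objects the client can touch directly. A client holding `allow rw tag cephfs data=cephfs` can therefore use librados to read or overwrite the data objects of every directory that lives in the shared data pool, whatever its MDS restriction says. The following script is an added example (not code from the post or from the Ceph project): it parses `ceph auth ls`-style output, flags clients whose MDS cap is path-restricted but whose OSD cap is not pinned to their own pool, optionally cross-checks the pinned pool against the directory's layout pool, and prints the commands for the dedicated-pool scheme the post arrived at. The sample `ceph auth ls` text is constructed by hand with placeholder keys, the `/mnt/cephfs` mount point is an assumption, and the optional RADOS-namespace variant (`ceph.dir.layout.pool_namespace` plus an OSD cap with `namespace=`) goes beyond the post, which uses one pool per directory.

```python
"""Audit CephFS client caps for per-directory isolation and emit setup commands.

Added example: the MDS cap `path=` limits what a client can do via the MDS,
the OSD cap limits which RADOS objects it can read or write directly. Only a
pool- (or namespace-) scoped OSD cap keeps client.a away from /dir_b's data.
"""
import re
import shlex

# Constructed sample modelled on `ceph auth ls` output; keys are placeholders,
# nothing here was captured from a real cluster.
SAMPLE_AUTH_LS = """\
client.a
\tkey: AQD...placeholder-a...==
\tcaps: [mds] allow rw fsname=cephfs path=/dir_a
\tcaps: [mon] allow r fsname=cephfs
\tcaps: [osd] allow rw tag cephfs data=cephfs
client.b
\tkey: AQD...placeholder-b...==
\tcaps: [mds] allow rw fsname=cephfs path=/dir_b
\tcaps: [mon] allow r fsname=cephfs
\tcaps: [osd] allow rwx pool=cephfs_b_data
client.admin
\tkey: AQD...placeholder-admin...==
\tcaps: [mds] allow *
\tcaps: [mon] allow *
\tcaps: [osd] allow *
"""

CAP_LINE = re.compile(r"^\s+caps:\s+\[(\w+)\]\s+(.*)$")


def parse_auth_ls(text):
    """Return {entity: {service: capstring}} from `ceph auth ls` style text."""
    entities, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line = entity name
            current = line.strip()
            entities[current] = {}
            continue
        m = CAP_LINE.match(line)
        if m and current is not None:
            entities[current][m.group(1)] = m.group(2).strip()
    return entities


def mds_paths(capstr):
    """All `path=` restrictions in an MDS cap (a cap may hold several clauses)."""
    return re.findall(r"path=(\S+)", capstr)


def osd_pools(capstr):
    """All `pool=` restrictions in an OSD cap."""
    return re.findall(r"pool=(\S+)", capstr)


def audit(entities, layouts=None):
    """Return [(entity, reason)] for clients whose MDS cap is path-restricted
    while their OSD cap still reaches other clients' data.

    `layouts` optionally maps directory -> pool from ceph.dir.layout.pool, so a
    cap pinned to the *wrong* pool is reported as well."""
    findings = []
    for name, caps in entities.items():
        paths = mds_paths(caps.get("mds", ""))
        if not paths:
            continue                      # no directory restriction intended
        osd = caps.get("osd", "")
        if "tag cephfs" in osd or "allow *" in osd:
            findings.append((name, f"MDS limits to {paths} but OSD cap "
                                   f"'{osd}' reaches every cephfs data pool"))
            continue
        pools = osd_pools(osd)
        if not pools:
            findings.append((name, f"OSD cap '{osd}' has no pool= restriction"))
            continue
        for p in paths:
            want = (layouts or {}).get(p)
            if want and want not in pools:
                findings.append((name, f"OSD cap pins {pools} but the layout "
                                       f"pool of {p} is {want}"))
    return findings


def setup_commands(client, fsname, path, pool, namespace=None,
                   mountpoint="/mnt/cephfs"):
    """Shell commands for the dedicated-pool scheme: create the pool, register
    it with the file system (required before it can appear in a layout), set
    the directory layout, and create the client with a pool-scoped OSD cap.
    `namespace` is an optional generalization: several directories can then
    share one pool, each client being pinned with `namespace=` instead.
    `mountpoint` is an assumption about where the file system is mounted."""
    osd_cap = f"allow rwx pool={pool}" + (f" namespace={namespace}" if namespace else "")
    target = f"{mountpoint}{path}"
    cmds = [
        f"ceph osd pool create {shlex.quote(pool)}",
        f"ceph fs add_data_pool {shlex.quote(fsname)} {shlex.quote(pool)}",
        f"setfattr -n ceph.dir.layout.pool -v {shlex.quote(pool)} {shlex.quote(target)}",
    ]
    if namespace:
        cmds.append(f"setfattr -n ceph.dir.layout.pool_namespace "
                    f"-v {shlex.quote(namespace)} {shlex.quote(target)}")
    cmds.append(f"ceph auth get-or-create client.{client} "
                f"mds {shlex.quote(f'allow rw fsname={fsname} path={path}')} "
                f"mon {shlex.quote(f'allow r fsname={fsname}')} "
                f"osd {shlex.quote(osd_cap)}")
    return cmds


if __name__ == "__main__":
    for entity, reason in audit(parse_auth_ls(SAMPLE_AUTH_LS),
                                layouts={"/dir_b": "cephfs_b_data"}):
        print(f"FINDING {entity}: {reason}")
    print("\n".join(setup_commands("a", "cephfs", "/dir_a", "cephfs_a_data")))
```

Run against real output with `ceph auth ls | python3 audit_caps.py`-style piping by replacing `SAMPLE_AUTH_LS` with `sys.stdin.read()`; the `layouts` mapping can be filled from `getfattr -n ceph.dir.layout.pool` on each restricted directory so that a client pinned to a pool that its directory no longer uses is caught too.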