You could try creating Subvolumes as well:
https://docs.ceph.com/en/latest/cephfs/fs-volumes/

As usual, ceph caps and data layout semantics apply to Subvolumes as well.

On Thu, Dec 22, 2022 at 8:19 PM Jonas Schwab <jonas.schwab@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

> Hello everyone,
>
> I would like to set up my CephFS with different directories exclusively
> accessible by corresponding clients. By this, I mean e.g. /dir_a only
> accessible by client.a and /dir_b only by client.b.
>
> From the documentation I gathered, having client caps like
>
> client.a
>     key: <some_key_a>
>     caps: [mds] allow rw fsname=cephfs path=/dir_a
>     caps: [mon] allow r fsname=cephfs
>     caps: [osd] allow rw tag cephfs data=cephfs
>
> client.b
>     key: <some_key_b>
>     caps: [mds] allow rw fsname=cephfs path=/dir_b
>     caps: [mon] allow r fsname=cephfs
>     caps: [osd] allow rw tag cephfs data=cephfs
>
> is not enough, since it only restricts the clients' access to the
> metadata pool. So to restrict access to the data, I create pools for
> each of the directories, e.g. cephfs_a_data and cephfs_b_data. To make
> the data end up on the right pool, I set attributes through cephfs-shell:
>
> setxattr /dir_a ceph.dir.layout.pool cephfs_a_data
> setxattr /dir_b ceph.dir.layout.pool cephfs_b_data
>
> Through trial and error, I found out the following client caps work with
> this setup:
>
> client.a
>     key: <some_key_a>
>     caps: [mds] allow rw fsname=cephfs path=/dir_a
>     caps: [mon] allow r fsname=cephfs
>     caps: [osd] allow rwx pool=cephfs_a_data
>
> client.b
>     key: <some_key_b>
>     caps: [mds] allow rw fsname=cephfs path=/dir_b
>     caps: [mon] allow r fsname=cephfs
>     caps: [osd] allow rwx pool=cephfs_b_data
>
> With only rw on osds, I was not able to write in the mounted dirs.
>
> Now the question: Since I established this setup more or less through
> trial and error, I was wondering if there is a more elegant/better
> approach than what is outlined above?
>
> Thank you for your help!
>
> Best regards,
> Jonas

--
Milind
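An added example, not part of the original thread: a small Python audit that reads a caps listing in the layout quoted above and flags clients whose MDS cap is path-restricted while their OSD cap is not tied to the pool named in that directory's `ceph.dir.layout.pool`. The function names, the `layout` mapping and the sample listing are constructed for illustration.

```python
import re

# Constructed sample in the layout shown in the thread (keys are placeholders).
SAMPLE = """\
client.a
    key: <some_key_a>
    caps: [mds] allow rw fsname=cephfs path=/dir_a
    caps: [mon] allow r fsname=cephfs
    caps: [osd] allow rw tag cephfs data=cephfs
client.b
    key: <some_key_b>
    caps: [mds] allow rw fsname=cephfs path=/dir_b
    caps: [mon] allow r fsname=cephfs
    caps: [osd] allow rwx pool=cephfs_b_data
"""

CAP_LINE = re.compile(r"^\s*caps:\s*\[(\w+)\]\s*(.+)$")

def parse_entities(text):
    """Return {entity: {service: cap_string}} from the listing."""
    entities, current = {}, None
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if m and current is not None:
            entities[current][m.group(1)] = m.group(2).strip()
        elif line.strip() and not line[0].isspace():
            current = line.strip()  # unindented line starts a new entity
            entities[current] = {}
    return entities

def audit(text, layout):
    """layout maps directory -> data pool (the ceph.dir.layout.pool value)."""
    findings = {}
    for name, caps in parse_entities(text).items():
        paths = re.findall(r"path=([^\s,]+)", caps.get("mds", ""))
        if not paths:
            continue  # no path restriction to compare against
        osd = caps.get("osd", "")
        pools = set(re.findall(r"pool=([^\s,]+)", osd))
        expected = {layout[p] for p in paths if p in layout}
        if "tag cephfs" in osd or not pools:
            findings[name] = "osd cap is not limited to a pool"
        elif pools != expected:
            findings[name] = f"osd pools {sorted(pools)} != layout {sorted(expected)}"
    return findings
```
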