On Fri, Feb 24, 2023 at 9:05 AM Thomas Schneider <74cmonty@xxxxxxxxx> wrote:
>
> Actually I didn't try other caps.
>
> The setup of RBD images and authorizations is automated with a bash
> script that worked in the past w/o issues.
> I need to understand the root cause in order to adapt the script
> accordingly.

Using home-grown scripts to allow a client to access only a particular image this way (object_prefix match for "rbd_data.<image id>" and then playing whack-a-mole to cover everything else that is needed: rbd_info object, rbd_mirroring object, etc. -- and that is before someone enables e.g. the object-map image feature on the image) is not recommended.

Instead, create a namespace, place the image(s) that a client should be allowed to access into the namespace and use the built-in "profile rbd" capability for it. Here is an example:

  $ rbd namespace create mypool/foo
  $ rbd namespace create mypool/bar
  $ ceph auth get-or-create client.foo mon 'profile rbd' osd 'profile rbd pool mypool namespace foo'
  $ ceph auth get-or-create client.bar mon 'profile rbd' osd 'profile rbd pool mypool namespace bar'
  $ rbd create --id foo --size 1G mypool/foo/img
  $ sudo rbd map --id foo mypool/foo/img
  $ rbd create --id bar --size 1G mypool/bar/img
  $ sudo rbd map --id bar mypool/bar/img

Note that both images are named "img" -- since each resides in its own namespace, this works just fine.

An attempt to map using a mismatching client would fail (unless it's sufficiently privileged, of course):

  $ sudo rbd map --id foo mypool/bar/img
  rbd: error asserting namespace: (1) Operation not permitted
  2023-02-26T07:22:37.420-0500 7f7354ad8740 -1 librbd::api::Namespace: exists: error asserting namespace: (1) Operation not permitted

The kernel client supports namespaces since kernel 4.19 (and also CentOS 8.0).

Thanks,

                Ilya
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
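As an added example (not code from the thread or from the Ceph project), here is how the provisioning script Thomas describes could be restructured around the namespace approach Ilya recommends: one namespace per client, a key whose OSD cap is the namespace-scoped "profile rbd", and a live check that the cap came out exactly as intended and that the client cannot map an image in another namespace. The pool name "mypool", the namespaces/client ids "foo" and "bar", the keyring line format matched by check_caps, and the DRY_RUN switch are assumptions for illustration; with DRY_RUN=1 (the default) the script only prints the commands it would run, so it can be exercised without a cluster.

```shell
#!/bin/sh
# Added example: provision per-client RBD namespaces with "profile rbd" caps
# instead of hand-built object_prefix caps. Pool, namespace and client names
# below are hypothetical. DRY_RUN=1 (default) prints commands instead of
# running them so the script can be checked without a Ceph cluster.

DRY_RUN="${DRY_RUN:-1}"

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# The OSD cap that limits a client to a single namespace of a single pool
# (same form as in Ilya's example above).
osd_ns_cap() {
    printf 'profile rbd pool %s namespace %s' "$1" "$2"
}

# Reject names that could smuggle extra tokens into a cap string
# (spaces, quotes, etc.); only a conservative character set is allowed.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Create the namespace, a client key restricted to it, and an initial image.
# The client id is taken to be the same as the namespace name.
provision_client() {
    pool=$1 ns=$2 size=${3:-1G}
    valid_name "$pool" && valid_name "$ns" || { echo "bad name: $pool/$ns" >&2; return 1; }
    run rbd namespace create "$pool/$ns"
    run ceph auth get-or-create "client.$ns" \
        mon 'profile rbd' osd "$(osd_ns_cap "$pool" "$ns")"
    run rbd create --id "$ns" --size "$size" "$pool/$ns/img"
}

# On a live cluster, verify that the stored OSD cap is exactly the
# namespace-scoped profile (assumes the keyring-style output of
# "ceph auth get", i.e. a line of the form: caps osd = "..."). Skipped in dry-run.
check_caps() {
    pool=$1 ns=$2
    [ "$DRY_RUN" = 1 ] && return 0
    ceph auth get "client.$ns" | grep -qF "caps osd = \"$(osd_ns_cap "$pool" "$ns")\""
}

# On a live cluster, confirm that a client cannot map an image that lives
# in a namespace it was not granted (the failure Ilya shows above).
check_isolation() {
    client=$1 other_image=$2
    [ "$DRY_RUN" = 1 ] && return 0
    if rbd map --id "$client" "$other_image" 2>/dev/null; then
        echo "FAIL: client.$client could map $other_image" >&2
        return 1
    fi
    return 0
}

main() {
    provision_client mypool foo || return 1
    provision_client mypool bar || return 1
    check_caps mypool foo || { echo "FAIL: client.foo caps are not namespace-scoped" >&2; return 1; }
    check_caps mypool bar || { echo "FAIL: client.bar caps are not namespace-scoped" >&2; return 1; }
    check_isolation foo mypool/bar/img || return 1
    check_isolation bar mypool/foo/img || return 1
}

main "$@"
```

Run it once with DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 on an admin node; a non-zero exit from check_caps or check_isolation means the key is either broader than intended or the mapping restriction is not in effect (for example, a kernel client older than 4.19 that has no namespace support).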