There is a tiny bit more to it. The idea is that, when adding a data pool, any cephfs client can access the new pool without changing and updating the caps. To this end, the fs-caps must include 2 pieces of information, the application name "cephfs" and the file system name (ceph can have multiple file systems). Any cephfs enabled pool with the correct file system name will be accessible to a properly authorized client of that file system without having to add that pool to the client caps explicitly, as was necessary in older versions.

The 2 pieces of information are provided like:

application name cephfs: "tag cephfs"
file system name: "data=con-fs2"

One can check what is encoded for each pool using

    ceph osd pool ls detail --format=json | jq '.[] | .pool_name, .application_metadata'

For a ceph-fs pool, it will look something like

    "con-fs2-data2"
    {
      "cephfs": {
        "data": "con-fs2"
      }
    }

As of today, it seems indeed undocumented black magic and you need to search very carefully to find ceph-user cases that discuss (issues with) these tags, thereby explaining it as a side effect.

Best regards,
=================
Frank Schilder
AIT Risø Campus
Bygning 109, rum S14

________________________________________
From: Eugen Block <eblock@xxxxxx>
Sent: Tuesday, June 11, 2024 2:14 PM
To: ceph-users@xxxxxxx
Subject: Re: Documentation for meaning of "tag cephfs" in OSD caps

I assume it means that pools with an enabled application "cephfs" can be targeted by specifying this tag instead of listing each pool separately. Browsing through the code [1] seems to confirm that (somehow, I'm not a dev):

> if (g.match.pool_tag.application == ng.match.pool_tag.application

But I agree, it's worth adding that to the docs.

[1] https://github.com/ceph/ceph/blob/09e81319648dd504cfd94edfdd321c7163cefa98/src/osd/OSDCap.cc#L549

Quoting Petr Bena <petr@bena.rocks>:

> Hello
>
> In https://docs.ceph.com/en/latest/cephfs/client-auth/ we can find that
>
> ceph fs authorize cephfs_a client.foo / r /bar rw Results in
>
> client.foo
> key: *key*
> caps: [mds] allow r, allow rw path=/bar
> caps: [mon] allow r
> caps: [osd] allow rw tag cephfs data=cephfs_a
>
>
> What is this "tag cephfs" thing? It seems like some undocumented
> black magic to me, since I can't find anything that documents it.
> Can someone explain how it works under the hood? What does it expand
> to? What does it limit and how?
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
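
The tag matching discussed in this thread, as an added example that is not part of any message above and is not Ceph's own code: a simplified Python model of how a "tag cephfs data=<fs>" grant selects pools through their application metadata, next to an old-style explicit pool= grant. The pool list is constructed; the pool names other than con-fs2-data2, the "metadata" key on the metadata pool, and the reduced grant grammar are assumptions.

```python
import json
import re

# Constructed sample shaped like `ceph osd pool ls detail --format=json`,
# reduced to the two fields used here. Only con-fs2-data2 is from the thread;
# the other pools, and the "metadata" key, are assumptions for illustration.
POOLS = json.loads("""[
 {"pool_name": "con-fs2-meta",  "application_metadata": {"cephfs": {"metadata": "con-fs2"}}},
 {"pool_name": "con-fs2-data",  "application_metadata": {"cephfs": {"data": "con-fs2"}}},
 {"pool_name": "con-fs2-data2", "application_metadata": {"cephfs": {"data": "con-fs2"}}},
 {"pool_name": "other-fs-data", "application_metadata": {"cephfs": {"data": "other-fs"}}},
 {"pool_name": "rbd-images",    "application_metadata": {"rbd": {}}}
]""")

# Simplified grant grammar: "allow <perm> pool=<name>" or
# "allow <perm> tag <application> <key>=<value>". Not the full OSD cap syntax.
GRANT_RE = re.compile(
    r"^allow\s+(?P<perm>[rwx*]+)\s+"
    r"(?:pool=(?P<pool>\S+)|tag\s+(?P<app>\S+)\s+(?P<key>[^=\s]+)=(?P<val>\S+))$")

def parse_osd_caps(caps):
    """Split a comma-separated OSD cap string into grant dicts."""
    grants = []
    for part in caps.split(","):
        m = GRANT_RE.match(part.strip())
        if m is None:
            raise ValueError(f"unsupported grant: {part.strip()!r}")
        grants.append(m.groupdict())
    return grants

def grant_matches(grant, pool):
    """Explicit pool grants match by name; tag grants match application metadata."""
    if grant["pool"] is not None:
        return pool["pool_name"] == grant["pool"]
    app_md = pool.get("application_metadata", {}).get(grant["app"])
    return app_md is not None and app_md.get(grant["key"]) == grant["val"]

def accessible_pools(caps, pools=POOLS):
    """Names of pools that at least one grant in `caps` applies to."""
    grants = parse_osd_caps(caps)
    return sorted(p["pool_name"] for p in pools
                  if any(grant_matches(g, p) for g in grants))

if __name__ == "__main__":
    print(accessible_pools("allow rw tag cephfs data=con-fs2"))
    print(accessible_pools("allow rw pool=con-fs2-data"))
```

In this model the tag grant picks up con-fs2-data2 without any change to the client caps, while the explicit pool= grant does not, and neither reaches the other file system's data pool or the non-cephfs pool.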