This is a note meant to tag this issue for evaluation and likely inclusion in the documentation in the near future (in August of 2024).
Zac Dover
Head of Documentation
Ceph Foundation
On Tuesday, June 11th, 2024 at 11:58 PM, Frank Schilder <frans@xxxxxx> wrote:
>
>
> There is a tiny bit more to it. The idea is that, when adding a data pool, any cephfs client can access the new pool without changing and updating the caps. To this end, the fs-caps must include 2 pieces of information, the application name "cephfs" and the file system name (ceph can have multiple file systems). Any cephfs enabled pool with the correct file system name will be accessible to a properly authorized client of that file system without having to add that pool to the client caps explicitly, as was necessary in older versions.
>
> The 2 pieces of information are provided like:
>
> application name cephfs: "tag cephfs"
> file system name: "data=con-fs2"
>
> One can check what is encoded for each pool using
>
> ceph osd pool ls detail --format=json | jq '.[] | .pool_name, .application_metadata'
>
> For a ceph-fs pool, it will look something like
>
> "con-fs2-data2"
> {
> "cephfs": {
> "data": "con-fs2"
> }
> }
>
> As of today, it seems indeed undocumented black magic and you need to search very carefully to find ceph-user cases that discuss (issues with) these tags, thereby explaining it as a side effect.
>
> Best regards,
> =================
> Frank Schilder
> AIT Risø Campus
> Bygning 109, rum S14
>
> ________________________________________
> From: Eugen Block eblock@xxxxxx
>
> Sent: Tuesday, June 11, 2024 2:14 PM
> To: ceph-users@xxxxxxx
> Subject: Re: Documentation for meaning of "tag cephfs" in OSD caps
>
> I assume it means that pools with an enabled application "cephfs" can
> be targeted by specifying this tag instead of listing each pool
> separately. Browsing through the code [1] seems to confirm that
> (somehow, I'm not a dev):
>
> > if (g.match.pool_tag.application == ng.match.pool_tag.application
>
>
> But I agree, it's worth adding that to the docs.
>
> [1]
> https://github.com/ceph/ceph/blob/09e81319648dd504cfd94edfdd321c7163cefa98/src/osd/OSDCap.cc#L549
>
> Zitat von Petr Bena petr@bena.rocks:
>
> > Hello
> >
> > In https://docs.ceph.com/en/latest/cephfs/client-auth/ we can find that
> >
> > ceph fs authorize cephfs_a client.foo / r /bar rw Results in
> >
> > client.foo
> > key: key
> > caps: [mds] allow r, allow rw path=/bar
> > caps: [mon] allow r
> > caps: [osd] allow rw tag cephfs data=cephfs_a
> >
> > What is this "tag cephfs" thing? It seems like some undocumented
> > black magic to me, since I can't find anything that documents it.
> > Can someone explain how it works under the hood? What does it expand
> > to? What does it limit and how?
> > _______________________________________________
> > ceph-users mailing list -- ceph-users@xxxxxxx
> > To unsubscribe send an email to ceph-users-leave@xxxxxxx
>
>
>
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
