From: "Székelyi Szabolcs" <szekelyi@niif.hu>
To: ceph-devel@vger.kernel.org
Subject: Re: Keys & caps
Date: Mon, 09 Jul 2012 19:27:42 +0200 [thread overview]
Message-ID: <1968682.cis2SWxC6X@mranderson> (raw)
In-Reply-To: <Pine.LNX.4.64.1207090925370.20547@cobra.newdream.net>
On 2012. July 9. 09:33:22 Sage Weil wrote:
> On Mon, 9 Jul 2012, Székelyi Szabolcs wrote:
> > this far I accessed my Ceph (0.48) FS with the client.admin key, but I'd
> > like to change that since I don't want to allow clients to control the
> > cluster.
> >
> > I thought I should create a new key, give it some caps (don't exactly know
> > which ones), and distribute it to clients. Here are some things I don't
> > know/understand:
> >
> > * What do the r, w, x, and * caps ("permissions"?) mean on a mon, mds, or
> > osd?
>
> They roughly correspond to read, write, execute. The distinction is
> subtle and poorly specfied for mon caps; just use the documented values
> for now.
Does this mean that what I'm trying to achieve is not possible at the moment?
I'd like to give access to my clients to the data in the filesystem, but not
control over the cluster. My thought was that removing some mon caps from the
clients' keys will get me there. But from what you write, it looks to me like
if a client can access the data in the filesystem, it can also (for example)
bring the cluster down...
> The problem is that the mount.ceph command doesn't understand keyrings; it
> only understands secret= and secretfile=. There is a longstanding feature
> bug open for this
>
> http://tracker.newdream.net/issues/266
>
> but it hasn't been prioritized. Sorry for the confusion! It will happen
> soon.
>
> In the meantime, you need
>
> -o secretfile=/path/to/secretfile,name=access_fs
Is this also true for the FUSE client? I have obscure memories about big
differences between the kernel and the FUSE client, for example the latter
being able to read ceph.conf, and get the necessary info, including the
keyring file, from there. Maybe I didn't emphasize it, but that's what I'm
using.
Thanks,
--
cc
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2012-07-09 17:27 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-09 16:07 Keys & caps Székelyi Szabolcs
2012-07-09 16:33 ` Sage Weil
2012-07-09 17:27 ` Székelyi Szabolcs [this message]
2012-07-10 20:09 ` Gregory Farnum
2012-07-10 23:11 ` Székelyi Szabolcs
2012-07-10 23:25 ` Sage Weil
2012-07-10 23:30 ` Gregory Farnum
2012-07-10 23:36 ` Sage Weil
2012-07-10 23:57 ` Székelyi Szabolcs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1968682.cis2SWxC6X@mranderson \
--to=szekelyi@niif.hu \
--cc=ceph-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.