After updating to Cuttlefish I was able to set up two rados gateways using 
distinct pools and users. (Thanks Yehuda!) Now I'd like to make it so the user 
for each gateway can only access its own pools and nothing else. The reasons 
include security and preventing foot-shooting.

Instead of simply having this:

        caps osd = "allow rwx"

I tried:

        caps osd = "allow class-read, allow pool .intent-log rwx,
                    allow pool .log rwx, allow pool .rgw rwx,
                    allow pool .rgw.buckets rwx, allow pool .rgw.control rwx,
                    allow pool .rgw.gc rwx, allow pool .usage rwx,
                    allow pool .users rwx, allow pool .users.email rwx,
                    allow pool .users.swift rwx, allow pool .users.uid rwx"

Unfortunately, the radosgw won't run with those settings. It starts but then 
exits, with this in the logs:

2013-06-12 11:51:39.574693 7f61de950820  0 ceph version 0.61.3 (92b1e398576d55df8e5888dd1a9545ed3fd99532), process radosgw, pid 32182
2013-06-12 11:51:39.591093 7f61cb5fe700  2 garbage collection: start
2013-06-12 11:51:39.594462 7f61cb5fe700  0 ERROR: garbage collection process() returned error r=-1
2013-06-12 11:51:39.594472 7f61cb5fe700  2 garbage collection: stop
2013-06-12 11:51:39.596405 7f61de950820 -1 Couldn't init storage provider (RADOS)

Can someone tell me what permissions I might need or if I'm doing something 
wrong? If for some reason this kind of per-user partitioning can't be done 
(meaning rgw needs 'caps osd = "allow rwx"') I'd like to know why, and see 
about changing that in a future release.

Thanks,

JN

_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

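To reason about what a per-pool cap string like the one above actually grants, here is a small checker, added as an example and not code from the thread or from Ceph itself. It parses only the clause forms that appear in the post (`allow <perms>`, `allow class-read`, `allow pool <name> <perms>`, plus `allow *`), so it is a conservative subset of the real cephx grammar; the cap string is the one from the post with the line wrapping removed, and the pool name `.rgw2.buckets` is a constructed stand-in for a second gateway's pool. The useful part is `missing_rwx`: feed it the pools a gateway really touches (for instance the output of `rados lspools`) and it lists the ones the caps do not fully cover, which is the least-privilege check to run before the daemon fails at startup.

```python
import re
from typing import List, Optional, Sequence

# Constructed sample: the cap string from the post, with the line wrapping removed.
RGW_CAPS = (
    "allow class-read, allow pool .intent-log rwx, allow pool .log rwx, "
    "allow pool .rgw rwx, allow pool .rgw.buckets rwx, allow pool .rgw.control rwx, "
    "allow pool .rgw.gc rwx, allow pool .usage rwx, allow pool .users rwx, "
    "allow pool .users.email rwx, allow pool .users.swift rwx, allow pool .users.uid rwx"
)

# One grant clause: "allow [pool <name>] <perms>". Only the forms seen in the
# post (plus bare "allow rwx" / "allow *") are accepted; the real cephx grammar
# is wider, so this checker is deliberately conservative (assumption).
GRANT_RE = re.compile(r"^allow\s+(?:pool\s+(\S+)\s+)?([\w*-]+)$")
LETTER_PERMS = set("rwx")
WORD_PERMS = {"class-read", "class-write", "*"}


class Grant:
    def __init__(self, pool: Optional[str], perms: frozenset):
        self.pool = pool    # None => the grant is cluster-wide (every pool)
        self.perms = perms  # subset of {"r", "w", "x", "class-read", "class-write", "*"}

    def covers(self, pool: str, perm: str) -> bool:
        if self.pool is not None and self.pool != pool:
            return False
        return "*" in self.perms or perm in self.perms


def parse_perms(token: str) -> frozenset:
    """Expand 'rwx' to {'r','w','x'}; keep 'class-read'/'class-write'/'*' whole."""
    if token in WORD_PERMS:
        return frozenset([token])
    if token and set(token) <= LETTER_PERMS:
        return frozenset(token)
    raise ValueError(f"unknown permission token: {token!r}")


def parse_caps(caps: str) -> List[Grant]:
    """Split a caps string on commas and parse each 'allow ...' clause."""
    grants = []
    for clause in caps.split(","):
        clause = " ".join(clause.split())  # collapse wrapping / indent whitespace
        if not clause:
            continue
        m = GRANT_RE.match(clause)
        if not m:
            raise ValueError(f"cannot parse cap clause: {clause!r}")
        pool, perms = m.group(1), m.group(2)
        grants.append(Grant(pool, parse_perms(perms)))
    return grants


def allowed(grants: Sequence[Grant], pool: str, perm: str) -> bool:
    """True if at least one grant gives `perm` on `pool` (grants are additive)."""
    return any(g.covers(pool, perm) for g in grants)


def missing_rwx(grants: Sequence[Grant], pools_used: Sequence[str]) -> List[str]:
    """Pools from `pools_used` on which the caps do not grant all of r, w and x.

    Pass the pools the gateway actually touches (e.g. from `rados lspools`)
    to spot an omission before the daemon fails at startup.
    """
    return sorted(p for p in pools_used
                  if not all(allowed(grants, p, x) for x in "rwx"))


def reachable_pools(grants: Sequence[Grant]) -> List[str]:
    """Pools explicitly named in the caps (a pool-less grant is cluster-wide)."""
    return sorted({g.pool for g in grants if g.pool is not None})


if __name__ == "__main__":
    grants = parse_caps(RGW_CAPS)
    print("pools named in caps:", reachable_pools(grants))
    # Constructed pool name standing in for a second gateway's bucket pool.
    print("write on another gateway's pool?", allowed(grants, ".rgw2.buckets", "w"))
    print("class-read anywhere?", allowed(grants, ".rgw2.buckets", "class-read"))
```

Note that the bare `allow class-read` clause carries no pool, so it applies cluster-wide; the checker makes that visible, which is worth knowing when the goal is strict partitioning between gateways.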