On Jun 12, 2013, at 2:02 PM, Yehuda Sadeh <yeh...@inktank.com> wrote:
> On Wed, Jun 12, 2013 at 12:59 PM, John Nielsen <li...@jnielsen.net> wrote:
>> After updating to Cuttlefish I was able to set up two rados gateways using
>> distinct pools and users. (Thanks Yehuda!) Now I'd like to make it so the
>> user for each gateway can only access its own pools and nothing else. The
>> reasons include security and preventing foot-shooting.
>>
>> Instead of simply having this: caps osd = "allow rwx"
>>
>> I tried:
>>
>> caps osd = "allow class-read, allow pool .intent-log rwx, allow pool
>> .log rwx, allow pool .rgw rwx, allow pool .rgw.buckets rwx, allow pool
>> .rgw.control rwx, allow pool .rgw.gc rwx, allow pool .usage rwx, allow pool
>> .users rwx, allow pool .users.email rwx, allow pool .users.swift rwx, allow
>> pool .users.uid rwx"
>
> You'll need more than just class-read.

Can you be more specific?

>> Unfortunately, the radosgw won't run with those settings. It starts but then
>> exits, with this in the logs:
>>
>> 2013-06-12 11:51:39.574693 7f61de950820 0 ceph version 0.61.3
>> (92b1e398576d55df8e5888dd1a9545ed3fd99532), process radosgw, pid 32182
>> 2013-06-12 11:51:39.591093 7f61cb5fe700 2 garbage collection: start
>> 2013-06-12 11:51:39.594462 7f61cb5fe700 0 ERROR: garbage collection
>> process() returned error r=-1
>> 2013-06-12 11:51:39.594472 7f61cb5fe700 2 garbage collection: stop
>> 2013-06-12 11:51:39.596405 7f61de950820 -1 Couldn't init storage provider
>> (RADOS)
>>
>> Can someone tell me what permissions I might need or if I'm doing something
>> wrong? If for some reason this kind of per-user partitioning can't be done
>> (meaning rgw needs 'caps osd = "allow rwx"') I'd like to know why, and see
>> about changing that in a future release.
>>
>> Thanks,
>>
>> JN

_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com