On Wed, Jun 12, 2013 at 1:48 PM, John Nielsen <li...@jnielsen.net> wrote:
> On Jun 12, 2013, at 2:02 PM, Yehuda Sadeh <yeh...@inktank.com> wrote:
>
>> On Wed, Jun 12, 2013 at 12:59 PM, John Nielsen <li...@jnielsen.net> wrote:
>>> After updating to Cuttlefish I was able to set up two rados gateways using
>>> distinct pools and users. (Thanks Yehuda!) Now I'd like to make it so the
>>> user for each gateway can only access its own pools and nothing else. The
>>> reasons include security and preventing foot-shooting.
>>>
>>> Instead of simply having this: caps osd = "allow rwx"
>>>
>>> I tried:
>>>
>>> caps osd = "allow class-read, allow pool .intent-log rwx, allow pool
>>> .log rwx, allow pool .rgw rwx, allow pool .rgw.buckets rwx, allow pool
>>> .rgw.control rwx, allow pool .rgw.gc rwx, allow pool .usage rwx, allow pool
>>> .users rwx, allow pool .users.email rwx, allow pool .users.swift rwx, allow
>>> pool .users.uid rwx"
>>
>> You'll need more than just class-read.
>
> Can you be more specific?
>
Try adding class-write.

Yehuda
_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com