Keep in mind you can also do prefix-based cephx with caps. That was set up
so you can give a key ring access to specific RBD images (although you
can’t do live updates on what the client can access without making him
reconnect).
On Tue, Sep 26, 2017 at 7:44 AM Jason Dillaman <jdill...@redhat.com> wrote:

> On Tue, Sep 26, 2017 at 9:36 AM, Yoann Moulin <yoann.mou...@epfl.ch> wrote:
> >
> >>> ok, I don't know where I read the -o option to write the key but the file was empty I do a ">" and seems to work to list or create rbd now.
> >>>
> >>> and for what I have tested then, the good syntax is « mon 'profile rbd' osd 'profile rbd pool=rbd' »
> >>>
> >>>> In the case we give access to those rbd inside the container, how I can be sure users in each container do not have access to others rbd ? Is the namespace good to isolate each user ?
> >>>
> >>> The question about namespace is still open, if I have a namespace in the osd caps, I can't create rbd volume. How I can isolate each client to only his own volumes ?
> >>
> >> Unfortunately, RBD doesn't currently support namespaces, but it's on
> >> our backlog.
> >
> > So if I want to separate data between each container, I need to create a pool per user (one user can have multiple containers).
>
> Definitely don't want to create a pool per user assuming you have more
> than a handful of users. Usually the higher level container management
> system handles the user separation since the end-user cannot directly
> access the Ceph storage system and instead the RBD image is mapped
> into the container. That's why RBD support for namespaces has been
> low-priority since there hasn't been a lot of end-user demand.
>
> > I'm gonna give a look to cephfs, it seems possible to allow access only to a subdirectory per user, could you confirm it ?
>
> Yes, I believe that is correct.
>
> > Thanks,
> >
> > Best regards,
> >
> > --
> > Yoann Moulin
> > EPFL IC-IT
> > _______________________________________________
> > ceph-users mailing list
> > ceph-users@lists.ceph.com
> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
>
>
> --
> Jason
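Added example (not part of the thread and not Ceph project code): the prefix-based cephx caps mentioned in the top reply, modelled in Python so the isolation between two images can be checked offline. It assumes format 2 RBD object naming (rbd_id.<name>, rbd_header.<id>, rbd_data.<id>.<objno>) and plain string-prefix matching of object_prefix; the entity name, image names and image ids are constructed, and the exact set of grants a real client needs should be verified on your Ceph release.

```python
# Added example: model of cephx object_prefix caps for format 2 RBD images.
# Pool name, image names and image ids used here are constructed sample values.

def image_prefixes(name, image_id):
    """Object-name prefixes one format 2 image uses, with the access granted."""
    return [
        ("rx", f"rbd_id.{name}"),           # name -> id lookup object
        ("rwx", f"rbd_header.{image_id}"),  # image metadata
        ("rwx", f"rbd_data.{image_id}."),   # data objects; trailing dot pins the id
    ]

def osd_caps(pool, images):
    """Build the OSD cap string for a dict of {image name: image id}."""
    grants = []
    for name, image_id in sorted(images.items()):
        for perms, prefix in image_prefixes(name, image_id):
            grants.append(f"allow {perms} pool={pool} object_prefix {prefix}")
    return ", ".join(grants)

def parse_caps(caps):
    """Parse only the grant shape produced by osd_caps()."""
    parsed = []
    for grant in caps.split(","):
        _allow, perms, pool, _kw, prefix = grant.split()
        parsed.append((perms, pool.split("=", 1)[1], prefix))
    return parsed

def allowed(caps, pool, obj, perm):
    """True if any grant covers this pool, object name and permission letter."""
    return any(p == pool and obj.startswith(prefix) and perm in perms
               for perms, p, prefix in parse_caps(caps))

def auth_command(entity, pool, images):
    """Command line that would create the restricted key (mon cap from the thread)."""
    caps = osd_caps(pool, images)
    return f"ceph auth get-or-create {entity} mon 'profile rbd' osd '{caps}'"

if __name__ == "__main__":
    print(auth_command("client.tenant-a", "rbd", {"vm1": "10226b8b4567"}))
```

Because the match is a plain prefix, a grant on rbd_id.vm1 also covers rbd_id.vm10, so choose image names that are not prefixes of one another if even the read-only name lookup must stay private.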