On Fri, Sep 29, 2017 at 7:34 AM Yoann Moulin <yoann.mou...@epfl.ch> wrote:
> Hi,
>
> >>>>> Kernels on client is 4.4.0-93 and on ceph node are 4.4.0-96
> >>>>>
> >>>>> What is exactly an older kernel client ? 4.4 is old ?
> >>>>>
> >>>>> See
> >>>>>
> >>>>> http://docs.ceph.com/docs/master/cephfs/best-practices/#which-kernel-version
> >>>>>
> >>>>> If you're on Ubuntu Xenial I would advise to use
> >>>>> "linux-generic-hwe-16.04". Currently gives you 4.10.0-* kernel.
> >>>>
> >>>> OK, but I still cannot set caps without read access to "/" on cephfs volume, is there something else I must do ?
> >>>>
> >>>> # ceph auth get-or-create client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
> >>>> Error EINVAL: key for client.foo exists but cap mds does not match
> >>>>
> >>>> # ceph fs authorize cephfs client.foo /foo rw
> >>>> Error EINVAL: key for client.foo exists but cap mds does not match
> >>>
> >>> Use "ceph auth list" to check the current caps for the client. With ceph auth caps (note, _not_ get-or-create) you can update the caps:
> >>>
> >>> ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
> >>>
> >>> The command should return "updated caps for client.foo"
> >>
> >> oops, you're right I must use "ceph auth caps" and not "ceph auth get-or-create"
> >>
> >> # ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
> >> updated caps for client.foo
> >
> > In cases like this you also want to set RADOS namespaces for each tenant’s directory in the CephFS layout and give them OSD access to only that namespace. That will prevent malicious users from tampering with the raw RADOS objects of other users.
>
> You mean by doing something like :
>
> ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data namespace=foo" mds "allow rw path=/foo" ?
>
> [client.foo]
> key = [snip]
> caps mds = "allow rw path=/foo"
> caps mon = "allow r"
> caps osd = "allow rw pool=cephfs_data namespace=foo"
>
> or you are referring also to :
>
> http://docs.ceph.com/docs/master/cephfs/file-layouts/

Yes, both of those. The "auth caps" portion gives the client permission on the OSD to access the namespace "foo". The file layouts place the CephFS file data into that namespace.
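As an added example (not code from the thread), a small Python audit of `ceph auth list` output that checks each tenant key for the confinement described above (MDS limited to the tenant's path, OSD access limited to the tenant's namespace in the pool) and emits the two corrective steps; the sample listing is constructed, and the `/mnt/cephfs` mountpoint is an assumption:

```python
import re

# Constructed sample shaped like "ceph auth list" output (not a real cluster): foo is confined, bar is not.
SAMPLE_AUTH_LIST = """\
client.foo
\tcaps: [mds] allow rw path=/foo
\tcaps: [mon] allow r
\tcaps: [osd] allow rw pool=cephfs_data namespace=foo
client.bar
\tcaps: [mds] allow rw path=/bar
\tcaps: [mon] allow r
\tcaps: [osd] allow rw pool=cephfs_data
"""
CAP_RE = re.compile(r"^\s*caps: \[(\w+)\] (.*)$")

def parse_auth_list(text):
    """Return {entity: {service: capstring}} from 'ceph auth list' text."""
    entries, current = {}, None
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2)
        elif line and not line[0].isspace() and "." in line and " " not in line:
            current = line                      # entity line, e.g. "client.foo"
            entries[current] = {}
    return entries

def has_field(cap, key, value):
    # Whole-token match: path=/foo must not be satisfied by path=/foobar.
    return re.search(rf"(^|\s){key}={re.escape(value)}(\s|$)", cap) is not None

def audit_tenant_caps(text, pool, tenants):
    """Per tenant, list isolation gaps (empty list = confined to path and namespace)."""
    entries, findings = parse_auth_list(text), {}
    for t in tenants:
        caps = entries.get(f"client.{t}", {})
        mds, osd, problems = caps.get("mds", ""), caps.get("osd", ""), []
        if not has_field(mds, "path", f"/{t}"):
            problems.append(f"mds cap not restricted to path=/{t}")
        if not has_field(osd, "pool", pool):
            problems.append(f"osd cap not restricted to pool={pool}")
        if not has_field(osd, "namespace", t):
            problems.append(f"osd cap reaches the whole pool (no namespace={t})")
        findings[f"client.{t}"] = problems
    return findings

def remediation(tenant, pool, mountpoint="/mnt/cephfs"):
    """Thread's two steps: 'ceph auth caps' with the namespace, then the directory
    layout xattr (file-layouts doc) that puts the tenant's data in it. Mountpoint assumed."""
    return [f'ceph auth caps client.{tenant} mon "allow r" osd "allow rw pool={pool} '
            f'namespace={tenant}" mds "allow rw path=/{tenant}"',
            f"setfattr -n ceph.dir.layout.pool_namespace -v {tenant} {mountpoint}/{tenant}"]
```

Run `audit_tenant_caps` against the real listing and apply `remediation` only to the keys it flags; a tenant whose key is absent from the listing is reported with all three gaps.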
_______________________________________________ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com