>> In cases like this you also want to set RADOS namespaces for each tenant’s 
>> directory in the CephFS layout and give them OSD access to only that
>> namespace. That will prevent malicious users from tampering with the raw 
>> RADOS objects of other users.
> 
>     You mean by doing something like :
> 
>     ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data namespace=foo" mds "allow rw path=/foo" ?
> 
>     [client.foo]
>             key = [snip]
>             caps mds = "allow rw path=/foo"
>             caps mon = "allow r"
>             caps osd = "allow rw pool=cephfs_data namespace=foo"
> 
>     or you are referring also to :
> 
>     http://docs.ceph.com/docs/master/cephfs/file-layouts/
> 
> Yes, both of those. The "auth caps" portion gives the client permission on 
> the OSD to access the namespace "foo". The file layouts place the
> CephFS file data into that namespace.

OK, I will take a look next week.

Thank you.

-- 
Yoann Moulin
EPFL IC-IT
_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
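
An added example, not part of the thread above: a small offline audit of keyring-style text that flags tenants whose caps lack the path or namespace restriction discussed here. The function names, the sample clients `bar` and `baz`, and the convention that a tenant's namespace is named after its directory are assumptions made for illustration.

```python
import re

# Constructed keyring text in the layout shown above; secret keys omitted.
SAMPLE_KEYRING = """
[client.foo]
    caps mds = "allow rw path=/foo"
    caps osd = "allow rw pool=cephfs_data namespace=foo"
[client.bar]
    caps mds = "allow rw path=/bar"
    caps osd = "allow rw pool=cephfs_data"
[client.baz]
    caps mds = "allow rw path=/baz"
    caps osd = "allow rw pool=cephfs_data namespace=foo"
"""

def parse_keyring(text):
    """Return {entity: {daemon: cap string}} from keyring-style text."""
    entities, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        cap = re.fullmatch(r'caps (\w+) = "(.*)"', line)
        if header:
            current = entities.setdefault(header.group(1), {})
        elif cap and current is not None:
            current[cap.group(1)] = cap.group(2)
    return entities

def grants(cap):
    """Split a cap string into grants, each a dict of its key=value options."""
    return [dict(t.split("=", 1) for t in g.split() if "=" in t)
            for g in cap.split(",") if g.strip()]

def audit(text, data_pool="cephfs_data"):
    """Return (entity, problem) pairs for caps that do not isolate a tenant."""
    findings = []
    for entity, caps in sorted(parse_keyring(text).items()):
        paths = {g.get("path") for g in grants(caps.get("mds", ""))}
        # An OSD grant with no pool= applies to every pool, the data pool included.
        spaces = {g.get("namespace") for g in grants(caps.get("osd", ""))
                  if g.get("pool", data_pool) == data_pool}
        if None in paths:
            findings.append((entity, "mds cap is not restricted to a path"))
        if None in spaces:
            findings.append((entity, "osd cap is not restricted to a namespace"))
        # Assumption: each tenant's namespace is named after its directory.
        expected = {p.strip("/") for p in paths if p}
        if expected and spaces - {None} and spaces - {None} != expected:
            findings.append((entity, "osd namespace does not match mds path"))
    return findings
```

The audit covers only the caps; the directory's file layout still has to place the data in the same namespace, as the thread notes.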
