Hi,

We use this on our side:

$ rbd create rbd-image --size 1048576 --pool rbd --image-feature layering
$ rbd create rbd-other-image --size 1048576 --pool rbd --image-feature layering

$ rbd info rbd/rbd-image
rbd image 'rbd-image':
    size 1024 GB in 262144 objects
    order 22 (4096 kB objects)
    block_name_prefix: rbd_data.2b36cf238e1f29
    format: 2
    features: layering
    flags:

$ ceph auth get-or-create client.rbd.image mon 'allow r' osd 'allow rwx pool rbd object_prefix rbd_data.2b36cf238e1f29; allow rwx pool rbd object_prefix rbd_header.2b36cf238e1f29; allow rx pool rbd object_prefix rbd_id.rbd-image' -o /etc/ceph/ceph.client.rbd.image.keyring

$ rbd -p rbd --keyring=/etc/ceph/ceph.client.rbd.image.keyring --id=rbd.image info rbd-image
rbd image 'rbd-image':
    size 1024 GB in 262144 objects
    order 22 (4096 kB objects)
    block_name_prefix: rbd_data.2b36cf238e1f29
    format: 2
    features: layering
    flags:

$ rbd -p rbd --keyring=/etc/ceph/ceph.client.rbd.image.keyring --id=rbd.image info rbd-other-image
rbd: error opening image rbd-other-image: (1) Operation not permitted
2018-02-02 17:19:13.758624 7f38d76fd700 -1 librbd::image::OpenRequest: failed to stat v2 image header: (1) Operation not permitted
2018-02-02 17:19:13.758724 7f38d6efc700 -1 librbd::ImageState: 0x55ac0ea6b7f0 failed to open image: (1) Operation not permitted

$ rbd --keyring=/etc/ceph/ceph.client.rbd.image.keyring --id=rbd.image -p rbd ls
rbd: list: (1) Operation not permitted

Regards,

Frédéric.

On 02/02/2018 at 17:05, Gregory Farnum wrote:
I don't think it's well-integrated with the tooling, but check out the cephx docs for the "prefix" level of access. It lets you grant access only to objects whose name matches a prefix, which for rbd would be the rbd volume ID (or name? Something easy to identify).
-Greg

On Fri, Feb 2, 2018 at 7:42 AM <kna...@gmail.com> wrote:

    Hello!

    I wonder if it's possible in ceph Luminous to manage user access
    to rbd images on a per-image (but not the whole rbd pool) basis?
    I need to provide rbd images for my users but would like to
    disable their ability to list all images in a pool as well as to
    somehow access/use ones if a ceph admin didn't authorize that.
    _______________________________________________
    ceph-users mailing list
    ceph-users@lists.ceph.com
    http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
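
Added example (not part of the original messages): the OSD caps string passed to `ceph auth get-or-create` in the thread, derived from `rbd info` output rather than typed by hand. The function names and `sample_info` (constructed from the output shown in the thread) are assumptions for illustration; any input other than an `rbd_data.<hex id>` prefix is rejected.

```shell
#!/bin/sh
# Hypothetical helpers: only the caps grammar itself comes from the thread.

# Constructed sample: the `rbd info rbd/rbd-image` output shown in the thread.
sample_info() {
    cat <<'EOF'
rbd image 'rbd-image':
    size 1024 GB in 262144 objects
    order 22 (4096 kB objects)
    block_name_prefix: rbd_data.2b36cf238e1f29
    format: 2
    features: layering
EOF
}

# Read `rbd info` text on stdin and print the image id, i.e. the suffix of
# block_name_prefix. Fails unless the prefix is rbd_data.<lowercase hex>.
image_id_from_info() {
    prefix=$(sed -n 's/^[[:space:]]*block_name_prefix:[[:space:]]*//p' | head -n 1)
    case "$prefix" in
        rbd_data.*) id=${prefix#rbd_data.} ;;
        *) echo "unexpected block_name_prefix: '$prefix'" >&2; return 1 ;;
    esac
    # The id is interpolated into a caps string, so accept hex digits only.
    case "$id" in
        ''|*[!0-9a-f]*) echo "unexpected image id: '$id'" >&2; return 1 ;;
    esac
    printf '%s\n' "$id"
}

# osd_caps POOL IMAGE: read `rbd info POOL/IMAGE` on stdin, print the osd caps.
osd_caps() {
    pool=$1 image=$2
    # Pool and image names are interpolated too: refuse anything that could
    # end a clause (';', spaces, quotes) and smuggle in a broader grant.
    for name in "$pool" "$image"; do
        case "$name" in
            ''|*[!A-Za-z0-9._-]*) echo "unsafe name: '$name'" >&2; return 1 ;;
        esac
    done
    id=$(image_id_from_info) || return 1
    printf 'allow rwx pool %s object_prefix rbd_data.%s; ' "$pool" "$id"
    printf 'allow rwx pool %s object_prefix rbd_header.%s; ' "$pool" "$id"
    printf 'allow rx pool %s object_prefix rbd_id.%s\n' "$pool" "$image"
}

# Usage against a live cluster: rbd info rbd/rbd-image | osd_caps rbd rbd-image
```

The printed string is the value for the `osd` argument of `ceph auth get-or-create`, with `mon 'allow r'` supplied separately as in the thread.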


