[ceph-users] Problem with radosgw-admin subuser rm

2014-11-12 Thread Seth Mason
Hi --

I'm trying to remove a subuser but it's not removing the S3 keys when I
pass in --purge-keys.

First I create a sub-user:
$ radosgw-admin subuser create --uid=smason --subuser='smason:test' \
--access=full --key-type=s3 --gen-secret

subusers: [
{ id: smason:test,
  permissions: full-control}],
  keys: [
{ user: smason,
  access_key: B8D062SWPB560CBA3HHX,
  secret_key: snip},
{ user: smason:test,
  access_key: ERKTY5JJ1H2IXE9T5TY3,
  secret_key: snip}],


Then I try to remove the user and the keys:
$ radosgw-admin subuser rm --subuser='smason:test' --purge-keys
 subusers: [],
  keys: [
{ user: smason,
  access_key: B8D062SWPB560CBA3HHX,
  secret_key: snip},
{ user: smason:test,
  access_key: ERKTY5JJ1H2IXE9T5TY3,
  secret_key: snip}],

I'm running ceph version 0.80.5
(38b73c67d375a2552d8ed67843c8a65c2c0feba6). FWIW, I've observed the same
behavior when I use the admin ops REST API.

Let me know if I can provide any more information.

Thanks in advance,

___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
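
A check for the state reported above (subuser removed, its S3 key still listed), added here as an example; it is not part of the original post and not code from the Ceph project. It assumes the JSON shape printed by `radosgw-admin user info --uid=<uid>`, including the `user_id` and `swift_keys` fields, which do not appear in the excerpt above; the sample input is constructed from the values in the report.

```python
import json

# Constructed sample: JSON in the shape `radosgw-admin user info --uid=smason`
# is assumed to print, reproducing the reported state (subuser gone, key kept).
SAMPLE_USER_INFO = json.dumps({
    "user_id": "smason",
    "subusers": [],
    "keys": [
        {"user": "smason", "access_key": "B8D062SWPB560CBA3HHX",
         "secret_key": "snip"},
        {"user": "smason:test", "access_key": "ERKTY5JJ1H2IXE9T5TY3",
         "secret_key": "snip"},
    ],
    "swift_keys": [],
})


def orphaned_keys(user_info_json):
    """Return keys whose owner is a subuser that is no longer defined."""
    info = json.loads(user_info_json)
    uid = info["user_id"]
    live = {s["id"] for s in info.get("subusers", [])}
    orphans = []
    for key_type, field in (("s3", "keys"), ("swift", "swift_keys")):
        for key in info.get(field, []):
            owner = key["user"]
            # The parent user's own keys are expected; only subuser keys
            # ("uid:name") need a matching entry in "subusers".
            if owner != uid and owner not in live:
                orphans.append({"owner": owner, "type": key_type,
                                "access_key": key.get("access_key")})
    return orphans


def report(user_info_json):
    """One line per orphaned key; secret_key is never included."""
    return ["orphaned %s key %s still valid for removed subuser %s"
            % (o["type"], o["access_key"], o["owner"])
            for o in orphaned_keys(user_info_json)]


if __name__ == "__main__":
    for line in report(SAMPLE_USER_INFO):
        print(line)
```

Run against every user after a subuser removal, an empty result means no credentials outlived the subusers they were issued for.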


Re: [ceph-users] Encryption/Multi-tennancy

2014-03-09 Thread Seth Mason (setmason)
Why not have the application encrypt the data or at the compute server's file 
system? That way you don't have to manage keys.




Seth

On Mar 9, 2014, at 6:09 PM, Mark s2c m...@stuff2cloud.com wrote:

Ceph is seriously badass, but my requirements are to create a cluster in which 
I can host my customer's data in separate areas which are independently 
encrypted, with passphrases which we as cloud admins do not have access to.

My current thoughts are:
1. Create an OSD per machine stretching over all installed disks, then create a 
user-sized block device per customer.  Mount this block device on an access VM 
and create a LUKS container in to it followed by a zpool and then I can allow 
the users to create separate bins of data as separate ZFS filesystems in the 
container which is actually a blockdevice striped across the OSDs.
2. Create an OSD per customer and use dm-crypt, then store the dm-crypt key 
somewhere which is rendered in some way so that we cannot access it, such as a 
pgp-encrypted file using a passphrase which only the customer knows.

My questions are:
1. What are people's comments regarding this problem (irrespective of my 
thoughts)?
2. Which would be the most efficient of (1) and (2) above?
3. As per (1), would it be easy to stretch a created block dev over more OSDs 
dynamically should we increase the size of one or more? Also, what if we had 
millions of customers/block devices?

Any advice on the above would be deluxe.

M

