Re: [ceph-users] ceph client capabilities for the rados gateway

2017-06-01 Thread Diedrich Ehlerding
Gregory Farnum wrote:
> 
> 
> You've probably noticed the RGW will create pools if it needs them and
> they don't exist. That's why it "needs" the extra monitor capabilities.


Yes, I have noticed that - and yes, automatically creating the pools 
helped a lot in a lab environment to set up my first gateway. 
However, in a production environment, I expect that at least the 
.rgw.buckets.data pool will need more placement groups and/or may 
reside in an EC pool, etc. - so I expect the pools to be created 
manually in advance.

> The OSD capabilities are because 1) I don't think you could make them
> as fine-grained when that documentation was written, 2) laziness about
> specifying pools. :) 


OK. I was just wondering if there are any reasons to allow the 
gateway more or less global access - i.e. reasons which I did not 
understand. Of course, laziness is a very good reason :-)

Thank you for your comments. 

best regards
-- 
Diedrich Ehlerding, Fujitsu Technology Solutions GmbH, 
MIS ITST CE PS WST, Hildesheimer Str 25, D-30880 Laatzen
Fon +49 511 8489-1806, Fax -251806, Mobil +49 173 2464758
Company details: http://de.ts.fujitsu.com/imprint.html

___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
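The restricted capability set discussed in this thread, as an added shell example (not from the thread or the Ceph project): it builds the per-pool osd caps from a pool list and prints the matching `ceph auth get-or-create` command. The client id `client.rgw.gw1` is an assumption; the pool names are the ones quoted in the thread plus `.rgw.buckets.data`, and the command is only executed when `RGW_APPLY=1` is set and a `ceph` CLI is present.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a least-privilege cephx
# keyring entry for a RADOS gateway whose pools were created in advance.

# Emit one osd cap string granting rwx on exactly the listed pools, e.g.
#   rgw_osd_caps .rgw.root a.root
#   -> allow rwx pool=.rgw.root, allow rwx pool=a.root
rgw_osd_caps() {
    rgw_caps=""
    for rgw_pool in "$@"; do
        if [ -z "$rgw_caps" ]; then
            rgw_caps="allow rwx pool=$rgw_pool"
        else
            rgw_caps="$rgw_caps, allow rwx pool=$rgw_pool"
        fi
    done
    printf '%s' "$rgw_caps"
}

# Monitor cap: "allow r" is enough when the pools already exist. The RGW
# only needs 'w' on the mon to create pools itself, which is what the
# documented "mon allow rwx" covers (and what the thread discusses).
RGW_MON_CAPS='allow r'

# Print the auth command; apply it only when explicitly asked for.
# Usage: create_rgw_key <client id> <pool> [<pool> ...]
create_rgw_key() {
    rgw_client="$1"; shift
    rgw_osd="$(rgw_osd_caps "$@")"
    echo "ceph auth get-or-create $rgw_client mon '$RGW_MON_CAPS' osd '$rgw_osd'"
    if [ "${RGW_APPLY:-0}" = "1" ] && command -v ceph >/dev/null 2>&1; then
        ceph auth get-or-create "$rgw_client" mon "$RGW_MON_CAPS" osd "$rgw_osd"
    fi
}

# client.rgw.gw1 is an assumed client id; pool names are the thread's.
create_rgw_key client.rgw.gw1 .rgw.root a.root am.rgw.control .rgw.buckets.data
```

Review the stored entry afterwards with `ceph auth get client.rgw.gw1`; the isolation only holds if the Openstack clients' keys are confined to their own pools in the same way.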


Re: [ceph-users] ceph client capabilities for the rados gateway

2017-06-01 Thread Gregory Farnum
On Wed, May 31, 2017 at 11:20 PM Diedrich Ehlerding <
diedrich.ehlerd...@ts.fujitsu.com> wrote:

> Thank you for your response. Yes, as I wrote, the gateway seems to
> work with these settings.
>
> The reason why I am considering the capabilities is: I am trying to
> attach an Openstack environment and a gateway to the same cluster,
> and I would like to prevent the Openstack admin from accessing the S3
> gateway data and vice versa to prevent the gateway admin from accessing
> the Openstack data. I just wonder if there is a reason why the
> documentation suggests these very global capabilities.
>

You've probably noticed the RGW will create pools if it needs them and they
don't exist. That's why it "needs" the extra monitor capabilities. The OSD
capabilities are because 1) I don't think you could make them as
fine-grained when that documentation was written, 2) laziness about
specifying pools. :)

So, you should be good to go!


>
> Gregory Farnum wrote on Wed, 31 May 2017 20:07:16 +
>
> >
> > I don't work with the gateway but in general that should work.
> >
> > That said, the RGW also sees all your client data going in so I'm not
> > sure how much you buy by locking it down. If you're just trying to
> > protect against accidents with the pools, you might give it write access
> > on the monitor; any failures due to capability mismatches there would
> > likely be pretty annoying to debug!
> > -Greg
> >
> >
> > On Wed, May 31, 2017 at 12:21 AM Diedrich Ehlerding
> >  wrote:
> > Hello.
> >
> > The documentation which I found proposes to create the ceph client
> > for a rados gateway with very global capabilities, namely
> > "mon allow rwx, osd allow rwx".
> >
> > Are there any reasons for these very global capabilities (allowing
> > this client to access and modify (even remove) all pools, all rbds,
> > etc., even those in use by other ceph clients)? I tried to restrict
> > the rights, and my rados gateway seems to work with
> > capabilities "mon allow r, osd allow rwx pool=.rgw.root, allow rwx
> > pool=a.root, allow rwx pool=am.rgw.control [etc. for all the pools
> > which this gateway uses]"
> >
> > Are there any reasons not to restrict the capabilities in this way?
> --
> Diedrich Ehlerding, Fujitsu Technology Solutions GmbH,
> MIS ITST CE PS WST, Hildesheimer Str 25, D-30880 Laatzen
> Fon +49 511 8489-1806 <+49%20511%2084891806>, Fax -251806, Mobil +49 173
> 2464758 <+49%20173%202464758>
> Company details: http://de.ts.fujitsu.com/imprint.html
>
>


Re: [ceph-users] ceph client capabilities for the rados gateway

2017-06-01 Thread Diedrich Ehlerding
Thank you for your response. Yes, as I wrote, the gateway seems to 
work with these settings.

The reason why I am considering the capabilities is: I am trying to 
attach an Openstack environment and a gateway to the same cluster, 
and I would like to prevent the Openstack admin from accessing the S3 
gateway data and vice versa to prevent the gateway admin from accessing 
the Openstack data. I just wonder if there is a reason why the 
documentation suggests these very global capabilities.

Gregory Farnum wrote on Wed, 31 May 2017 20:07:16 +

> 
> I don't work with the gateway but in general that should work. 
> 
> That said, the RGW also sees all your client data going in so I'm not 
> sure how much you buy by locking it down. If you're just trying to 
> protect against accidents with the pools, you might give it write access 
> on the monitor; any failures due to capability mismatches there would 
> likely be pretty annoying to debug!
> -Greg
> 
> 
> On Wed, May 31, 2017 at 12:21 AM Diedrich Ehlerding 
>  wrote:
> Hello.
> 
> The documentation which I found proposes to create the ceph client
> for a rados gateway with very global capabilities, namely
> "mon allow rwx, osd allow rwx".
> 
> Are there any reasons for these very global capabilities (allowing
> this client to access and modify (even remove) all pools, all rbds,
> etc., even those in use by other ceph clients)? I tried to restrict
> the rights, and my rados gateway seems to work with
> capabilities "mon allow r, osd allow rwx pool=.rgw.root, allow rwx
> pool=a.root, allow rwx pool=am.rgw.control [etc. for all the pools
> which this gateway uses]"
> 
> Are there any reasons not to restrict the capabilities in this way?
-- 
Diedrich Ehlerding, Fujitsu Technology Solutions GmbH, 
MIS ITST CE PS WST, Hildesheimer Str 25, D-30880 Laatzen
Fon +49 511 8489-1806, Fax -251806, Mobil +49 173 2464758
Company details: http://de.ts.fujitsu.com/imprint.html



[ceph-users] ceph client capabilities for the rados gateway

2017-05-31 Thread Diedrich Ehlerding
Hello.

The documentation which I found proposes to create the ceph client 
for a rados gateway with very global capabilities, namely
"mon allow rwx, osd allow rwx". 

Are there any reasons for these very global capabilities (allowing 
this client to access and modify (even remove) all pools, all rbds, 
etc., even those in use by other ceph clients)? I tried to restrict 
the rights, and my rados gateway seems to work with 
capabilities "mon allow r, osd allow rwx pool=.rgw.root, allow rwx 
pool=a.root, allow rwx pool=am.rgw.control [etc. for all the pools 
which this gateway uses]" 

Are there any reasons not to restrict the capabilities in this way?

Thank you.
-- 
Diedrich Ehlerding, Fujitsu Technology Solutions GmbH, 
MIS ITST CE PS WST, Hildesheimer Str 25, D-30880 Laatzen
Fon +49 511 8489-1806, Fax -251806, Mobil +49 173 2464758
Company details: http://de.ts.fujitsu.com/imprint.html
