Re: [ceph-users] ceph client capabilities for the rados gateway
Gregory Farnum wrote:

> You've probably noticed the RGW will create pools if it needs them and
> they don't exist. That's why it "needs" the extra monitor capabilities.

Yes, I have noticed that - and yes, automatically creating the pools helped a lot in a lab environment to set up my first gateway. However, in a production environment, I expect that at least the .rgw.buckets.data pool will need more placement groups and/or may reside in an EC pool, etc. - so I expect the pools to be created manually in advance.

> The OSD capabilities are because 1) I don't think you could make them
> as fine-grained when that documentation was written, 2) laziness about
> specifying pools. :)

OK. I was just wondering if there are any reasons to allow the gateway more or less global access - i.e. reasons which I did not understand. Of course, laziness is a very good reason :-)

Thank you for your comments.

best regards
--
Diedrich Ehlerding, Fujitsu Technology Solutions GmbH,
MIS ITST CE PS WST, Hildesheimer Str 25, D-30880 Laatzen
Fon +49 511 8489-1806, Fax -251806, Mobil +49 173 2464758
Firmenangaben: http://de.ts.fujitsu.com/imprint.html

___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] ceph client capabilities for the rados gateway
On Wed, May 31, 2017 at 11:20 PM Diedrich Ehlerding <diedrich.ehlerd...@ts.fujitsu.com> wrote:

> Thank you for your response. Yes, as I wrote, the gateway seems to
> work with these settings.
>
> The reason why I am considering the capabilities is: I am trying to
> attach an Openstack environment and a gateway to the same cluster,
> and I would like to prevent the Openstack admin to access the S3
> gateway data and vice versa to prevent the gateway admin to access
> the Openstack data. I just wonder if there is a reason why the
> documentation suggests these very global capabilities

You've probably noticed the RGW will create pools if it needs them and they don't exist. That's why it "needs" the extra monitor capabilities.

The OSD capabilities are because 1) I don't think you could make them as fine-grained when that documentation was written, 2) laziness about specifying pools. :)

So, you should be good to go!

> Gregory Farnum wrote on Wed, 31 May 2017 20:07:16 +
>
> > I don't work with the gateway but in general that should work.
> >
> > That said, the RGW also sees all your client data going in so I'm not
> > sure how much you buy by locking it down. If you're just trying to
> > protect against accidents with the pools, you might give it write access
> > on the monitor; any failures due to capability mismatches there would
> > likely be pretty annoying to debug!
> > -Greg
> >
> > On Wed, May 31, 2017 at 12:21 AM Diedrich Ehlerding wrote:
> > > Hello.
> > >
> > > The documentation which I found proposes to create the ceph client
> > > for a rados gateway with very global capabilities, namely
> > > "mon allow rwx, osd allow rwx".
> > >
> > > Are there any reasons for these very global capabilities (allowing
> > > this client to access and modify (even remove) all pools, all rbds,
> > > etc., even those in use by other ceph clients)? I tried to restrict
> > > the rights, and my rados gateway seems to work with
> > > capabilities "mon allow r, osd allow rwx pool=.rgw.root, allow rwx
> > > pool=a.root, allow rwx pool=am.rgw.control [etc. for all the pools
> > > which this gateway uses]"
> > >
> > > Are there any reasons not to restrict the capabilities in this way?
>
> --
> Diedrich Ehlerding, Fujitsu Technology Solutions GmbH,
> MIS ITST CE PS WST, Hildesheimer Str 25, D-30880 Laatzen
> Fon +49 511 8489-1806, Fax -251806, Mobil +49 173 2464758
> Firmenangaben: http://de.ts.fujitsu.com/imprint.html
Re: [ceph-users] ceph client capabilities for the rados gateway
Thank you for your response. Yes, as I wrote, the gateway seems to work with these settings.

The reason why I am considering the capabilities is: I am trying to attach an Openstack environment and a gateway to the same cluster, and I would like to prevent the Openstack admin to access the S3 gateway data and vice versa to prevent the gateway admin to access the Openstack data. I just wonder if there is a reason why the documentation suggests these very global capabilities.

Gregory Farnum wrote on Wed, 31 May 2017 20:07:16 +

> I don't work with the gateway but in general that should work.
>
> That said, the RGW also sees all your client data going in so I'm not
> sure how much you buy by locking it down. If you're just trying to
> protect against accidents with the pools, you might give it write access
> on the monitor; any failures due to capability mismatches there would
> likely be pretty annoying to debug!
> -Greg
>
> On Wed, May 31, 2017 at 12:21 AM Diedrich Ehlerding wrote:
> > Hello.
> >
> > The documentation which I found proposes to create the ceph client
> > for a rados gateway with very global capabilities, namely
> > "mon allow rwx, osd allow rwx".
> >
> > Are there any reasons for these very global capabilities (allowing
> > this client to access and modify (even remove) all pools, all rbds,
> > etc., even those in use by other ceph clients)? I tried to restrict
> > the rights, and my rados gateway seems to work with
> > capabilities "mon allow r, osd allow rwx pool=.rgw.root, allow rwx
> > pool=a.root, allow rwx pool=am.rgw.control [etc. for all the pools
> > which this gateway uses]"
> >
> > Are there any reasons not to restrict the capabilities in this way?

--
Diedrich Ehlerding, Fujitsu Technology Solutions GmbH,
MIS ITST CE PS WST, Hildesheimer Str 25, D-30880 Laatzen
Fon +49 511 8489-1806, Fax -251806, Mobil +49 173 2464758
Firmenangaben: http://de.ts.fujitsu.com/imprint.html
[ceph-users] ceph client capabilities for the rados gateway
Hello.

The documentation which I found proposes to create the ceph client for a rados gateway with very global capabilities, namely "mon allow rwx, osd allow rwx".

Are there any reasons for these very global capabilities (allowing this client to access and modify (even remove) all pools, all rbds, etc., even those in use by other ceph clients)? I tried to restrict the rights, and my rados gateway seems to work with capabilities "mon allow r, osd allow rwx pool=.rgw.root, allow rwx pool=a.root, allow rwx pool=am.rgw.control [etc. for all the pools which this gateway uses]"

Are there any reasons not to restrict the capabilities in this way?

Thank you.
--
Diedrich Ehlerding, Fujitsu Technology Solutions GmbH,
MIS ITST CE PS WST, Hildesheimer Str 25, D-30880 Laatzen
Fon +49 511 8489-1806, Fax -251806, Mobil +49 173 2464758
Firmenangaben: http://de.ts.fujitsu.com/imprint.html
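The thread compares the documented global caps ("mon allow rwx, osd allow rwx") with the pool-scoped form the original poster used. The following is an added example, not code from the thread or from the Ceph project: a small evaluator for the subset of the cephx OSD capability grammar used above (`allow <rwx> [pool=<name>]`, comma-separated clauses; `namespace=`, `object_prefix` and `profile` caps are deliberately not modelled), plus a builder that emits the pool-scoped cap string and the matching `ceph auth get-or-create` command. The OpenStack pool names `volumes` and `images` and the client name `client.rgw.gw1` are constructed for the illustration; the RGW pool names are the ones quoted in the thread.

```python
import re
from typing import List, NamedTuple, Optional

# Subset of the cephx OSD cap grammar discussed in the thread (assumption:
# only 'allow <perms> [pool=<name>]' clauses, separated by commas).
CLAUSE_RE = re.compile(r"^allow\s+([rwx]+)(?:\s+pool=(\S+))?$")


class OsdCapClause(NamedTuple):
    perms: frozenset          # subset of {'r', 'w', 'x'}
    pool: Optional[str]       # None means the clause applies to every pool


def parse_osd_caps(caps: str) -> List[OsdCapClause]:
    """Parse 'allow rwx pool=.rgw.root, allow r' into clauses.
    Raises ValueError on any clause outside the modelled subset."""
    clauses = []
    for raw in caps.split(","):
        raw = raw.strip()
        m = CLAUSE_RE.match(raw)
        if not m:
            raise ValueError(f"unsupported OSD cap clause: {raw!r}")
        perms, pool = m.groups()
        clauses.append(OsdCapClause(frozenset(perms), pool))
    return clauses


def can_access(caps: str, pool: str, perm: str) -> bool:
    """True if some clause grants `perm` ('r', 'w' or 'x') on `pool`.
    A clause with no pool= (the documented 'osd allow rwx') matches every pool."""
    return any(
        perm in c.perms and (c.pool is None or c.pool == pool)
        for c in parse_osd_caps(caps)
    )


def writable_pools(caps: str, pools: List[str]) -> List[str]:
    """Subset of `pools` that a client holding `caps` may write to."""
    return [p for p in pools if can_access(caps, p, "w")]


def rgw_osd_caps(pools: List[str]) -> str:
    """Build the pool-scoped OSD cap string in the form the original poster used."""
    return ", ".join(f"allow rwx pool={p}" for p in pools)


def ceph_auth_command(client: str, pools: List[str]) -> str:
    """Render the 'ceph auth get-or-create' call for a pool-scoped RGW key.
    'mon allow r' follows the thread: the gateway then cannot create pools
    itself, so they must exist before it starts."""
    return (f"ceph auth get-or-create {client} "
            f"mon 'allow r' osd '{rgw_osd_caps(pools)}'")


if __name__ == "__main__":
    # Pool names from the thread plus two constructed OpenStack pools.
    rgw_pools = [".rgw.root", "a.root", "am.rgw.control"]
    all_pools = rgw_pools + ["volumes", "images"]

    documented = "allow rwx"                 # the caps the documentation proposes
    scoped = rgw_osd_caps(rgw_pools)         # the caps the poster tried

    print("documented caps can write to:", writable_pools(documented, all_pools))
    print("pool-scoped caps can write to:", writable_pools(scoped, all_pools))
    print(ceph_auth_command("client.rgw.gw1", rgw_pools))
```

Running it shows the difference the thread is about: with the documented string every pool, including the OpenStack ones, is writable by the gateway key, whereas the scoped string confines it to the RGW pools. Any pool the gateway later needs has to be created by an administrator and appended to the cap string, since the key holds no monitor write capability.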