On Fri, Jan 24, 2020 at 1:43 PM Frank Schilder <frans(a)dtu.dk> wrote:
> Dear Ilya,
>
> I had exactly the same problem with authentication of cephfs clients on a mimic-13.2.2
> cluster. The key created with "ceph fs authorize ..." did not grant access to
> the data pool. I ended up adding "rw" access to this pool by hand.
>
> Following up on your remark about pool tags, could you please point me to any
> documentation about how this tagging is used and what key-value pair you are referring to?
> It sounds like this is the new way to go, but I cannot find anything useful about it in
> here:
>
> https://docs.ceph.com/docs/mimic/cephfs/client-auth/

Hi Frank,
This is the correct page, but this key-value pair is more or less an
internal implementation detail. "ceph fs authorize" is all the users
should know about, but there seems to be a bug lurking there.
In general, for a cap that looks like

    allow <r/w/x> tag <tag name> <key>=<value>

the OSD will allow <r/w/x> access to the pool iff a) the pool is tagged
with <tag name> and b) the tag metadata has that <key>: <value> pair in
it. In the cephfs case, the key is "data" for data pool and "metadata"
for metadata pools, the value is the name of the filesystem.

Thanks,
Ilya
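
The matching rule described in the reply above, as an added example that is not part of the original thread and is not Ceph's own code. It is a simplified model of conditions (a) and (b); the tag name "cephfs", the pool names and the filesystem name "myfs" are constructed sample values.

```python
import re

# Simplified model of a tag cap: allow <r/w/x> tag <tag name> <key>=<value>
# This is an illustration of the rule, not Ceph's cap parser.
CAP_RE = re.compile(
    r"^allow\s+(?P<perms>[rwx]+)\s+tag\s+(?P<tag>\S+)\s+"
    r"(?P<key>[^=\s]+)=(?P<value>\S+)$"
)


def parse_tag_cap(cap):
    """Split a tag cap into its permissions, tag name, key and value."""
    m = CAP_RE.match(cap.strip())
    if m is None:
        raise ValueError(f"not a tag cap: {cap!r}")
    return {"perms": set(m["perms"]), "tag": m["tag"],
            "key": m["key"], "value": m["value"]}


def cap_allows(cap, pool_tags, wanted):
    """pool_tags maps tag name -> {key: value}; wanted is e.g. 'rw'."""
    c = parse_tag_cap(cap)
    meta = pool_tags.get(c["tag"])
    if meta is None:                      # (a) pool is not tagged with <tag name>
        return False
    if meta.get(c["key"]) != c["value"]:  # (b) <key>: <value> pair is missing
        return False
    return set(wanted) <= c["perms"]      # requested access must be in the cap


# Constructed sample pools and their tag metadata.
POOLS = {
    "fs_data": {"cephfs": {"data": "myfs"}},
    "fs_meta": {"cephfs": {"metadata": "myfs"}},
    "other_data": {"cephfs": {"data": "otherfs"}},
    "untagged": {},
}
CAP = "allow rw tag cephfs data=myfs"


def evaluate(cap=CAP, pools=POOLS, wanted="rw"):
    """Return {pool name: allowed?} for one cap across all sample pools."""
    return {name: cap_allows(cap, tags, wanted) for name, tags in pools.items()}


if __name__ == "__main__":
    for pool, ok in evaluate().items():
        print(f"{pool:12} {'allowed' if ok else 'denied'}")
```

Under this rule a data pool with no tag metadata, or with metadata naming a different filesystem, is denied even though the cap itself is well formed, so the pool's tag metadata is the first thing to compare against the cap when a key does not grant the expected access.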