ceph-csi/docs/capabilities.md

# Capabilities of a user required for ceph-csi in a Ceph cluster

Ceph uses the term _capabilities_ to describe authorizations for an
authenticated user
to exercise the functionality of the monitors, OSDs and metadata servers.
Capabilities can also restrict access to data within a pool or pool namespace.
A Ceph administrative user sets a user's capabilities when creating or
updating a user. In secret we have user id and user key and in order to
perform certain actions, the user needs to have some specific capabilities.
Hence, those capabilities are documented below.

## RBD

We have provisioner, controller expand and node stage secrets in storageclass.
For RBD the user needs to have the below Ceph capabilities:

```
mgr "profile rbd pool=csi"
osd "profile rbd pool=csi"
mon "profile rbd"
```

## CephFS

Similarly in CephFS, we have provisioner, controller expand and node stage
secrets in storageclass, the user needs to have the below mentioned ceph
capabilities:

```
mgr "allow rw"
osd "allow rw tag cephfs metadata=cephfs, allow rw tag cephfs data=cephfs"
mds "allow r fsname=cephfs path=/volumes, allow rws fsname=cephfs path=/volumes/csi"
mon "allow r fsname=cephfs"
```

To get more insights on capabilities of CephFS you can refer
[this document](https://ceph.readthedocs.io/en/latest/cephfs/client-auth/)

## Command to a create user with required capabilities

`USER`, `POOL` and `FS_NAME` with `SUB_VOL` variables below is subject to
change, please adjust them to your needs.

### create user for RBD

The command for provisioner and node stage secret for rbd will be same as
they have similar capability requirements.

```bash
USER=csi-rbd
POOL=csi
ceph auth get-or-create client.$USER \
  mgr "profile rbd pool=$POOL" \
  osd "profile rbd pool=$POOL"
  mon "profile rbd"
```

### create user for CephFS

```bash
USER=csi-cephfs
FS_NAME=cephfs
SUB_VOL=csi
ceph auth get-or-create client.$USER \
  mgr "allow rw" \
  osd "allow rw tag cephfs metadata=$FS_NAME, allow rw tag cephfs data=$FS_NAME" \
  mds "allow r fsname=$FS_NAME path=/volumes, allow rws fsname=$FS_NAME path=/volumes/$SUB_VOL" \
  mon "allow r fsname=$FS_NAME"
```
doc: Correct title of capabilities doc Correct capabilities doc with minor nits. Signed-off-by: Yug <yuggupta27@gmail.com> 2020-08-21 10:10:15 +00:00			`# Capabilities of a user required for ceph-csi in a Ceph cluster`
doc: documentation updates on capabilities Documents exact capabilities a id requires against a Ceph cluster for RBD and CephFS plugins. Signed-off-by: yati1998 <ypadia@redhat.com> 2020-07-27 05:37:17 +00:00
doc: minor cleanup Signed-off-by: Anthony D'Atri <anthonyeleven@users.noreply.github.com> 2022-07-31 08:24:26 +00:00			`Ceph uses the term _capabilities_ to describe authorizations for an`
			`authenticated user`
doc: documentation updates on capabilities Documents exact capabilities a id requires against a Ceph cluster for RBD and CephFS plugins. Signed-off-by: yati1998 <ypadia@redhat.com> 2020-07-27 05:37:17 +00:00			`to exercise the functionality of the monitors, OSDs and metadata servers.`
			`Capabilities can also restrict access to data within a pool or pool namespace.`
			`A Ceph administrative user sets a user's capabilities when creating or`
			`updating a user. In secret we have user id and user key and in order to`
			`perform certain actions, the user needs to have some specific capabilities.`
			`Hence, those capabilities are documented below.`

			`## RBD`

doc: minor cleanup Signed-off-by: Anthony D'Atri <anthonyeleven@users.noreply.github.com> 2022-07-31 08:24:26 +00:00			`We have provisioner, controller expand and node stage secrets in storageclass.`
doc: Update capabilities readme to solve to open permissions Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com> 2024-03-03 10:45:14 +00:00			`For RBD the user needs to have the below Ceph capabilities:`
doc: documentation updates on capabilities Documents exact capabilities a id requires against a Ceph cluster for RBD and CephFS plugins. Signed-off-by: yati1998 <ypadia@redhat.com> 2020-07-27 05:37:17 +00:00
cleanup: remove the use of text in markdown We do not have `text` in the new section of the MarkDown Rules. Hence dropping them. Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com> 2020-11-11 07:27:40 +00:00			```
doc: Update capabilities readme to solve to open permissions Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com> 2024-03-03 10:45:14 +00:00			`mgr "profile rbd pool=csi"`
			`osd "profile rbd pool=csi"`
			`mon "profile rbd"`
doc: documentation updates on capabilities Documents exact capabilities a id requires against a Ceph cluster for RBD and CephFS plugins. Signed-off-by: yati1998 <ypadia@redhat.com> 2020-07-27 05:37:17 +00:00			```

			`## CephFS`

doc: Update capabilities readme to solve to open permissions Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com> 2024-03-03 10:45:14 +00:00			`Similarly in CephFS, we have provisioner, controller expand and node stage`
			`secrets in storageclass, the user needs to have the below mentioned ceph`
			`capabilities:`
doc: documentation updates on capabilities Documents exact capabilities a id requires against a Ceph cluster for RBD and CephFS plugins. Signed-off-by: yati1998 <ypadia@redhat.com> 2020-07-27 05:37:17 +00:00
cleanup: remove the use of text in markdown We do not have `text` in the new section of the MarkDown Rules. Hence dropping them. Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com> 2020-11-11 07:27:40 +00:00			```
doc: Update capabilities readme to solve to open permissions Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com> 2024-03-03 10:45:14 +00:00			`mgr "allow rw"`
			`osd "allow rw tag cephfs metadata=cephfs, allow rw tag cephfs data=cephfs"`
			`mds "allow r fsname=cephfs path=/volumes, allow rws fsname=cephfs path=/volumes/csi"`
			`mon "allow r fsname=cephfs"`
doc: documentation updates on capabilities Documents exact capabilities a id requires against a Ceph cluster for RBD and CephFS plugins. Signed-off-by: yati1998 <ypadia@redhat.com> 2020-07-27 05:37:17 +00:00			```

doc: minor cleanup Signed-off-by: Anthony D'Atri <anthonyeleven@users.noreply.github.com> 2022-07-31 08:24:26 +00:00			`To get more insights on capabilities of CephFS you can refer`
doc: documentation updates on capabilities Documents exact capabilities a id requires against a Ceph cluster for RBD and CephFS plugins. Signed-off-by: yati1998 <ypadia@redhat.com> 2020-07-27 05:37:17 +00:00			`[this document](https://ceph.readthedocs.io/en/latest/cephfs/client-auth/)`

			`## Command to a create user with required capabilities`

doc: Update capabilities readme to solve to open permissions Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com> 2024-03-03 10:45:14 +00:00			`USER`, `POOL` and `FS_NAME` with `SUB_VOL` variables below is subject to
			`change, please adjust them to your needs.`
doc: documentation updates on capabilities Documents exact capabilities a id requires against a Ceph cluster for RBD and CephFS plugins. Signed-off-by: yati1998 <ypadia@redhat.com> 2020-07-27 05:37:17 +00:00
			`### create user for RBD`

			`The command for provisioner and node stage secret for rbd will be same as`
doc: Correct title of capabilities doc Correct capabilities doc with minor nits. Signed-off-by: Yug <yuggupta27@gmail.com> 2020-08-21 10:10:15 +00:00			`they have similar capability requirements.`
doc: documentation updates on capabilities Documents exact capabilities a id requires against a Ceph cluster for RBD and CephFS plugins. Signed-off-by: yati1998 <ypadia@redhat.com> 2020-07-27 05:37:17 +00:00
			```bash
doc: Update capabilities readme to solve to open permissions Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com> 2024-03-03 10:45:14 +00:00			`USER=csi-rbd`
			`POOL=csi`
			`ceph auth get-or-create client.$USER \`
			`mgr "profile rbd pool=$POOL" \`
			`osd "profile rbd pool=$POOL"`
			`mon "profile rbd"`
doc: documentation updates on capabilities Documents exact capabilities a id requires against a Ceph cluster for RBD and CephFS plugins. Signed-off-by: yati1998 <ypadia@redhat.com> 2020-07-27 05:37:17 +00:00			```

			`### create user for CephFS`

			```bash
doc: Update capabilities readme to solve to open permissions Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com> 2024-03-03 10:45:14 +00:00			`USER=csi-cephfs`
			`FS_NAME=cephfs`
			`SUB_VOL=csi`
			`ceph auth get-or-create client.$USER \`
			`mgr "allow rw" \`
			`osd "allow rw tag cephfs metadata=$FS_NAME, allow rw tag cephfs data=$FS_NAME" \`
			`mds "allow r fsname=$FS_NAME path=/volumes, allow rws fsname=$FS_NAME path=/volumes/$SUB_VOL" \`
			`mon "allow r fsname=$FS_NAME"`
doc: Correct title of capabilities doc Correct capabilities doc with minor nits. Signed-off-by: Yug <yuggupta27@gmail.com> 2020-08-21 10:10:15 +00:00			```