mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2024-09-16 13:39:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

doc: Update capabilities readme to solve to open permissions

Browse Source 
Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com>
This commit is contained in:
Dmitriy Alekseev 2024-03-03 12:45:14 +02:00 committed by mergify[bot]
parent 47b202554e
commit 6c43789de4
1 changed files with 27 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
docs/capabilities.md
View File

@ -12,43 +12,25 @@ Hence, those capabilities are documented below.
## RBD
We have provisioner, controller expand and node stage secrets in storageclass.
For the provisioner and controller expand stage secrets in storageclass, the
user needs to have the below Ceph capabilities.
For RBD the user needs to have the below Ceph capabilities:
```
"mon", "profile rbd",
"mgr", "allow rw",
"osd", "profile rbd"
```
And for the node stage secret in storageclass, the user needs to have the
below mentioned ceph capabilities.
```
"mon", "profile rbd",
"osd", "profile rbd",
"mgr", "allow rw"
mgr "profile rbd pool=csi"
osd "profile rbd pool=csi"
mon "profile rbd"
```
## CephFS
Similarly in CephFS, for the provisioner and controller expand stage secret in
storageclass, the user needs to have the below mentioned ceph capabilities.
Similarly in CephFS, we have provisioner, controller expand and node stage
secrets in storageclass, the user needs to have the below mentioned ceph
capabilities:
```
"mon", "allow r",
"mgr", "allow rw",
"osd", "allow rw tag cephfs metadata=*"
```
And for node stage secret in storageclass, the user needs to have
the below mentioned ceph capabilities.
```
"mon", "allow r",
"mgr", "allow rw",
"osd", "allow rw tag cephfs *=*",
"mds", "allow rw"
mgr "allow rw"
osd "allow rw tag cephfs metadata=cephfs, allow rw tag cephfs data=cephfs"
mds "allow r fsname=cephfs path=/volumes, allow rws fsname=cephfs path=/volumes/csi"
mon "allow r fsname=cephfs"
```
To get more insights on capabilities of CephFS you can refer
@ -56,8 +38,8 @@ To get more insights on capabilities of CephFS you can refer
## Command to a create user with required capabilities
`kubernetes` in the below commands represents an user which is subjected
to change as per your requirement.
`USER`, `POOL` and `FS_NAME` with `SUB_VOL` variables below is subject to
change, please adjust them to your needs.
### create user for RBD
@ -65,25 +47,23 @@ The command for provisioner and node stage secret for rbd will be same as
they have similar capability requirements.
```bash
ceph auth get-or-create client.kubernetes \
mon 'profile rbd' \
osd 'profile rbd' \
mgr 'allow rw'
USER=csi-rbd
POOL=csi
ceph auth get-or-create client.$USER \
mgr "profile rbd pool=$POOL" \
osd "profile rbd pool=$POOL"
mon "profile rbd"
```
### create user for CephFS
```bash
ceph auth get-or-create client.kubernetes \
mon 'allow r' \
osd 'allow rw tag cephfs metadata=*' \
mgr 'allow rw'
```
```bash
ceph auth get-or-create client.kubernetes \
mon 'allow r' \
osd 'allow rw tag cephfs *=*' \
mgr 'allow rw' \
mds 'allow rw'
USER=csi-cephfs
FS_NAME=cephfs
SUB_VOL=csi
ceph auth get-or-create client.$USER \
mgr "allow rw" \
osd "allow rw tag cephfs metadata=$FS_NAME, allow rw tag cephfs data=$FS_NAME" \
mds "allow r fsname=$FS_NAME path=/volumes, allow rws fsname=$FS_NAME path=/volumes/$SUB_VOL" \
mon "allow r fsname=$FS_NAME"
```