mirror of https://github.com/ceph/ceph-csi.git, synced 2024-11-17 11:50:18 +00:00
doc: Update capabilities readme to solve to open permissions
Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com>
parent 47b202554e
commit 6c43789de4
@ -12,43 +12,25 @@ Hence, those capabilities are documented below.
|
||||
## RBD
|
||||
|
||||
We have provisioner, controller expand and node stage secrets in storageclass.
|
||||
For the provisioner and controller expand stage secrets in storageclass, the
|
||||
user needs to have the below Ceph capabilities.
|
||||
For RBD the user needs to have the below Ceph capabilities:
|
||||
|
||||
```
|
||||
"mon", "profile rbd",
|
||||
"mgr", "allow rw",
|
||||
"osd", "profile rbd"
|
||||
```
|
||||
|
||||
And for the node stage secret in storageclass, the user needs to have the
|
||||
below mentioned ceph capabilities.
|
||||
|
||||
```
|
||||
"mon", "profile rbd",
|
||||
"osd", "profile rbd",
|
||||
"mgr", "allow rw"
|
||||
mgr "profile rbd pool=csi"
|
||||
osd "profile rbd pool=csi"
|
||||
mon "profile rbd"
|
||||
```
|
||||
|
||||
## CephFS
|
||||
|
||||
Similarly in CephFS, for the provisioner and controller expand stage secret in
|
||||
storageclass, the user needs to have the below mentioned ceph capabilities.
|
||||
Similarly in CephFS, we have provisioner, controller expand and node stage
|
||||
secrets in storageclass, the user needs to have the below mentioned ceph
|
||||
capabilities:
|
||||
|
||||
```
|
||||
"mon", "allow r",
|
||||
"mgr", "allow rw",
|
||||
"osd", "allow rw tag cephfs metadata=*"
|
||||
```
|
||||
|
||||
And for node stage secret in storageclass, the user needs to have
|
||||
the below mentioned ceph capabilities.
|
||||
|
||||
```
|
||||
"mon", "allow r",
|
||||
"mgr", "allow rw",
|
||||
"osd", "allow rw tag cephfs *=*",
|
||||
"mds", "allow rw"
|
||||
mgr "allow rw"
|
||||
osd "allow rw tag cephfs metadata=cephfs, allow rw tag cephfs data=cephfs"
|
||||
mds "allow r fsname=cephfs path=/volumes, allow rws fsname=cephfs path=/volumes/csi"
|
||||
mon "allow r fsname=cephfs"
|
||||
```
|
||||
|
||||
To get more insights on capabilities of CephFS you can refer
|
||||
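Review bot: In the new CephFS block, `mgr "allow rw"` is left unscoped while the RBD block narrows mgr to `profile rbd pool=csi`, and the rewritten text no longer says how the single capability set maps to the provisioner, controller expand and node stage secrets that the old text treated separately. Given that the commit is about reducing open permissions, add a sentence stating that one user is intended for all three secrets and why mgr keeps `allow rw` for CephFS. The literals in `pool=csi`, `fsname=cephfs` and `path=/volumes/csi` should be marked as example values here, since the variables are only introduced in the later section. The merged CephFS sentence ("we have provisioner, controller expand and node stage secrets in storageclass, the user needs to have ...") is a comma splice and reads better as two sentences.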
@ -56,8 +38,8 @@ To get more insights on capabilities of CephFS you can refer
|
||||
|
||||
## Command to a create user with required capabilities
|
||||
|
||||
`kubernetes` in the below commands represents an user which is subjected
|
||||
to change as per your requirement.
|
||||
`USER`, `POOL` and `FS_NAME` with `SUB_VOL` variables below is subject to
|
||||
change, please adjust them to your needs.
|
||||
|
||||
### create user for RBD
|
||||
|
||||
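Review bot: The new sentence "`USER`, `POOL` and `FS_NAME` with `SUB_VOL` variables below is subject to change" has a subject/verb mismatch and does not say that the values are examples. Suggest "The `USER`, `POOL`, `FS_NAME` and `SUB_VOL` variables below are examples; adjust them to your needs." While this area is being touched, the heading in the context line, "Command to a create user with required capabilities", could be corrected to "Command to create a user with required capabilities".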
@ -65,25 +47,23 @@ The command for provisioner and node stage secret for rbd will be same as
|
||||
they have similar capability requirements.
|
||||
|
||||
```bash
|
||||
ceph auth get-or-create client.kubernetes \
|
||||
mon 'profile rbd' \
|
||||
osd 'profile rbd' \
|
||||
mgr 'allow rw'
|
||||
USER=csi-rbd
|
||||
POOL=csi
|
||||
ceph auth get-or-create client.$USER \
|
||||
mgr "profile rbd pool=$POOL" \
|
||||
osd "profile rbd pool=$POOL"
|
||||
mon "profile rbd"
|
||||
```
|
||||
|
||||
### create user for CephFS
|
||||
|
||||
```bash
|
||||
ceph auth get-or-create client.kubernetes \
|
||||
mon 'allow r' \
|
||||
osd 'allow rw tag cephfs metadata=*' \
|
||||
mgr 'allow rw'
|
||||
```
|
||||
|
||||
```bash
|
||||
ceph auth get-or-create client.kubernetes \
|
||||
mon 'allow r' \
|
||||
osd 'allow rw tag cephfs *=*' \
|
||||
mgr 'allow rw' \
|
||||
mds 'allow rw'
|
||||
USER=csi-cephfs
|
||||
FS_NAME=cephfs
|
||||
SUB_VOL=csi
|
||||
ceph auth get-or-create client.$USER \
|
||||
mgr "allow rw" \
|
||||
osd "allow rw tag cephfs metadata=$FS_NAME, allow rw tag cephfs data=$FS_NAME" \
|
||||
mds "allow r fsname=$FS_NAME path=/volumes, allow rws fsname=$FS_NAME path=/volumes/$SUB_VOL" \
|
||||
mon "allow r fsname=$FS_NAME"
|
||||
```
|
||||
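Review bot: In the new RBD command, the line `osd "profile rbd pool=$POOL"` has no trailing `\`, so the shell ends the `ceph auth get-or-create` command there and tries to run `mon "profile rbd"` as a separate command; the user is created without the mon capability that the capabilities section lists. Add the continuation backslash after the osd line, as the CephFS command in the same hunk does on every line before its last. The context sentence above the RBD block still refers to "provisioner and node stage secret for rbd" having similar requirements, which no longer matches the single-user wording introduced earlier in this commit and should be reworded to match.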