doc: Update capabilities readme to solve to open permissions

Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com>
Dmitriy Alekseev 2024-03-03 12:45:14 +02:00 committed by mergify[bot]
parent 47b202554e
commit 6c43789de4


@ -12,43 +12,25 @@ Hence, those capabilities are documented below.
## RBD ## RBD
We have provisioner, controller expand and node stage secrets in storageclass. We have provisioner, controller expand and node stage secrets in storageclass.
For the provisioner and controller expand stage secrets in storageclass, the For RBD the user needs to have the below Ceph capabilities:
user needs to have the below Ceph capabilities.
``` ```
"mon", "profile rbd", mgr "profile rbd pool=csi"
"mgr", "allow rw", osd "profile rbd pool=csi"
"osd", "profile rbd" mon "profile rbd"
```
And for the node stage secret in storageclass, the user needs to have the
below mentioned ceph capabilities.
```
"mon", "profile rbd",
"osd", "profile rbd",
"mgr", "allow rw"
``` ```
## CephFS ## CephFS
Similarly in CephFS, for the provisioner and controller expand stage secret in Similarly in CephFS, we have provisioner, controller expand and node stage
storageclass, the user needs to have the below mentioned ceph capabilities. secrets in storageclass, the user needs to have the below mentioned ceph
capabilities:
``` ```
"mon", "allow r", mgr "allow rw"
"mgr", "allow rw", osd "allow rw tag cephfs metadata=cephfs, allow rw tag cephfs data=cephfs"
"osd", "allow rw tag cephfs metadata=*" mds "allow r fsname=cephfs path=/volumes, allow rws fsname=cephfs path=/volumes/csi"
``` mon "allow r fsname=cephfs"
And for node stage secret in storageclass, the user needs to have
the below mentioned ceph capabilities.
```
"mon", "allow r",
"mgr", "allow rw",
"osd", "allow rw tag cephfs *=*",
"mds", "allow rw"
``` ```
To get more insights on capabilities of CephFS you can refer To get more insights on capabilities of CephFS you can refer
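Review bot: the new RBD and CephFS capability blocks hardcode `pool=csi`, `fsname=cephfs` and `path=/volumes/csi` without saying these are example values, while the later section parametrises the same strings as `$POOL`, `$FS_NAME` and `$SUB_VOL`; add a sentence before each block stating that `csi` and `cephfs` stand for the pool, filesystem and subvolume group the CSI driver is configured with, otherwise readers copying the block verbatim get a key bound to the wrong pool or filesystem. Scoping the grants to a pool, an `fsname` and a `path` instead of the removed `allow rw tag cephfs *=*` and bare `mds "allow rw"` is the right direction; one short note that `rws` on `/volumes/csi` adds `s` (snapshot creation) on top of `rw` would explain the only flag not present in the old text. The CephFS intro is also a run-on: split "Similarly in CephFS, we have provisioner, controller expand and node stage secrets in storageclass, the user needs to have the below mentioned ceph capabilities:" into two sentences and capitalise "Ceph".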
@ -56,8 +38,8 @@ To get more insights on capabilities of CephFS you can refer
## Command to a create user with required capabilities ## Command to a create user with required capabilities
`kubernetes` in the below commands represents an user which is subjected `USER`, `POOL` and `FS_NAME` with `SUB_VOL` variables below is subject to
to change as per your requirement. change, please adjust them to your needs.
### create user for RBD ### create user for RBD
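Review bot: grammar in the new intro sentence: "`USER`, `POOL` and `FS_NAME` with `SUB_VOL` variables below is subject to change, please adjust them to your needs." should read "The `USER`, `POOL`, `FS_NAME` and `SUB_VOL` variables below are subject to change; adjust them to your needs." The unchanged heading "Command to a create user with required capabilities" has the article misplaced ("Command to create a user ..."); worth fixing while this section is being touched.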
@ -65,25 +47,23 @@ The command for provisioner and node stage secret for rbd will be same as
they have similar capability requirements. they have similar capability requirements.
```bash ```bash
ceph auth get-or-create client.kubernetes \ USER=csi-rbd
mon 'profile rbd' \ POOL=csi
osd 'profile rbd' \ ceph auth get-or-create client.$USER \
mgr 'allow rw' mgr "profile rbd pool=$POOL" \
osd "profile rbd pool=$POOL"
mon "profile rbd"
``` ```
### create user for CephFS ### create user for CephFS
```bash ```bash
ceph auth get-or-create client.kubernetes \ USER=csi-cephfs
mon 'allow r' \ FS_NAME=cephfs
osd 'allow rw tag cephfs metadata=*' \ SUB_VOL=csi
mgr 'allow rw' ceph auth get-or-create client.$USER \
``` mgr "allow rw" \
osd "allow rw tag cephfs metadata=$FS_NAME, allow rw tag cephfs data=$FS_NAME" \
```bash mds "allow r fsname=$FS_NAME path=/volumes, allow rws fsname=$FS_NAME path=/volumes/$SUB_VOL" \
ceph auth get-or-create client.kubernetes \ mon "allow r fsname=$FS_NAME"
mon 'allow r' \
osd 'allow rw tag cephfs *=*' \
mgr 'allow rw' \
mds 'allow rw'
``` ```
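Review bot: `SUB_VOL` in the CephFS command is the directory directly under `/volumes`, which for ceph-csi is the subvolume group rather than a single subvolume, so a name such as `SUB_VOL_GROUP` (and the same rename in the previous section's intro) would stop readers setting it to one PVC's subvolume name and producing a key that cannot see sibling volumes. The leftover context sentence "The command for provisioner and node stage secret for rbd will be same as they have similar capability requirements" now applies to CephFS as well, since the separate CephFS node stage block was removed; say it once for both drivers rather than only under RBD. Double-quoting the cap strings so `$POOL`, `$FS_NAME` and `$SUB_VOL` expand is correct, but the snippet should mention that the variables must be set in the same shell session as the `ceph auth get-or-create` call.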