mirror of https://github.com/ceph/ceph-csi.git, synced 2024-12-18 11:00:25 +00:00
doc: Update capabilities readme to solve too open permissions
Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com>
parent 47b202554e
commit 6c43789de4
@ -12,43 +12,25 @@ Hence, those capabilities are documented below.
|
|||||||
## RBD
|
## RBD
|
||||||
|
|
||||||
We have provisioner, controller expand and node stage secrets in storageclass.
|
We have provisioner, controller expand and node stage secrets in storageclass.
|
||||||
For the provisioner and controller expand stage secrets in storageclass, the
|
For RBD the user needs to have the below Ceph capabilities:
|
||||||
user needs to have the below Ceph capabilities.
|
|
||||||
|
|
||||||
```
|
```
|
||||||
"mon", "profile rbd",
|
mgr "profile rbd pool=csi"
|
||||||
"mgr", "allow rw",
|
osd "profile rbd pool=csi"
|
||||||
"osd", "profile rbd"
|
mon "profile rbd"
|
||||||
```
|
|
||||||
|
|
||||||
And for the node stage secret in storageclass, the user needs to have the
|
|
||||||
below mentioned ceph capabilities.
|
|
||||||
|
|
||||||
```
|
|
||||||
"mon", "profile rbd",
|
|
||||||
"osd", "profile rbd",
|
|
||||||
"mgr", "allow rw"
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## CephFS
|
## CephFS
|
||||||
|
|
||||||
Similarly in CephFS, for the provisioner and controller expand stage secret in
|
Similarly in CephFS, we have provisioner, controller expand and node stage
|
||||||
storageclass, the user needs to have the below mentioned ceph capabilities.
|
secrets in storageclass, the user needs to have the below mentioned ceph
|
||||||
|
capabilities:
|
||||||
|
|
||||||
```
|
```
|
||||||
"mon", "allow r",
|
mgr "allow rw"
|
||||||
"mgr", "allow rw",
|
osd "allow rw tag cephfs metadata=cephfs, allow rw tag cephfs data=cephfs"
|
||||||
"osd", "allow rw tag cephfs metadata=*"
|
mds "allow r fsname=cephfs path=/volumes, allow rws fsname=cephfs path=/volumes/csi"
|
||||||
```
|
mon "allow r fsname=cephfs"
|
||||||
|
|
||||||
And for node stage secret in storageclass, the user needs to have
|
|
||||||
the below mentioned ceph capabilities.
|
|
||||||
|
|
||||||
```
|
|
||||||
"mon", "allow r",
|
|
||||||
"mgr", "allow rw",
|
|
||||||
"osd", "allow rw tag cephfs *=*",
|
|
||||||
"mds", "allow rw"
|
|
||||||
```
|
```
|
||||||
|
|
||||||
To get more insights on capabilities of CephFS you can refer
|
To get more insights on capabilities of CephFS you can refer
|
||||||
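Review bot: In the CephFS section a single capability set now covers the provisioner, controller expand and node stage secrets, so the node stage user receives `allow rws fsname=cephfs path=/volumes/csi` where the removed node stage listing only had `mds allow rw`. Please state whether the node stage secret really needs the `s` flag, or keep a separate, narrower listing for it as the old text did. The new listings also hard-code `pool=csi`, `fsname=cephfs` and `path=/volumes/csi` without saying these are example names; a one-line remark that they must match the reader's pool, filesystem and path would prevent the values being copied verbatim.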
@ -56,8 +38,8 @@ To get more insights on capabilities of CephFS you can refer
|
|||||||
|
|
||||||
## Command to a create user with required capabilities
|
## Command to a create user with required capabilities
|
||||||
|
|
||||||
`kubernetes` in the below commands represents an user which is subjected
|
`USER`, `POOL` and `FS_NAME` with `SUB_VOL` variables below is subject to
|
||||||
to change as per your requirement.
|
change, please adjust them to your needs.
|
||||||
|
|
||||||
### create user for RBD
|
### create user for RBD
|
||||||
|
|
||||||
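Review bot: The added sentence introducing `USER`, `POOL`, `FS_NAME` and `SUB_VOL` does not say what each variable stands for, and "variables below is subject to change" should read "are". Suggest something like: "`USER`, `POOL`, `FS_NAME` and `SUB_VOL` in the commands below are placeholders for the Ceph user, the RBD pool, the CephFS filesystem name and the directory under `/volumes`; adjust them to your setup." While this paragraph is being touched, the heading above it, "Command to a create user", could be corrected to "Command to create a user".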
@ -65,25 +47,23 @@ The command for provisioner and node stage secret for rbd will be same as
|
|||||||
they have similar capability requirements.
|
they have similar capability requirements.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ceph auth get-or-create client.kubernetes \
|
USER=csi-rbd
|
||||||
mon 'profile rbd' \
|
POOL=csi
|
||||||
osd 'profile rbd' \
|
ceph auth get-or-create client.$USER \
|
||||||
mgr 'allow rw'
|
mgr "profile rbd pool=$POOL" \
|
||||||
|
osd "profile rbd pool=$POOL"
|
||||||
|
mon "profile rbd"
|
||||||
```
|
```
|
||||||
|
|
||||||
### create user for CephFS
|
### create user for CephFS
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ceph auth get-or-create client.kubernetes \
|
USER=csi-cephfs
|
||||||
mon 'allow r' \
|
FS_NAME=cephfs
|
||||||
osd 'allow rw tag cephfs metadata=*' \
|
SUB_VOL=csi
|
||||||
mgr 'allow rw'
|
ceph auth get-or-create client.$USER \
|
||||||
```
|
mgr "allow rw" \
|
||||||
|
osd "allow rw tag cephfs metadata=$FS_NAME, allow rw tag cephfs data=$FS_NAME" \
|
||||||
```bash
|
mds "allow r fsname=$FS_NAME path=/volumes, allow rws fsname=$FS_NAME path=/volumes/$SUB_VOL" \
|
||||||
ceph auth get-or-create client.kubernetes \
|
mon "allow r fsname=$FS_NAME"
|
||||||
mon 'allow r' \
|
|
||||||
osd 'allow rw tag cephfs *=*' \
|
|
||||||
mgr 'allow rw' \
|
|
||||||
mds 'allow rw'
|
|
||||||
```
|
```
|
||||||
|
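Review bot: In the new RBD command the line `osd "profile rbd pool=$POOL"` has no trailing backslash, unlike the `mgr` line before it, so the shell ends the `ceph auth get-or-create` call there and runs `mon "profile rbd"` as a separate command. The user would be created without the mon capability that the capabilities section lists. Add ` \` after the osd line; the CephFS command already continues every line correctly. Separately, `USER` is normally already set by the login shell to the current account name, so assigning it here overrides that for the rest of the session; a name such as `CEPH_USER` avoids the clash.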