mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2024-09-19 15:09:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
release-v3.2
ceph-csi/docs/capabilities.md
Prasanna Kumar Kalever 817edfd1c7 cleanup: remove the use of text in markdown 
We do not have `text` in the new section of the MarkDown Rules. Hence
dropping them.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2020-11-11 13:18:05 +00:00

2.3 KiB
Raw Permalink Blame History

Capabilities of a user required for ceph-csi in a Ceph cluster

Ceph uses the term capabilities to describe authorizing an authenticated user to exercise the functionality of the monitors, OSDs and metadata servers. Capabilities can also restrict access to data within a pool or pool namespace. A Ceph administrative user sets a user's capabilities when creating or updating a user. In secret we have user id and user key and in order to perform certain actions, the user needs to have some specific capabilities. Hence, those capabilities are documented below.

RBD

We have provisioner, controller expand and node stage secrets in storage class. For the provisioner and controller expand stage secret in storageclass, the user needs to have the below mentioned ceph capabilities.

"mon", "profile rbd",
"mgr", "allow rw",
"osd", "profile rbd"

And for the node stage secret in storageclass, the user needs to have the below mentioned ceph capabilities.

"mon", "profile rbd",
"osd", "profile rbd",
"mgr", "allow rw"

CephFS

Similarly in CephFS, for the provisioner and controller expand stage secret in storageclass, the user needs to have the below mentioned ceph capabilities.

"mon", "allow r",
"mgr", "allow rw",
"osd", "allow rw tag cephfs metadata=*"

And for node stage secret in storageclass, the user needs to have the below mentioned ceph capabilities.

"mon", "allow r",
"mgr", "allow rw",
"osd", "allow rw tag cephfs *=*",
"mds", "allow rw"

To get more insights on capabilities of cephfs you can refer this document

Command to a create user with required capabilities

kubernetes in the below commands represents an user which is subjected to change as per your requirement.

create user for RBD

The command for provisioner and node stage secret for rbd will be same as they have similar capability requirements.

ceph auth get-or-create client.kubernetes \
mon 'profile rbd' \
osd 'profile rbd' \
mgr 'allow rw'

create user for CephFS

ceph auth get-or-create client.kubernetes \
mon 'allow r' \
osd 'allow rw tag cephfs metadata=*' \
mgr 'allow rw'

ceph auth get-or-create client.kubernetes \
mon 'allow r' \
osd 'allow rw tag cephfs *=*' \
mgr 'allow rw' \
mds 'allow rw'