From 6c43789de4af2d0054552333f94e50eac32c6b43 Mon Sep 17 00:00:00 2001
From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com>
Date: Sun, 3 Mar 2024 12:45:14 +0200
Subject: [PATCH] doc: Update capabilities readme to solve to open permissions

Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com>
---
 docs/capabilities.md | 74 ++++++++++++++++----------------------------
 1 file changed, 27 insertions(+), 47 deletions(-)

diff --git a/docs/capabilities.md b/docs/capabilities.md
index 6c1454313e2..00ca2147260 100644
--- a/docs/capabilities.md
+++ b/docs/capabilities.md
@@ -12,43 +12,25 @@ Hence, those capabilities are documented below. ## RBD We have provisioner, controller expand and node stage secrets in storageclass. -For the provisioner and controller expand stage secrets in storageclass, the -user needs to have the below Ceph capabilities. +For RBD the user needs to have the below Ceph capabilities: ``` -"mon", "profile rbd", -"mgr", "allow rw", -"osd", "profile rbd" -``` - -And for the node stage secret in storageclass, the user needs to have the -below mentioned ceph capabilities. - -``` -"mon", "profile rbd", -"osd", "profile rbd", -"mgr", "allow rw" +mgr "profile rbd pool=csi" +osd "profile rbd pool=csi" +mon "profile rbd" ``` ## CephFS -Similarly in CephFS, for the provisioner and controller expand stage secret in -storageclass, the user needs to have the below mentioned ceph capabilities. +Similarly in CephFS, we have provisioner, controller expand and node stage +secrets in storageclass, the user needs to have the below mentioned ceph +capabilities: ``` -"mon", "allow r", -"mgr", "allow rw", -"osd", "allow rw tag cephfs metadata=*" -``` - -And for node stage secret in storageclass, the user needs to have -the below mentioned ceph capabilities. - -``` -"mon", "allow r", -"mgr", "allow rw", -"osd", "allow rw tag cephfs *=*", -"mds", "allow rw" +mgr "allow rw" +osd "allow rw tag cephfs metadata=cephfs, allow rw tag cephfs data=cephfs" +mds "allow r fsname=cephfs path=/volumes, allow rws fsname=cephfs path=/volumes/csi" +mon "allow r fsname=cephfs" ``` To get more insights on capabilities of CephFS you can refer @@ -56,8 +38,8 @@ To get more insights on capabilities of CephFS you can refer ## Command to a create user with required capabilities -`kubernetes` in the below commands represents an user which is subjected -to change as per your requirement. +`USER`, `POOL` and `FS_NAME` with `SUB_VOL` variables below is subject to +change, please adjust them to your needs. ### create user for RBD 
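Review bot: the rewritten RBD and CephFS capability listings hard-code `pool=csi`, `fsname=cephfs` and `path=/volumes/csi` without telling the reader that these are example values that have to match the pool, filesystem name and subvolume group configured in the storageclass; now that the caps are scoped to them, a mismatch means the granted caps will not cover the volumes ceph-csi actually creates. Suggest a sentence above each block along the lines of "replace `csi` with the pool used by your storageclass" and "replace `cephfs` and `csi` with your filesystem name and subvolume group", so the tightened caps are understood as deliberate least-privilege scoping rather than fixed names. Two wording fixes in the same hunk: "Similarly in CephFS, we have provisioner, controller expand and node stage secrets in storageclass, the user needs to have..." is a run-on and should be split into two sentences; and "`USER`, `POOL` and `FS_NAME` with `SUB_VOL` variables below is subject to change" should read "The `USER`, `POOL`, `FS_NAME` and `SUB_VOL` variables below are subject to change". While this file is being touched, the unchanged heading "Command to a create user" could be corrected to "Command to create a user".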
@@ -65,25 +47,23 @@ The command for provisioner and node stage secret for rbd will be same as they have similar capability requirements. ```bash -ceph auth get-or-create client.kubernetes \ -mon 'profile rbd' \ -osd 'profile rbd' \ -mgr 'allow rw' +USER=csi-rbd +POOL=csi +ceph auth get-or-create client.$USER \ + mgr "profile rbd pool=$POOL" \ + osd "profile rbd pool=$POOL" + mon "profile rbd" ``` ### create user for CephFS ```bash -ceph auth get-or-create client.kubernetes \ -mon 'allow r' \ -osd 'allow rw tag cephfs metadata=*' \ -mgr 'allow rw' -``` - -```bash -ceph auth get-or-create client.kubernetes \ -mon 'allow r' \ -osd 'allow rw tag cephfs *=*' \ -mgr 'allow rw' \ -mds 'allow rw' +USER=csi-cephfs +FS_NAME=cephfs +SUB_VOL=csi +ceph auth get-or-create client.$USER \ + mgr "allow rw" \ + osd "allow rw tag cephfs metadata=$FS_NAME, allow rw tag cephfs data=$FS_NAME" \ + mds "allow r fsname=$FS_NAME path=/volumes, allow rws fsname=$FS_NAME path=/volumes/$SUB_VOL" \ + mon "allow r fsname=$FS_NAME" ```
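Review bot: the RBD command is missing the line-continuation backslash after `osd "profile rbd pool=$POOL"`, so as written the shell terminates the `ceph auth get-or-create` invocation there, creates `client.$USER` with only the mgr and osd caps, and then attempts to run `mon "profile rbd"` as a separate command. The two lines should be
  osd "profile rbd pool=$POOL" \
  mon "profile rbd"
(the CephFS command below already has the backslash in the right place). Minor: `USER` is the conventional login-name variable that most shells set and some tools read, so `USER=csi-rbd` in an interactive session can have side effects; a less overloaded name such as `CSI_USER` would be safer in a copy-paste snippet.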