All of lore.kernel.org
 help / color / mirror / Atom feed
* Does radosgw really need to talk to an MDS?
@ 2012-07-02 11:41 Florian Haas
  2012-07-02 11:44 ` Wido den Hollander
  0 siblings, 1 reply; 6+ messages in thread
From: Florian Haas @ 2012-07-02 11:41 UTC (permalink / raw)
  To: ceph-devel

Hi everyone,

radosgw(8) states that the following capabilities must be granted to
the user that radosgw uses to connect to RADOS.

ceph-authtool -n client.radosgw.gateway --cap mon 'allow r' --cap osd
'allow rwx' --cap mds 'allow' /etc/ceph/keyring.radosgw.gateway

Could someone explain why we need an "mds 'allow'" in here? I thought
only CephFS clients talked to MDSs, and at first glance configuring
client.radosgw.gateway without any MDS capability seems not to break
anything (at least with my limited S3 tests). Am I missing something?

Cheers,
Florian

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: Does radosgw really need to talk to an MDS?
  2012-07-02 11:41 Does radosgw really need to talk to an MDS? Florian Haas
@ 2012-07-02 11:44 ` Wido den Hollander
  2012-07-02 11:56   ` Florian Haas
  2012-07-02 16:23   ` Gregory Farnum
  0 siblings, 2 replies; 6+ messages in thread
From: Wido den Hollander @ 2012-07-02 11:44 UTC (permalink / raw)
  To: Florian Haas; +Cc: ceph-devel

Hi,

On 02-07-12 13:41, Florian Haas wrote:
> Hi everyone,
>
> radosgw(8) states that the following capabilities must be granted to
> the user that radosgw uses to connect to RADOS.
>
> ceph-authtool -n client.radosgw.gateway --cap mon 'allow r' --cap osd
> 'allow rwx' --cap mds 'allow' /etc/ceph/keyring.radosgw.gateway
>
> Could someone explain why we need an "mds 'allow'" in here? I thought
> only CephFS clients talked to MDSs, and at first glance configuring
> client.radosgw.gateway without any MDS capability seems not to break
> anything (at least with my limited S3 tests). Am I missing something?
>

You are not allowing the RADOS Gateway to do anything on the MDS.

There is no 'r',  'w' or 'x' permission which you are allowing. So there 
is nothing the rgw has access to on the MDS.

Wido

> Cheers,
> Florian
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>


^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: Does radosgw really need to talk to an MDS?
  2012-07-02 11:44 ` Wido den Hollander
@ 2012-07-02 11:56   ` Florian Haas
  2012-07-02 13:22     ` Wido den Hollander
  2012-07-02 16:23   ` Gregory Farnum
  1 sibling, 1 reply; 6+ messages in thread
From: Florian Haas @ 2012-07-02 11:56 UTC (permalink / raw)
  To: Wido den Hollander; +Cc: ceph-devel

On Mon, Jul 2, 2012 at 1:44 PM, Wido den Hollander <wido@widodh.nl> wrote:
> You are not allowing the RADOS Gateway to do anything on the MDS.
>
> There is no 'r',  'w' or 'x' permission which you are allowing. So there is
> nothing the rgw has access to on the MDS.

Yep, so we might as well leave off "--cap mds 'allow'"?

Florian

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: Does radosgw really need to talk to an MDS?
  2012-07-02 11:56   ` Florian Haas
@ 2012-07-02 13:22     ` Wido den Hollander
  2012-07-02 14:51       ` Sage Weil
  0 siblings, 1 reply; 6+ messages in thread
From: Wido den Hollander @ 2012-07-02 13:22 UTC (permalink / raw)
  To: Florian Haas; +Cc: ceph-devel



On 02-07-12 13:56, Florian Haas wrote:
> On Mon, Jul 2, 2012 at 1:44 PM, Wido den Hollander <wido@widodh.nl> wrote:
>> You are not allowing the RADOS Gateway to do anything on the MDS.
>>
>> There is no 'r',  'w' or 'x' permission which you are allowing. So there is
>> nothing the rgw has access to on the MDS.
>
> Yep, so we might as well leave off "--cap mds 'allow'"?

I think so. You can always give it a try.

The RGW doesn't talk to the MDS anyway, so probably nothing will break.

Wido

>
> Florian
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>


^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: Does radosgw really need to talk to an MDS?
  2012-07-02 13:22     ` Wido den Hollander
@ 2012-07-02 14:51       ` Sage Weil
  0 siblings, 0 replies; 6+ messages in thread
From: Sage Weil @ 2012-07-02 14:51 UTC (permalink / raw)
  To: Wido den Hollander; +Cc: Florian Haas, ceph-devel, john.wilkins

On Mon, 2 Jul 2012, Wido den Hollander wrote:
> On 02-07-12 13:56, Florian Haas wrote:
> > On Mon, Jul 2, 2012 at 1:44 PM, Wido den Hollander <wido@widodh.nl> wrote:
> > > You are not allowing the RADOS Gateway to do anything on the MDS.
> > > 
> > > There is no 'r',  'w' or 'x' permission which you are allowing. So there
> > > is
> > > nothing the rgw has access to on the MDS.
> > 
> > Yep, so we might as well leave off "--cap mds 'allow'"?
> 
> I think so. You can always give it a try.
> 
> The RGW doesn't talk to the MDS anyway, so probably nothing will break.

Yep, that's an error in the documentation!  The mds cap should be left 
off.

sage

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: Does radosgw really need to talk to an MDS?
  2012-07-02 11:44 ` Wido den Hollander
  2012-07-02 11:56   ` Florian Haas
@ 2012-07-02 16:23   ` Gregory Farnum
  1 sibling, 0 replies; 6+ messages in thread
From: Gregory Farnum @ 2012-07-02 16:23 UTC (permalink / raw)
  To: Wido den Hollander; +Cc: Florian Haas, ceph-devel

On Mon, Jul 2, 2012 at 4:44 AM, Wido den Hollander <wido@widodh.nl> wrote:
> Hi,
>
>
> On 02-07-12 13:41, Florian Haas wrote:
>>
>> Hi everyone,
>>
>> radosgw(8) states that the following capabilities must be granted to
>> the user that radosgw uses to connect to RADOS.
>>
>> ceph-authtool -n client.radosgw.gateway --cap mon 'allow r' --cap osd
>> 'allow rwx' --cap mds 'allow' /etc/ceph/keyring.radosgw.gateway
>>
>> Could someone explain why we need an "mds 'allow'" in here? I thought
>> only CephFS clients talked to MDSs, and at first glance configuring
>> client.radosgw.gateway without any MDS capability seems not to break
>> anything (at least with my limited S3 tests). Am I missing something?
>>
>
> You are not allowing the RADOS Gateway to do anything on the MDS.
>
> There is no 'r',  'w' or 'x' permission which you are allowing. So there is
> nothing the rgw has access to on the MDS.

Actually, that is an MDS cap — it's the "allow" cap, and that's all
that the MDS checks right now. But it is indeed completely unnecessary
for the MDS. (Thanks for the doc fix, Florian!)
-Greg
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2012-07-02 16:23 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-07-02 11:41 Does radosgw really need to talk to an MDS? Florian Haas
2012-07-02 11:44 ` Wido den Hollander
2012-07-02 11:56   ` Florian Haas
2012-07-02 13:22     ` Wido den Hollander
2012-07-02 14:51       ` Sage Weil
2012-07-02 16:23   ` Gregory Farnum

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.