This guide will show how to create a new cephx user, set its permissions, set quotas, mount the
share, and make the mount persistent on the client.
It assumes a CephFS filesystem with a "staging" subdirectory at its root, where the cephx user
client.admin has rights to everything and the cephx user client.staging only has access to the staging directory.
- Ceph cluster running a filesystem (CephFS)
- Linux client to mount the Ceph shares
Creating the user:
The admin cephx user has full access to the whole Ceph filesystem. To allow another user to access only the "staging" directory,
first create the cephx user and its keyring.
# Create the new user's keyring
ceph-authtool --create-keyring /etc/ceph/ceph.client.staging.keyring --gen-key -n client.staging
After creating the user and keyring, edit the new /etc/ceph/ceph.client.staging.keyring so that it carries the needed capabilities.
# Add the capabilities to the user's keyring. The file should look like the below when complete.
# Be sure to edit the file paths to the correct location depending on environment.
# Also note the key will be different from the example below. This is normal.
[client.staging]
	key = AQDG1ypfl7roNBAAjPjUgpTNn93UB3jkTFEGjw==
	caps mds = "allow r path=/, allow rwps path=/staging"
	caps mon = "allow r"
	caps osd = "allow *"
A word of caution on caps osd = "allow *": the MDS enforces the path restriction only for metadata operations. File data is read and written by the client directly from the OSDs, so an OSD cap of "allow *" lets client.staging read and write every object in every pool, including CephFS data that belongs to directories outside /staging. Scope the OSD cap to the filesystem's data pool instead, for example caps osd = "allow rw tag cephfs data=cephfs" (the form that ceph fs authorize generates), substituting your filesystem name.
Note the meaning of the permission letters in the mds cap:
r = read
w = write
p = set layouts and quotas (data layouts such as directory pinning, and quotas; in practice
you need this to set the ceph.* xattrs)
s = create and delete snapshots
After adding the new capabilities, import the new client into the Ceph cluster:
# Import the new client keyring into the ceph cluster
ceph auth import -i /etc/ceph/ceph.client.staging.keyring
# Create a secretfile from the keyring. The kernel client expects the file to contain only the base64 key,
# which is exactly what "ceph auth get-key" prints.
ceph auth get-key client.staging > staging.secret
# Copy the secretfile to the client. The file is a credential: keep it mode 0600 and owned by root on both ends.
scp staging.secret root@clientIP:/etc/ceph
Creating the CephFS share:
Mount the filesystem root as the admin user. The host in the mount source must be a monitor (OSD1 is assumed here to also run a MON):
mount -t ceph OSD1:/ /mnt/cephfs -o name=admin,secretfile=/etc/ceph/admin.secret,noatime
Mount on Clients:
Create the mount point on the client machine (for example /mnt/staging), then mount the staging subdirectory with the staging credentials:
mount -t ceph OSD1:/staging /mnt/staging -o name=staging,secretfile=/etc/ceph/staging.secret,noatime
To verify that the restriction works, mount the filesystem root on the client with the staging credentials (for example at /mnt/cephfs, created with the staging secretfile instead of the admin one),
then cd into that mount,
run an ls command and cd into one of the directories other than staging,
and try to create a file there with the touch command.
You should get a permission denied error, because the staging client can only write under /staging (/mnt/cephfs/staging). As a positive check, touch a file under /mnt/cephfs/staging and confirm that it succeeds.
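The whole procedure above, as an added example that is not part of the original guide and not Ceph project code: it provisions the restricted client with the same path-restricted MDS cap the guide uses, but scopes the OSD cap to the filesystem's data pool instead of "allow *", checks the secretfile before it is copied to the client, and carries out the client-side verification. The filesystem name "cephfs", the client id "staging", the subdirectory "/staging" and the monitor host passed on the command line are assumptions; the cluster-touching steps only run when the script is invoked with "provision" or "verify MON".

```shell
#!/bin/sh
# Added example for this guide, not code from the original page or from the Ceph
# project. It provisions client.staging with the path-restricted MDS caps the guide
# uses but with OSD caps scoped to the CephFS data pool instead of "allow *", and
# checks the secretfile before it is copied to the client. The filesystem name
# "cephfs", the client id "staging" and the subdirectory "/staging" are assumptions;
# override them with the environment variables below.
set -eu

FS_NAME="${FS_NAME:-cephfs}"
CLIENT_ID="${CLIENT_ID:-staging}"
SUBDIR="${SUBDIR:-/staging}"
KEYRING="/etc/ceph/ceph.client.${CLIENT_ID}.keyring"

# MDS caps as in the guide: read-only metadata at the root, read/write plus
# layout/quota (p) and snapshot (s) rights under the subdirectory.
mds_caps() {
    printf 'allow r path=/, allow rwps path=%s' "$SUBDIR"
}

# The MDS path restriction covers metadata only; file data goes straight to the
# OSDs, so "allow *" there would let this client read and write every object in
# every pool. Scope the cap to the data pools tagged for this filesystem, which is
# the form "ceph fs authorize" emits.
osd_caps() {
    printf 'allow rw tag cephfs data=%s' "$FS_NAME"
}

# Render the keyring text shown in the guide, with the narrowed OSD cap.
render_keyring() {  # $1 = base64 key
    printf '[client.%s]\n\tkey = %s\n\tcaps mds = "%s"\n\tcaps mon = "allow r"\n\tcaps osd = "%s"\n' \
        "$CLIENT_ID" "$1" "$(mds_caps)" "$(osd_caps)"
}

# Succeed only if the keyring grants no wildcard OSD access.
keyring_osd_is_scoped() {  # $1 = keyring file
    ! grep -Eq '^[[:space:]]*caps osd = "allow \*"' "$1"
}

# The kernel client's secretfile must contain the bare base64 key (no trailing
# newline, nothing else) and must not be readable by other users.
check_secretfile() {  # $1 = secretfile
    [ "$(wc -l < "$1")" -eq 0 ] || return 1
    grep -Eq '^[A-Za-z0-9+/]+={0,2}$' "$1" || return 1
    case "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Cluster-side steps; needs admin credentials and is only run with "provision".
provision_staging_client() {
    ceph-authtool --create-keyring "$KEYRING" --gen-key -n "client.$CLIENT_ID" \
        --cap mds "$(mds_caps)" --cap mon 'allow r' --cap osd "$(osd_caps)"
    keyring_osd_is_scoped "$KEYRING"
    ceph auth import -i "$KEYRING"
    # Secretfile for the client: the bare key, created 0600, copied out of band.
    umask 077
    ceph auth get-key "client.$CLIENT_ID" > "${CLIENT_ID}.secret"
    check_secretfile "${CLIENT_ID}.secret"
}

# Client-side check; needs a reachable cluster and is only run with "verify MON".
# Mounting the root with the staging key, a write outside the subdirectory must be
# refused and a write inside it must succeed.
verify_restriction() {  # $1 = monitor host
    mkdir -p /mnt/cephfs
    mount -t ceph "$1:/" /mnt/cephfs \
        -o "name=$CLIENT_ID,secretfile=/etc/ceph/${CLIENT_ID}.secret,noatime"
    if touch /mnt/cephfs/outside-test 2>/dev/null; then
        echo "FAIL: write outside $SUBDIR succeeded" >&2
        return 1
    fi
    touch "/mnt/cephfs${SUBDIR}/inside-test"
    rm "/mnt/cephfs${SUBDIR}/inside-test"
    echo "OK: client.$CLIENT_ID is confined to $SUBDIR"
}

case "${1:-}" in
    provision) provision_staging_client ;;
    verify)    verify_restriction "${2:?monitor host required}" ;;
esac
```

Run "sh provision.sh provision" on a node holding admin credentials, copy the resulting staging.secret to /etc/ceph on the client, then run "sh provision.sh verify MON" on the client. keyring_osd_is_scoped and check_secretfile can be sourced and used on their own to audit an existing keyring or secretfile without touching the cluster.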