Accessing capabilities

Understand the different access or entity capabilities that can be given to a Ceph user or a Ceph client such as Block Device, Object Storage, File System, and native API.

Additionally, you can describe the capability profiles while assigning roles to clients.

allow
Description

Precedes access settings for a daemon. Implies rw for MDS only.

r
Description

Gives the user read access. Required with monitors to retrieve the CRUSH map.

w
Description

Gives the user write access to objects.

x
Description

Gives the user the capability to call class methods, that is, both read and write, and to conduct auth operations on monitors.

class-read
Description

Gives the user the capability to call class read methods. Subset of x.

class-write
Description

Gives the user the capability to call class write methods. Subset of x.

*, all
Description

Gives the user read, write, and execute permissions for a particular daemon or a pool, as well as the ability to run admin commands.

The following entries describe the valid capability profiles:

profile osd
Description

This is applicable to Ceph Monitor only. Gives a user permissions to connect as an OSD to other OSDs or monitors. Conferred on OSDs to enable OSDs to handle replication heartbeat traffic and status reporting.

profile mds
Description

This is applicable to Ceph Monitor only. Gives a user permissions to connect as an MDS to other MDSs or monitors.

profile bootstrap-osd
Description

This is applicable to Ceph Monitor only. Gives a user permissions to bootstrap an OSD. Conferred on deployment tools, such as ceph-volume and cephadm, so that they have permissions to add keys when bootstrapping an OSD.

profile bootstrap-mds
Description

This is applicable to Ceph Monitor only. Gives a user permissions to bootstrap a metadata server. Conferred on deployment tools, such as cephadm, so that they have permissions to add keys when bootstrapping a metadata server.

profile bootstrap-rbd
Description

This is applicable to Ceph Monitor only. Gives a user permissions to bootstrap an RBD user. Conferred on deployment tools, such as cephadm, so that they have permissions to add keys when bootstrapping an RBD user.

profile bootstrap-rbd-mirror
Description

This is applicable to Ceph Monitor only. Gives a user permissions to bootstrap an rbd-mirror daemon user. Conferred on deployment tools, such as cephadm, so that they have permissions to add keys when bootstrapping an rbd-mirror daemon.

profile rbd
Description

This is applicable to Ceph Monitor, Ceph Manager, and Ceph OSDs. Gives a user permissions to manipulate RBD images. When used as a Monitor cap, it provides the user with the minimal privileges required by an RBD client application; such privileges include the ability to blocklist other client users. When used as an OSD cap, it provides an RBD client application with read-write access to the specified pool. The Manager cap supports optional pool and namespace keyword arguments.

profile rbd-mirror
Description

This is applicable to Ceph Monitor only. Gives a user permissions to manipulate RBD images and retrieve RBD mirroring config-key secrets. It provides the minimal privileges required for the user to manipulate the rbd-mirror daemon.

profile rbd-read-only
Description

This is applicable to Ceph Monitor and Ceph OSDs. Gives a user read-only permissions to RBD images. The Manager cap supports optional pool and namespace keyword arguments.

profile simple-rados-client
Description

This is applicable to Ceph Monitor only. Gives a user read-only permissions for monitor, OSD, and PG data. Intended for use by direct librados client applications.

profile simple-rados-client-with-blocklist
Description

This is applicable to Ceph Monitor only. Gives a user read-only permissions for monitor, OSD, and PG data. Intended for use by direct librados client applications. Also includes permissions to add blocklist entries to build high-availability (HA) applications.

profile fs-client
Description

This is applicable to Ceph Monitor only. Gives a user read-only permissions for monitor, OSD, PG, and MDS data. Intended for CephFS clients.

profile role-definer
Description

This is applicable to Ceph Monitor and Auth. Gives a user all permissions for the auth subsystem, read-only access to monitors, and nothing else. Useful for automation tools. WARNING: Do not assign this unless you really know what you are doing, as the security ramifications are substantial and pervasive.

profile crash
Description

This is applicable to Ceph Monitor and Ceph Manager. Gives a user read-only access to monitors. Used in conjunction with the manager crash module to upload daemon crash dumps into monitor storage for later analysis.
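The following is an added example, not part of the Ceph documentation or the Ceph project: a small audit script that parses capability strings in the syntax described above (the `allow` flags and the `profile` entries) and flags grants a least-privilege review would question, such as `allow *`, `profile role-definer`, or OSD write access that is not scoped to a pool. The entity names and capability strings in SAMPLE are constructed for the example.

```python
import re

# Permission flags from the capability table; '*' and 'all' grant everything.
FLAGS = {"r", "w", "x", "class-read", "class-write", "*", "all"}
UNRESTRICTED = {"*", "all"}
GRANT_RE = re.compile(r"^(allow|profile)(?:\s+(\S+))?\s*(.*)$")

# Constructed sample: entity -> {daemon type: cap string}, as 'ceph auth ls' reports it.
SAMPLE = {
    "client.automation": {"mon": "profile role-definer"},
    "client.vm-images": {"mon": "profile rbd", "osd": "profile rbd pool=vms"},
    "client.legacy-app": {"mon": "allow r", "osd": "allow rw"},
}

def parse_caps(cap_string):
    """Split 'allow rw pool=vms, profile rbd' into (kind, flags, restrictions)."""
    grants = []
    for part in cap_string.split(","):
        m = GRANT_RE.match(part.strip())
        if not m or (m.group(1) == "profile" and not m.group(2)):
            raise ValueError(f"unparseable capability: {part!r}")
        kind, value, rest = m.groups()
        if kind == "profile":
            flags = {value}                    # profile name, e.g. 'rbd'
        elif value is None:
            flags = {"r", "w"}                 # bare 'allow' implies rw (MDS only)
        elif set(value) <= {"r", "w", "x"}:
            flags = set(value)                 # 'rwx' bundles single-letter flags
        elif value in FLAGS:
            flags = {value}                    # 'class-read', '*', 'all'
        else:
            raise ValueError(f"unknown permission flag in {part!r}")
        grants.append((kind, flags, rest.split()))
    return grants

def audit_entity(caps_by_daemon):
    """Return least-privilege findings for one entity's {daemon: cap string}."""
    findings = []
    for daemon, cap_string in caps_by_daemon.items():
        for kind, flags, restrictions in parse_caps(cap_string):
            if kind == "allow" and flags & UNRESTRICTED:
                findings.append(f"{daemon}: unrestricted grant ({cap_string!r})")
            elif kind == "profile" and "role-definer" in flags:
                findings.append(f"{daemon}: profile role-definer (full auth subsystem control)")
            elif daemon == "osd" and kind == "allow" and "w" in flags and not restrictions:
                findings.append("osd: write access not scoped to a pool or namespace")
    return findings

def audit(entities):
    return {name: audit_entity(caps) for name, caps in entities.items()}
```

An empty findings list means the entity's caps raised nothing worth reviewing; `client.vm-images`, which uses `profile rbd` scoped to one pool, is the shape the table recommends for an RBD client.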