Managing user capabilities

Ceph stores data as RADOS objects within pools, irrespective of the Ceph client used. Ceph users must have access to a given pool to read and write data, and must have execute permissions to use Ceph administrative commands. Creating users allows you to control their access to your IBM Storage Ceph cluster, its pools, and the data within the pools.

Ceph has a concept of a user type, which for client users is always client. You define a user as TYPE.ID, where ID is the user ID, for example, client.admin. Users carry a type because the Cephx protocol is used not only by clients but also by non-clients, such as Ceph Monitors, OSDs, and Metadata Servers. The type distinguishes client users from other users, which streamlines access control, user monitoring, and traceability.

Capabilities

Ceph uses capabilities (caps) to describe the permissions granted to an authenticated user to exercise the functionality of the monitors, OSDs, and metadata servers. Capabilities restrict access to data within a pool, a namespace within a pool, or a set of pools selected by their application tags. A Ceph administrative user specifies the capabilities of a user when creating or updating the user.

You can set capabilities for monitors, managers, OSDs, and metadata servers.

  • The Ceph Monitor capabilities include r, w, and x access settings. These can be applied in aggregate from pre-defined profiles with profile NAME.

  • The OSD capabilities include r, w, x, class-read, and class-write access settings. These can be applied in aggregate from pre-defined profiles with profile NAME.

  • The Ceph Manager capabilities include r, w, and x access settings. These can be applied in aggregate from pre-defined profiles with profile NAME.

  • For administrators, the metadata server (MDS) capabilities include allow *.

Note: The Ceph Object Gateway daemon (radosgw) is a client of the IBM Storage Ceph cluster and is not represented as a Ceph storage cluster daemon type.
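The following is an added example, not code from the IBM Storage Ceph documentation or from the Ceph project. It parses OSD-style capability strings of the form used as the osd argument to ceph auth get-or-create (allow with r, w, x, class-read and class-write flags, optionally restricted by pool=, namespace= or an application tag, plus profile NAME clauses) and evaluates whether a given operation falls inside the grants. The cap string, pool names and tag values are constructed for illustration. The evaluator is a simplification for reasoning about least privilege: actual enforcement happens inside the monitors and OSDs, and profiles are expanded there, so profile clauses are parsed but never treated as a match.

```python
"""Minimal parser and evaluator for Ceph OSD-style capability strings.

Added example, not Ceph project code. Handles clauses of the form
  allow <flags> [pool=<pool>] [namespace=<ns>] [tag <app> <key>=<value>]
  profile <name>
Profiles are recorded but not expanded (the cluster does that), so a
'profile' grant never matches in permits().
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Access flags the OSD caps support; '*' stands for all of them.
ACCESS_FLAGS = {"r", "w", "x", "class-read", "class-write"}
RWX_RE = re.compile(r"^[rwx]+$")


@dataclass
class Grant:
    access: set = field(default_factory=set)   # subset of ACCESS_FLAGS or {"*"}
    pool: Optional[str] = None                  # None means any pool
    namespace: Optional[str] = None             # None means any namespace
    tag: Optional[tuple] = None                 # (application, key, value)
    profile: Optional[str] = None               # set for 'profile NAME' clauses


def _parse_clause(clause):
    tokens = clause.split()
    if tokens[0] == "profile":
        if len(tokens) != 2:
            raise ValueError(f"malformed profile clause: {clause!r}")
        return Grant(profile=tokens[1])
    if tokens[0] != "allow":
        raise ValueError(f"clause must start with 'allow' or 'profile': {clause!r}")
    grant = Grant()
    i = 1
    # Access spec: '*', runs of rwx letters, or class-read / class-write.
    while i < len(tokens) and (tokens[i] == "*" or RWX_RE.match(tokens[i])
                               or tokens[i] in ("class-read", "class-write")):
        tok = tokens[i]
        if tok == "*":
            grant.access = {"*"}
        elif RWX_RE.match(tok):
            grant.access.update(tok)        # 'rwx' -> {'r', 'w', 'x'}
        else:
            grant.access.add(tok)
        i += 1
    if not grant.access:
        raise ValueError(f"no access flags in clause: {clause!r}")
    # Match spec: narrows the grant to a pool, a namespace, or an application tag.
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("pool="):
            grant.pool = tok[len("pool="):]
        elif tok.startswith("namespace="):
            grant.namespace = tok[len("namespace="):]
        elif tok == "tag" and i + 2 < len(tokens) and "=" in tokens[i + 2]:
            key, value = tokens[i + 2].split("=", 1)
            grant.tag = (tokens[i + 1], key, value)
            i += 2
        else:
            raise ValueError(f"unrecognised match spec {tok!r} in {clause!r}")
        i += 1
    return grant


def parse_caps(cap_string):
    """Split a cap string on commas and parse each clause into a Grant."""
    clauses = [c.strip() for c in cap_string.split(",") if c.strip()]
    if not clauses:
        raise ValueError("empty capability string")
    return [_parse_clause(c) for c in clauses]


def permits(grants, flag, pool, namespace=None, pool_tags=None):
    """Return True if any grant allows `flag` on `pool` in `namespace`.

    namespace=None is the default (empty) namespace of the request.
    pool_tags maps application -> {key: value} and stands in for the
    application tags set on the target pool (shape assumed here).
    """
    pool_tags = pool_tags or {}
    for g in grants:
        if g.profile is not None:
            continue                        # profiles are expanded cluster-side
        if "*" not in g.access and flag not in g.access:
            continue
        if g.pool is not None and g.pool != pool:
            continue
        if g.namespace is not None and g.namespace != (namespace or ""):
            continue
        if g.tag is not None:
            app, key, value = g.tag
            if pool_tags.get(app, {}).get(key) != value:
                continue
        return True
    return False


if __name__ == "__main__":
    # Constructed cap string, in the form passed as the osd argument to
    # ceph auth get-or-create; pool and tag names are made up.
    caps = parse_caps("allow r, allow rw pool=liverpool namespace=ns1, "
                      "allow rwx tag cephfs data=cephfs_a")
    print(permits(caps, "w", "liverpool", "ns1"))   # explicit namespace grant
    print(permits(caps, "w", "liverpool"))          # default namespace: not covered
```

The second check shows the namespace rule that is easy to get wrong when scoping users: a grant on namespace=ns1 does not reach the pool's default namespace, and the tag-scoped grant does not apply to a pool that lacks the matching application tag.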