doc/rados/operations/user-management: document 'network' clause of moncap and osdcap

Signed-off-by: Sage Weil <sage@redhat.com>

diff --git a/doc/cephfs/client-auth.rst b/doc/cephfs/client-auth.rst
index 851da5246e466f2448bbb97e0ef7023045bc64e3..bd0ad1326a8c18e7afcbb8c22cc50abd133ecd72 100644 (file)
--- a/doc/cephfs/client-auth.rst
+++ b/doc/cephfs/client-auth.rst
@@ -130,3 +130,19 @@ in the ``bar`` directory of filesystem ``cephfs_a``.
 
 
 .. _User Management - Add a User to a Keyring: ../../rados/operations/user-management/#add-a-user-to-a-keyring
+
+Network restriction
+===================
+
+::
+
+ client.foo
+   key: *key*
+   caps: [mds] allow r network 10.0.0.0/8, allow rw path=/bar network 10.0.0.0/8
+   caps: [mon] allow r network 10.0.0.0/8
+   caps: [osd] allow rw tag cephfs data=cephfs_a network 10.0.0.0/8
+
+The optional ``{network/prefix}`` is a standard network name and
+prefix length in CIDR notation (e.g., ``10.3.0.0/16``).  If present,
+the use of this capability is restricted to clients connecting from
+this network.

diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst
index 5f057c6fbda967e9d51fd32923f75cc37f4fa2a9..dac87d397a9066c02670fcab1c46663f333e96f1 100644 (file)
--- a/doc/rados/operations/user-management.rst
+++ b/doc/rados/operations/user-management.rst
@@ -104,7 +104,7 @@ Capability syntax follows the form::
 - **Monitor Caps:** Monitor capabilities include ``r``, ``w``, ``x`` access
   settings or ``profile {name}``. For example::
 
-       mon 'allow {access-spec}'
+       mon 'allow {access-spec} [network {network/prefix}]'
 
        mon 'profile {name}'
 
@@ -112,13 +112,18 @@ Capability syntax follows the form::
 
         * | all | [r][w][x]
 
+  The optional ``{network/prefix}`` is a standard network name and
+  prefix length in CIDR notation (e.g., ``10.3.0.0/16``).  If present,
+  the use of this capability is restricted to clients connecting from
+  this network.
+
 - **OSD Caps:** OSD capabilities include ``r``, ``w``, ``x``, ``class-read``,
   ``class-write`` access settings or ``profile {name}``. Additionally, OSD
   capabilities also allow for pool and namespace settings. ::
 
-       osd 'allow {access-spec} [{match-spec}]'
+       osd 'allow {access-spec} [{match-spec}] [network {network/prefix}]'
 
-       osd 'profile {name} [pool={pool-name} [namespace={namespace-name}]]'
+       osd 'profile {name} [pool={pool-name} [namespace={namespace-name}]] [network {network/prefix}]'
 
   The ``{access-spec}`` syntax is either of the following: ::
 
@@ -132,6 +137,11 @@ Capability syntax follows the form::
 
         [namespace={namespace-name}] tag {application} {key}={value}
 
+  The optional ``{network/prefix}`` is a standard network name and
+  prefix length in CIDR notation (e.g., ``10.3.0.0/16``).  If present,
+  the use of this capability is restricted to clients connecting from
+  this network.
+
 - **Metadata Server Caps:** For administrators, use ``allow *``.  For all
   other users, such as CephFS clients, consult :doc:`/cephfs/client-auth`