As described in http://tracker.ceph.com/issues/17937, a client with
restricted pool access can still delete files unless a corresponding
MDS path restriction is also in place.
Signed-off-by: David Disseldorp <ddiss@suse.de>
caps: [mon] allow r
caps: [osd] allow rw pool=data1, allow rw pool=data2
+.. note::
+
+ Without a corresponding MDS path restriction, the OSD capabilities above do
+ **not** restrict file deletions outside of the ``data1`` and ``data2``
+ pools.
+
You may also restrict clients from writing data by using 'r' instead of
'rw' in OSD capabilities. This does not affect the ability of the client
to update filesystem metadata for these files, but it will prevent them
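
Review bot: The added note names "a corresponding MDS path restriction" as the missing control but does not say what one looks like or where it is documented, and the example it follows shows only ``[mon]`` and ``[osd]`` caps. Consider linking the note to the path restriction section, or extending the example with an ``[mds]`` cap that carries a ``path=`` clause, so a reader who copies the keyring ends up with both halves. It would also help to state the reason in one clause: deletion is a metadata operation handled by the MDS, so pool-scoped OSD caps never see it, which matches what the following paragraph already says about ``r`` versus ``rw``. Minor: confirm the note body is indented far enough under ``.. note::`` to render as part of the directive.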