From: Sage Weil Date: Thu, 5 Jul 2018 16:44:25 +0000 (-0500) Subject: doc/rados/operations/user-management: document 'network' clause of moncap and osdcap X-Git-Tag: v14.0.1~601^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F22879%2Fhead;p=ceph.git doc/rados/operations/user-management: document 'network' clause of moncap and osdcap Signed-off-by: Sage Weil --- diff --git a/doc/cephfs/client-auth.rst b/doc/cephfs/client-auth.rst index 851da5246e466..bd0ad1326a8c1 100644 --- a/doc/cephfs/client-auth.rst +++ b/doc/cephfs/client-auth.rst @@ -130,3 +130,19 @@ in the ``bar`` directory of filesystem ``cephfs_a``. .. _User Management - Add a User to a Keyring: ../../rados/operations/user-management/#add-a-user-to-a-keyring + +Network restriction +=================== + +:: + + client.foo + key: *key* + caps: [mds] allow r network 10.0.0.0/8, allow rw path=/bar network 10.0.0.0/8 + caps: [mon] allow r network 10.0.0.0/8 + caps: [osd] allow rw tag cephfs data=cephfs_a network 10.0.0.0/8 + +The optional ``{network/prefix}`` is a standard network name and +prefix length in CIDR notation (e.g., ``10.3.0.0/16``). If present, +the use of this capability is restricted to clients connecting from +this network. diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst index 5f057c6fbda96..dac87d397a906 100644 --- a/doc/rados/operations/user-management.rst +++ b/doc/rados/operations/user-management.rst @@ -104,7 +104,7 @@ Capability syntax follows the form:: - **Monitor Caps:** Monitor capabilities include ``r``, ``w``, ``x`` access settings or ``profile {name}``. For example:: - mon 'allow {access-spec}' + mon 'allow {access-spec} [network {network/prefix}]' mon 'profile {name}' 
@@ -112,13 +112,18 @@ Capability syntax follows the form:: * | all | [r][w][x] + The optional ``{network/prefix}`` is a standard network name and + prefix length in CIDR notation (e.g., ``10.3.0.0/16``). If present, + the use of this capability is restricted to clients connecting from + this network. + - **OSD Caps:** OSD capabilities include ``r``, ``w``, ``x``, ``class-read``, ``class-write`` access settings or ``profile {name}``. Additionally, OSD capabilities also allow for pool and namespace settings. :: - osd 'allow {access-spec} [{match-spec}]' + osd 'allow {access-spec} [{match-spec}] [network {network/prefix}]' - osd 'profile {name} [pool={pool-name} [namespace={namespace-name}]]' + osd 'profile {name} [pool={pool-name} [namespace={namespace-name}]] [network {network/prefix}]' The ``{access-spec}`` syntax is either of the following: :: @@ -132,6 +137,11 @@ Capability syntax follows the form:: [namespace={namespace-name}] tag {application} {key}={value} + The optional ``{network/prefix}`` is a standard network name and + prefix length in CIDR notation (e.g., ``10.3.0.0/16``). If present, + the use of this capability is restricted to clients connecting from + this network. + - **Metadata Server Caps:** For administrators, use ``allow *``. For all other users, such as CephFS clients, consult :doc:`/cephfs/client-auth`
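Review bot: In the client-auth.rst hunk, the new "Network restriction" section explains the placeholder ``{network/prefix}`` but the only thing shown above that paragraph is a concrete keyring listing (``network 10.0.0.0/8``), so the reader never sees the grammar the placeholder belongs to. Suggest adding a syntax line before the example, e.g. ``mds 'allow r [path={path}] network {network/prefix}'`` style as in user-management.rst, or a cross-reference to the capability syntax there. The paragraph should also state what a client connecting from outside the listed network observes (that capability is simply not granted vs. the connection is rejected), since the example gives one client three separate ``network`` clauses and a reader will ask whether they must all match.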
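Review bot: In the ``-104,7 +104,7`` hunk of user-management.rst, only ``mon 'allow {access-spec}'`` gains ``[network {network/prefix}]``; the ``mon 'profile {name}'`` line directly below it is left unchanged, while the later OSD hunk does add the clause to ``osd 'profile {name} ...'``. Either extend the mon profile line to ``mon 'profile {name} [network {network/prefix}]'`` as well, or say explicitly that the network restriction is not accepted on monitor profiles, so the two sections do not contradict each other.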
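Review bot: In the ``-112,13 +112,18`` hunk, the four-line paragraph "The optional ``{network/prefix}`` is a standard network name and prefix length in CIDR notation ..." is inserted verbatim here, again in the ``-132,6 +137,11`` hunk, and a third time in client-auth.rst. Three identical copies will drift; suggest defining the clause once (for example under the "Capability syntax" heading, since it applies to mon, osd and mds caps alike) with an ``.. _network-restriction:`` label, and replacing the other two copies with a one-line reference to it.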
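Review bot: In the ``-132,6 +137,11`` hunk, the **Metadata Server Caps** bullet that follows the inserted paragraph is not updated, yet the client-auth.rst hunk in this same patch documents ``network`` on ``[mds]`` capabilities. Add the ``[network {network/prefix}]`` form to the MDS bullet (or at least a sentence noting that the clause applies to MDS caps too, with the existing ``:doc:`/cephfs/client-auth``` reference), so that user-management.rst, which is the page the commit subject says documents the clause, covers all three daemon types.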