From bb14d7914ff6882b9a81a6e8f2ffb6535a552ebf Mon Sep 17 00:00:00 2001 From: Ilya Dryomov Date: Sat, 25 Jan 2025 11:11:14 +0100 Subject: [PATCH] doc/rados: pool and namespace are independent osdcap restrictions For the "profile {name}" syntax, pool and namespace restrictions are independent of each other (i.e. specifying namespace doesn't also require specifying pool like is currently suggested). A cap can look like "profile rbd namespace=myns", signifying that the RBD profile is to be allowed in myns namespace of any pool. For the "allow {access-spec}" syntax, pool restriction is optional. A cap can look like "allow r namespace=myns", "allow w object_prefix myprefix" or "allow rw namespace=myns object_prefix myprefix", for example. Signed-off-by: Ilya Dryomov (cherry picked from commit 67f5769ce6e110b89362763cfb41a0e00e595cdf) --- doc/rados/operations/user-management.rst | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst index 130c02002daf0..62ad41feb55ea 100644 --- a/doc/rados/operations/user-management.rst +++ b/doc/rados/operations/user-management.rst @@ -134,7 +134,7 @@ Capability syntax follows this form:: osd 'allow {access-spec} [{match-spec}] [network {network/prefix}]' - osd 'profile {name} [pool={pool-name} [namespace={namespace-name}]] [network {network/prefix}]' + osd 'profile {name} [pool={pool-name}] [namespace={namespace-name}] [network {network/prefix}]' There are two alternative forms of the ``{access-spec}`` syntax: :: 
@@ -142,10 +142,14 @@ Capability syntax follows this form:: class {class name} [{method name}] - There are two alternative forms of the optional ``{match-spec}`` syntax:: + There are four alternative forms of the optional ``{match-spec}`` syntax:: pool={pool-name} [namespace={namespace-name}] [object_prefix {prefix}] + [pool={pool-name}] namespace={namespace-name} [object_prefix {prefix}] + + [pool={pool-name}] [namespace={namespace-name}] object_prefix {prefix} + [namespace={namespace-name}] tag {application} {key}={value} The optional ``{network/prefix}`` is a standard network name and prefix -- 2.39.5
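Review bot: In the first hunk (@@ -134,7 +134,7 @@), the new "profile {name} [pool={pool-name}] [namespace={namespace-name}]" line makes pool optional, but the documentation text never says what an omitted pool means. The commit message does: "profile rbd namespace=myns" allows the RBD profile in the myns namespace of any pool. An operator reading only the grammar could take a namespace-only cap to be narrower than it is, so that sentence belongs in user-management.rst next to the syntax line, ideally with the "profile rbd namespace=myns" example.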
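Review bot: In the second hunk (@@ -142,10 +142,14 @@), the first three {match-spec} forms overlap rather than being distinct alternatives: a spec giving pool, namespace and object_prefix together fits all three of them, so "four alternative forms" is harder to read than it needs to be. Since {match-spec} is already described as optional, the three could collapse into one line, "[pool={pool-name}] [namespace={namespace-name}] [object_prefix {prefix}]", leaving the tag form as the second alternative. Either way, the examples from the commit message ("allow r namespace=myns", "allow w object_prefix myprefix", "allow rw namespace=myns object_prefix myprefix") would help in the doc itself, along with a sentence on what an omitted pool means for the allow form, as the commit message gives for the profile form.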