From d7596a74e141764c589fc569cde2cfc94cf42d32 Mon Sep 17 00:00:00 2001 From: Sage Weil Date: Thu, 5 Jul 2018 11:44:25 -0500 Subject: [PATCH] doc/rados/operations/user-management: document 'network' clause of moncap and osdcap Signed-off-by: Sage Weil --- doc/cephfs/client-auth.rst | 16 ++++++++++++++++ doc/rados/operations/user-management.rst | 16 +++++++++++++--- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/doc/cephfs/client-auth.rst b/doc/cephfs/client-auth.rst index 851da5246e466..bd0ad1326a8c1 100644 --- a/doc/cephfs/client-auth.rst +++ b/doc/cephfs/client-auth.rst @@ -130,3 +130,19 @@ in the ``bar`` directory of filesystem ``cephfs_a``. .. _User Management - Add a User to a Keyring: ../../rados/operations/user-management/#add-a-user-to-a-keyring + +Network restriction +=================== + +:: + + client.foo + key: *key* + caps: [mds] allow r network 10.0.0.0/8, allow rw path=/bar network 10.0.0.0/8 + caps: [mon] allow r network 10.0.0.0/8 + caps: [osd] allow rw tag cephfs data=cephfs_a network 10.0.0.0/8 + +The optional ``{network/prefix}`` is a standard network name and +prefix length in CIDR notation (e.g., ``10.3.0.0/16``). If present, +the use of this capability is restricted to clients connecting from +this network. diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst index 5f057c6fbda96..dac87d397a906 100644 --- a/doc/rados/operations/user-management.rst +++ b/doc/rados/operations/user-management.rst @@ -104,7 +104,7 @@ Capability syntax follows the form:: - **Monitor Caps:** Monitor capabilities include ``r``, ``w``, ``x`` access settings or ``profile {name}``. For example:: - mon 'allow {access-spec}' + mon 'allow {access-spec} [network {network/prefix}]' mon 'profile {name}' 
@@ -112,13 +112,18 @@ Capability syntax follows the form:: * | all | [r][w][x] + The optional ``{network/prefix}`` is a standard network name and + prefix length in CIDR notation (e.g., ``10.3.0.0/16``). If present, + the use of this capability is restricted to clients connecting from + this network. + - **OSD Caps:** OSD capabilities include ``r``, ``w``, ``x``, ``class-read``, ``class-write`` access settings or ``profile {name}``. Additionally, OSD capabilities also allow for pool and namespace settings. :: - osd 'allow {access-spec} [{match-spec}]' + osd 'allow {access-spec} [{match-spec}] [network {network/prefix}]' - osd 'profile {name} [pool={pool-name} [namespace={namespace-name}]]' + osd 'profile {name} [pool={pool-name} [namespace={namespace-name}]] [network {network/prefix}]' The ``{access-spec}`` syntax is either of the following: :: @@ -132,6 +137,11 @@ Capability syntax follows the form:: [namespace={namespace-name}] tag {application} {key}={value} + The optional ``{network/prefix}`` is a standard network name and + prefix length in CIDR notation (e.g., ``10.3.0.0/16``). If present, + the use of this capability is restricted to clients connecting from + this network. + - **Metadata Server Caps:** For administrators, use ``allow *``. For all other users, such as CephFS clients, consult :doc:`/cephfs/client-auth` -- 2.39.5
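Review bot: in the new ``Network restriction`` section of doc/cephfs/client-auth.rst the explanatory paragraph refers to ``{network/prefix}``, but that placeholder appears nowhere in the section; the literal block only shows the concrete ``network 10.0.0.0/8``. Either add a syntax line such as ``caps: [mds] allow r network {network/prefix}`` ahead of the example, or say that the example uses ``10.0.0.0/8`` in place of ``{network/prefix}``. It would also help to state which address is compared against the prefix (for example, the peer address the daemon sees on the connection), since "clients connecting from this network" is ambiguous for clients behind NAT or a proxy.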
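Review bot: the first doc/rados/operations/user-management.rst hunk adds ``[network {network/prefix}]`` to ``mon 'allow {access-spec}'`` but leaves ``mon 'profile {name}'`` unchanged, while the OSD hunk adds the clause to both the ``allow`` and the ``profile`` form. If the monitor ``profile`` form also accepts the network clause it should be documented the same way, e.g. ``mon 'profile {name} [network {network/prefix}]'``; if it does not, one sentence saying so would stop readers from assuming symmetry with the OSD caps.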
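Review bot: the four-line paragraph beginning "The optional ``{network/prefix}`` is a standard network name" is pasted verbatim three times (once in client-auth.rst and twice in user-management.rst, under the monitor and OSD caps). Define it once, for example directly under ``Capability syntax follows the form::`` or in a labelled section, and reference it from the other places so the wording cannot drift when the semantics are refined later. Also, "standard network name" is not the usual term for an address; "network address and prefix length in CIDR notation" reads more precisely.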