From f00546fee02e3b769a38e1fd471252765db703da Mon Sep 17 00:00:00 2001 From: David Disseldorp Date: Thu, 17 Nov 2016 17:55:26 +0100 Subject: [PATCH] doc/cephfs: add note about deletion from OSD restricted pool As described in http://tracker.ceph.com/issues/17937, a client with restricted pool access can still delete files unless a corresponding MDS path restriction is also in place. Signed-off-by: David Disseldorp --- doc/cephfs/client-auth.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/cephfs/client-auth.rst b/doc/cephfs/client-auth.rst index 9e20032d58c..8d6db4e4e4a 100644 --- a/doc/cephfs/client-auth.rst +++ b/doc/cephfs/client-auth.rst @@ -78,6 +78,12 @@ restricts access to the CephFS data pool(s): caps: [mon] allow r caps: [osd] allow rw pool=data1, allow rw pool=data2 +.. note:: + + Without a corresponding MDS path restriction, the OSD capabilities above do + **not** restrict file deletions outside of the ``data1`` and ``data2`` + pools. + You may also restrict clients from writing data by using 'r' instead of 'rw' in OSD capabilities. This does not affect the ability of the client to update filesystem metadata for these files, but it will prevent them -- 2.47.3
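Review bot: the added ``.. note::`` states the gap only in the negative ("do **not** restrict file deletions outside of the ``data1`` and ``data2`` pools") and never says what a reader should do about it. The commit message is clearer than the documentation text: a client with restricted pool access can still delete files unless a corresponding MDS path restriction is also in place. I would phrase the note the same way, for example "a client with these OSD capabilities can still delete files stored in other pools unless its MDS capabilities are also restricted by path", and point to where the MDS path restriction is documented so the reader can apply it. It may also help to reference http://tracker.ceph.com/issues/17937 from the note, since the following unchanged paragraph about using 'r' instead of 'rw' describes a similar split between OSD capabilities and metadata updates, and readers are likely to want the background.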