Feature #12403

open

Implement a minimal access keyring for read-only access on a Ceph cluster

Added by Vimal A.R almost 9 years ago. Updated over 8 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

In many cases, a read-only keyring is needed for clients that just need to read data from the Ceph cluster, but not write to it.

The following keyring achieves this, but only works fine when the OSDs have full capabilities:

~~~
# ceph auth get-or-create client.read-only mon 'allow r' osd 'allow *' > ceph.client.read-only.keyring
~~~

i.e. the command below fails (which is what we want) with the above keyring:

~~~
# curl -v -X PUT "http://<Hostname>:5000/api/v0.1/osd/crush/reweight?name=osd.71&weight=1.0"
~~~

This feature request is to understand if read-only access can be achieved when the OSDs are assigned 'read-only' capabilities, as with the following keyring:

~~~
# ceph auth get-or-create client.read-only mon 'allow r' osd 'allow r' > ceph.client.read-only.keyring
~~~

The problem here is that, when assigning read-only capabilities for the OSDs, a test with 'ceph-rest-api' fails with a Python traceback:

~~~
# ceph auth get client.read-only
exported keyring for client.read-only
[client.read-only]
	key = AQDho5VVqKUKNBAAg+I+9Tq5ENQ1IxGCENmfLg==
	caps mon = "allow r"
	caps osd = "allow r"

# ceph-rest-api -n client.read-only
Traceback (most recent call last):
  File "/usr/bin/ceph-rest-api", line 59, in <module>
    rest,
  File "/usr/lib/python2.7/dist-packages/ceph_rest_api.py", line 496, in generate_app
    addr, port = api_setup(app, conf, cluster, clientname, clientid, args)
  File "/usr/lib/python2.7/dist-packages/ceph_rest_api.py", line 144, in api_setup
    target=('osd', int(osdid)))
  File "/usr/lib/python2.7/dist-packages/ceph_rest_api.py", line 82, in get_command_descriptions
    raise EnvironmentError(ret, err)
EnvironmentError: [Errno -1] Can't get command descriptions:
~~~

In short, read-only access is only possible while using [mon 'allow r' osd 'allow *'] and not [mon 'allow r' osd 'allow r']. This is a request to reduce the capabilities for the OSDs in a read-only scenario. If this is not possible, may I know the reason why we need full permissions, please?

Thank you,

Vimal
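The difference between the two keyrings in this report is a single cap string, so it is useful to be able to check, from an exported keyring (`ceph auth get <entity>`, `ceph auth export`, or a keyring file), which clients actually hold caps wider than `allow r`. The following is an added example for that check, not code from the Ceph project or from the reporter: it parses the exported keyring format shown above and reports every grant that is not a pure read grant. The sample keyring text, the entity names and the helper names (`parse_keyring`, `split_grants`, `grant_is_read_only`, `audit_read_only`) are all constructed for the example, and the placeholder keys are not real secrets.

```python
"""Audit a Ceph keyring for clients that are supposed to be read-only.

Added example, not Ceph project code.  It reads the 'exported keyring'
format (the output of `ceph auth get` / `ceph auth export`) and flags
every cap grant that is wider than a plain read grant, such as the
`osd 'allow *'` workaround from the report.  Helper names are
hypothetical; Ceph ships no tool with this interface.
"""
import re

# Constructed sample keyring: three entities, placeholder keys (not real secrets).
SAMPLE_KEYRING = """\
[client.read-only]
\tkey = AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
\tcaps mon = "allow r"
\tcaps osd = "allow r"

[client.read-only-star]
\tkey = AQBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB==
\tcaps mon = "allow r"
\tcaps osd = "allow *"

[client.rbd]
\tkey = AQCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC==
\tcaps mon = "allow r"
\tcaps osd = "allow class-read object_prefix rbd_children, allow rwx pool=rbd"
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
FIELD_RE = re.compile(r"^(key|caps\s+[A-Za-z0-9_-]+)\s*=\s*(.*)$")

# Keywords whose following token is an argument, not a permission.
RESTRICTION_KEYWORDS = {"pool", "namespace", "object_prefix", "tag", "network", "with"}
# The only permission tokens that grant nothing beyond reading.
READ_ONLY_PERMS = {"r", "class-read"}


def parse_keyring(text):
    """Return {entity: {"key": str | None, "caps": {service: capstring}}}."""
    entities, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sect = SECTION_RE.match(line)
        if sect:
            current = {"key": None, "caps": {}}
            entities[sect.group(1)] = current
            continue
        if current is None:
            raise ValueError(f"line {lineno}: field before any [entity] header")
        field = FIELD_RE.match(line)
        if not field:
            raise ValueError(f"line {lineno}: unrecognised line {line!r}")
        name, value = field.group(1), field.group(2).strip().strip('"')
        if name == "key":
            current["key"] = value
        else:  # "caps <service>"
            current["caps"][name.split(None, 1)[1]] = value
    return entities


def split_grants(capstr):
    """Split 'allow r pool=a, allow rw pool=b' into its grants.
    Separators are ',' or ';' outside double quotes, so a quoted
    command name in a mon cap is not split apart."""
    grants, buf, quoted = [], [], False
    for ch in capstr:
        if ch == '"':
            quoted = not quoted
        if ch in ",;" and not quoted:
            grants.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        grants.append(tail)
    return grants


def grant_is_read_only(grant):
    """True only if every permission token of one 'allow ...' grant is a
    read permission.  Restrictions (pool=, object_prefix ..., network ...)
    are ignored; anything unrecognised fails closed and returns False."""
    tokens = grant.strip().split()
    if len(tokens) < 2 or tokens[0] != "allow":
        return False
    perms, skip_next = [], False
    for tok in tokens[1:]:
        if skip_next:
            skip_next = False
            continue
        if "=" in tok:                    # pool=rbd, namespace=x, data=fs
            continue
        if tok in RESTRICTION_KEYWORDS:   # object_prefix rbd_children, network 10.0.0.0/8
            skip_next = True
            continue
        perms.append(tok)
    return bool(perms) and all(p in READ_ONLY_PERMS for p in perms)


def audit_read_only(entities):
    """Map each entity to the grants wider than read-only (empty list = OK)."""
    report = {}
    for name, ent in entities.items():
        findings = []
        for service, capstr in ent["caps"].items():
            for grant in split_grants(capstr):
                if not grant_is_read_only(grant):
                    findings.append(f"{service}: {grant!r} exceeds read-only")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_read_only(parse_keyring(SAMPLE_KEYRING)).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Feed it a keyring file or the output of `ceph auth get`; the classifier fails closed, so any grant syntax it does not recognise (`profile ...`, `command "..."`, unknown keywords) is reported as wider than read-only rather than silently accepted, which is the right default for an audit tool.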

Actions #1

Updated by Nathan Cutler over 8 years ago

  • Tracker changed from Tasks to Feature
  • Project changed from Stable releases to Ceph