Merge pull request #12993 from jcsp/wip-cephfs-doc-authcaps

doc: clarify the path restriction mds cap example Reviewed-by: Patrick Donnelly <pdonnell@redhat.com>
2025-02-21 01:47:25 +00:00 · 2017-02-06 12:59:22 +00:00 · 2017-02-06 12:59:22 +00:00 · f1c3eeda38
commit f1c3eeda38
parent 7511564b88 936bab6d59
1 changed files with 12 additions and 1 deletions
--- a/doc/cephfs/client-auth.rst
+++ b/doc/cephfs/client-auth.rst
@ -29,10 +29,21 @@ directory while creating key for a client following the undermentioned syntax. :

 ./ceph auth get-or-create client.*client_name* mon 'allow r' mds 'allow r, allow rw path=/*specified_directory*' osd 'allow rw pool=data'

-for example, to restrict client ``foo`` to ``bar`` directory, we will use. ::
+for example, to restrict client ``foo`` to writing only in the ``bar`` directory,
+we will use: ::

 ./ceph auth get-or-create client.foo mon 'allow r' mds 'allow r, allow rw path=/bar' osd 'allow rw pool=data'

+To completely restrict the client to the ``bar`` directory, omit the
+unqualified "allow r" clause: ::
+
+./ceph auth get-or-create client.foo mon 'allow r' mds 'allow rw path=/bar' osd 'allow rw pool=data'
+
+Note that if a client's read access is restricted to a path, they will only
+be able to mount the filesystem when specifying a readable path in the
+mount command (see below).
+
+
 See `User Management - Add a User to a Keyring`_. for additional details on user management

 To restrict a client to the specfied sub-directory only, we mention the specified