doc/cephfs: add note about deletion from OSD restricted pool

As described in http://tracker.ceph.com/issues/17937, a client with restricted pool access can still delete files unless a corresponding MDS path restriction is also in place. Signed-off-by: David Disseldorp <[email protected]>
areed · Nov 17, 2016 · f00546f · f00546f
1 parent 588d631
commit f00546f
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/doc/cephfs/client-auth.rst b/doc/cephfs/client-auth.rst
@@ -78,6 +78,12 @@ restricts access to the CephFS data pool(s):
         caps: [mon] allow r
         caps: [osd] allow rw pool=data1, allow rw pool=data2
 
+.. note::
+
+    Without a corresponding MDS path restriction, the OSD capabilities above do
+    **not** restrict file deletions outside of the ``data1`` and ``data2``
+    pools.
+
 You may also restrict clients from writing data by using 'r' instead of
 'rw' in OSD capabilities.  This does not affect the ability of the client
 to update filesystem metadata for these files, but it will prevent them