author Josh Durgin <josh.durgin@inktank.com> 2012-10-05 16:21:12 -0700
committer Josh Durgin <josh.durgin@inktank.com> 2012-10-05 16:21:12 -0700
commit c8721b956c5f86d80f021dcda0bdef14e0021404
tree 4632b721b4f976e40cf79dda0efea0aba08c50dc /man
parent 48fc340ce855d00c9e3ac58b44209bd64122f781
parent 20496b8d2b2c3779a771695c6f778abbdb66d92a
Merge branch 'wip-osd-caps'
Conflicts:
	src/osd/OSDCap.cc
	src/test/osd/osdcap.cc

Reviewed-by: Sage Weil <sage.weil@inktank.com>
Diffstat (limited to 'man')
-rw-r--r-- man/ceph-authtool.8 27
1 files changed, 20 insertions, 7 deletions
diff --git a/man/ceph-authtool.8 b/man/ceph-authtool.8
index 281db9a7c93..36793fcdf5e 100644
--- a/man/ceph-authtool.8
+++ b/man/ceph-authtool.8
@@ -1,4 +1,4 @@
-.TH "CEPH-AUTHTOOL" "8" "September 27, 2012" "dev" "Ceph"
+.TH "CEPH-AUTHTOOL" "8" "September 28, 2012" "dev" "Ceph"
.SH NAME
ceph-authtool \- ceph keyring manipulation tool
.
@@ -123,6 +123,16 @@ osd = "allow rw pool foo"
.ft P
.fi
.sp
+A client using rbd with read access to one pool and read/write access to another:
+.sp
+.nf
+.ft C
+mon = "allow r"
+
+osd = "allow pool templates r class\-read, allow pool vms rwx"
+.ft P
+.fi
+.sp
A client mounting the file system with minimal permissions would need caps like:
.sp
.nf
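Review bot: The added example line `osd = "allow pool templates r class\-read, allow pool vms rwx"` uses class\-read before the page has defined it, and its lead-in sentence only promises "read access to one pool", so a reader cannot tell why the read-only pool gets more than `r`. Add a sentence saying that class\-read is what lets the client call read-type class methods on the templates pool, or point the reader to the capspec list further down where the term is explained.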
@@ -142,8 +152,8 @@ In general, an osd capability follows the grammar:
.ft C
osdcap := grant[,grant...]
grant := allow (match capspec | capspec match)
-match := [pool <poolname>]
-capspec := * | [r][w][x]
+match := [pool[=]<poolname>]
+capspec := * | [r][w][x] [class\-read] [class\-write]
.ft P
.fi
.sp
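Review bot: The new rule `match := [pool[=]<poolname>]` no longer shows any whitespace between `pool` and the name, yet the rbd example added earlier in this patch writes `allow pool templates r class\-read` with a space. If both spellings are accepted, list them explicitly (for instance `pool <poolname>` and `pool=<poolname>`) so that nobody has to guess which form actually scopes a grant to one pool. The capspec rule on the next line also makes every element optional, so it reads as if an empty capspec were valid; say whether it is.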
@@ -151,10 +161,13 @@ The capspec determines what kind of operations the entity can perform:
.sp
.nf
.ft C
-r = read access to objects
-w = write access to objects
-x = able to run class methods on objects
-* = equivalent to rwx
+r = read access to objects
+w = write access to objects
+x = can call any class method (same as class\-read class\-write)
+class\-read = can call class methods that are reads
+class\-write = can call class methods that are writes
+* = equivalent to rwx, plus the ability to run osd admin commands,
+ i.e. ceph osd tell ...
.ft P
.fi
.sp
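Review bot: The new `*` entry reads "equivalent to rwx, plus the ability to run osd admin commands", which contradicts itself: a capspec that also permits admin commands is not equivalent to rwx. Reword it as "rwx plus the ability to run osd admin commands", and consider adding a sentence that ordinary clients should be given `rwx` rather than `*`, since this text now documents `*` as the broader grant. The continuation "i.e. ceph osd tell ..." should also make clear whether that command is the whole of what is covered or only one example of it.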