Merge branch 'wip-osd-caps'

Conflicts: src/osd/OSDCap.cc src/test/osd/osdcap.cc Reviewed-by: Sage Weil <[email protected]>
dano · Oct 5, 2012 · c8721b9 · c8721b9
2 parents 48fc340 + 20496b8
commit c8721b9
Show file tree

Hide file tree

Showing 19 changed files with 494 additions and 194 deletions.
diff --git a/PendingReleaseNotes b/PendingReleaseNotes
@@ -0,0 +1,22 @@
+v0.54
+-----
+
+* The osd capabilities associated with a rados user have changed
+  syntax since 0.48 argonaut. The new format is mostly backwards
+  compatible, but there are two backwards-incompatible changes:
+
+  * specifying a list of pools in one grant, i.e.
+    'allow r pool=foo,bar' is now done in separate grants, i.e.
+    'allow r pool=foo, allow r pool=bar'.
+
+  * restricting pool access by pool owner ('allow r uid=foo') is
+    removed. This feature was not very useful and unused in practice.
+
+  The new format is documented in the ceph-authtool man page.
+
+* Bug fixes to the new osd capability format parsing properly validate
+  the allowed operations. If an existing rados user gets permissions
+  errors after upgrading, its capabilities were probably
+  misconfigured. See the ceph-authtool man page for details on osd
+  capabilities.
+
diff --git a/doc/man/8/ceph-authtool.rst b/doc/man/8/ceph-authtool.rst
@@ -89,6 +89,12 @@ A librados user restricted to a single pool might look like::
 
         osd = "allow rw pool foo"
 
+A client using rbd with read access to one pool and read/write access to another::
+
+        mon = "allow r"
+
+        osd = "allow pool templates r class-read, allow pool vms rwx"
+
 A client mounting the file system with minimal permissions would need caps like::
 
         mds = "allow"
@@ -105,15 +111,18 @@ In general, an osd capability follows the grammar::
 
         osdcap  := grant[,grant...]
         grant   := allow (match capspec | capspec match)
-        match   := [pool <poolname>]
-        capspec := * | [r][w][x]
+        match   := [pool[=]<poolname>]
+        capspec := * | [r][w][x] [class-read] [class-write]
 
 The capspec determines what kind of operations the entity can perform::
 
-    r = read access to objects
-    w = write access to objects
-    x = able to run class methods on objects
-    * = equivalent to rwx
+    r           = read access to objects
+    w           = write access to objects
+    x           = can call any class method (same as class-read class-write)
+    class-read  = can call class methods that are reads
+    class-write = can call class methods that are writes
+    *           = equivalent to rwx, plus the ability to run osd admin commands,
+                  i.e. ceph osd tell ...
 
 The match criteria restrict a grant based on the pool being accessed.
 Grants are additive if the client fulfills the match condition. For

diff --git a/man/ceph-authtool.8 b/man/ceph-authtool.8
@@ -1,4 +1,4 @@
-.TH "CEPH-AUTHTOOL" "8" "September 27, 2012" "dev" "Ceph"
+.TH "CEPH-AUTHTOOL" "8" "September 28, 2012" "dev" "Ceph"
 .SH NAME
 ceph-authtool \- ceph keyring manipulation tool
 .
@@ -123,6 +123,16 @@ osd = "allow rw pool foo"
 .ft P
 .fi
 .sp
+A client using rbd with read access to one pool and read/write access to another:
+.sp
+.nf
+.ft C
+mon = "allow r"
+
+osd = "allow pool templates r class\-read, allow pool vms rwx"
+.ft P
+.fi
+.sp
 A client mounting the file system with minimal permissions would need caps like:
 .sp
 .nf
@@ -142,19 +152,22 @@ In general, an osd capability follows the grammar:
 .ft C
 osdcap  := grant[,grant...]
 grant   := allow (match capspec | capspec match)
-match   := [pool <poolname>]
-capspec := * | [r][w][x]
+match   := [pool[=]<poolname>]
+capspec := * | [r][w][x] [class\-read] [class\-write]
 .ft P
 .fi
 .sp
 The capspec determines what kind of operations the entity can perform:
 .sp
 .nf
 .ft C
-r = read access to objects
-w = write access to objects
-x = able to run class methods on objects
-* = equivalent to rwx
+r           = read access to objects
+w           = write access to objects
+x           = can call any class method (same as class\-read class\-write)
+class\-read  = can call class methods that are reads
+class\-write = can call class methods that are writes
+*           = equivalent to rwx, plus the ability to run osd admin commands,
+              i.e. ceph osd tell ...
 .ft P
 .fi
 .sp

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -746,9 +746,9 @@ unittest_daemon_config_LDADD =  ${UNITTEST_LDADD} ${LIBGLOBAL_LDA}
 unittest_daemon_config_CXXFLAGS = ${CRYPTO_CFLAGS} ${AM_CXXFLAGS} ${UNITTEST_CXXFLAGS}
 check_PROGRAMS += unittest_daemon_config
 
-unittest_osd_osdcap_SOURCES = test/osd/osdcap.cc
+unittest_osd_osdcap_SOURCES = test/osd/osdcap.cc osd/OSDCap.cc
 unittest_osd_osdcap_LDFLAGS = $(PTHREAD_CFLAGS) ${AM_LDFLAGS}
-unittest_osd_osdcap_LDADD =  ${UNITTEST_LDADD} ${LIBGLOBAL_LDA} libosd.a
+unittest_osd_osdcap_LDADD =  ${UNITTEST_LDADD} ${LIBGLOBAL_LDA}
 unittest_osd_osdcap_CXXFLAGS = ${CRYPTO_CFLAGS} ${AM_CXXFLAGS} ${UNITTEST_CXXFLAGS}
 check_PROGRAMS += unittest_osd_osdcap
 

diff --git a/src/cls/lock/cls_lock.cc b/src/cls/lock/cls_lock.cc
@@ -443,19 +443,19 @@ void __cls_init()
 
   cls_register("lock", &h_class);
   cls_register_cxx_method(h_class, "lock",
-                          CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+                          CLS_METHOD_RD | CLS_METHOD_WR,
                           lock_op, &h_lock_op);
   cls_register_cxx_method(h_class, "unlock",
-                          CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+                          CLS_METHOD_RD | CLS_METHOD_WR,
                           unlock_op, &h_unlock_op);
   cls_register_cxx_method(h_class, "break_lock",
-                          CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+                          CLS_METHOD_RD | CLS_METHOD_WR,
                           break_lock, &h_break_lock);
   cls_register_cxx_method(h_class, "get_info",
-                          CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+                          CLS_METHOD_RD,
                           get_info, &h_get_info);
   cls_register_cxx_method(h_class, "list_locks",
-                          CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+                          CLS_METHOD_RD,
                           list_locks, &h_list_locks);
 
   return;

diff --git a/src/cls/refcount/cls_refcount.cc b/src/cls/refcount/cls_refcount.cc
@@ -233,10 +233,10 @@ void __cls_init()
   cls_register("refcount", &h_class);
 
   /* refcount */
-  cls_register_cxx_method(h_class, "get", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, cls_rc_refcount_get, &h_refcount_get);
-  cls_register_cxx_method(h_class, "put", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, cls_rc_refcount_put, &h_refcount_put);
-  cls_register_cxx_method(h_class, "set", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, cls_rc_refcount_set, &h_refcount_set);
-  cls_register_cxx_method(h_class, "read", CLS_METHOD_RD | CLS_METHOD_PUBLIC, cls_rc_refcount_read, &h_refcount_read);
+  cls_register_cxx_method(h_class, "get", CLS_METHOD_RD | CLS_METHOD_WR, cls_rc_refcount_get, &h_refcount_get);
+  cls_register_cxx_method(h_class, "put", CLS_METHOD_RD | CLS_METHOD_WR, cls_rc_refcount_put, &h_refcount_put);
+  cls_register_cxx_method(h_class, "set", CLS_METHOD_RD | CLS_METHOD_WR, cls_rc_refcount_set, &h_refcount_set);
+  cls_register_cxx_method(h_class, "read", CLS_METHOD_RD, cls_rc_refcount_read, &h_refcount_read);
 
   return;
 }

diff --git a/src/cls/rgw/cls_rgw.cc b/src/cls/rgw/cls_rgw.cc
@@ -1134,25 +1134,25 @@ void __cls_init()
   cls_register("rgw", &h_class);
 
   /* bucket index */
-  cls_register_cxx_method(h_class, "bucket_init_index", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, rgw_bucket_init_index, &h_rgw_bucket_init_index);
-  cls_register_cxx_method(h_class, "bucket_set_tag_timeout", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, rgw_bucket_set_tag_timeout, &h_rgw_bucket_set_tag_timeout);
-  cls_register_cxx_method(h_class, "bucket_list", CLS_METHOD_RD | CLS_METHOD_PUBLIC, rgw_bucket_list, &h_rgw_bucket_list);
-  cls_register_cxx_method(h_class, "bucket_check_index", CLS_METHOD_RD | CLS_METHOD_PUBLIC, rgw_bucket_check_index, &h_rgw_bucket_check_index);
-  cls_register_cxx_method(h_class, "bucket_rebuild_index", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, rgw_bucket_rebuild_index, &h_rgw_bucket_rebuild_index);
-  cls_register_cxx_method(h_class, "bucket_prepare_op", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, rgw_bucket_prepare_op, &h_rgw_bucket_prepare_op);
-  cls_register_cxx_method(h_class, "bucket_complete_op", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, rgw_bucket_complete_op, &h_rgw_bucket_complete_op);
-  cls_register_cxx_method(h_class, "dir_suggest_changes", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, rgw_dir_suggest_changes, &h_rgw_dir_suggest_changes);
+  cls_register_cxx_method(h_class, "bucket_init_index", CLS_METHOD_RD | CLS_METHOD_WR, rgw_bucket_init_index, &h_rgw_bucket_init_index);
+  cls_register_cxx_method(h_class, "bucket_set_tag_timeout", CLS_METHOD_RD | CLS_METHOD_WR, rgw_bucket_set_tag_timeout, &h_rgw_bucket_set_tag_timeout);
+  cls_register_cxx_method(h_class, "bucket_list", CLS_METHOD_RD, rgw_bucket_list, &h_rgw_bucket_list);
+  cls_register_cxx_method(h_class, "bucket_check_index", CLS_METHOD_RD, rgw_bucket_check_index, &h_rgw_bucket_check_index);
+  cls_register_cxx_method(h_class, "bucket_rebuild_index", CLS_METHOD_RD | CLS_METHOD_WR, rgw_bucket_rebuild_index, &h_rgw_bucket_rebuild_index);
+  cls_register_cxx_method(h_class, "bucket_prepare_op", CLS_METHOD_RD | CLS_METHOD_WR, rgw_bucket_prepare_op, &h_rgw_bucket_prepare_op);
+  cls_register_cxx_method(h_class, "bucket_complete_op", CLS_METHOD_RD | CLS_METHOD_WR, rgw_bucket_complete_op, &h_rgw_bucket_complete_op);
+  cls_register_cxx_method(h_class, "dir_suggest_changes", CLS_METHOD_RD | CLS_METHOD_WR, rgw_dir_suggest_changes, &h_rgw_dir_suggest_changes);
 
   /* usage logging */
-  cls_register_cxx_method(h_class, "user_usage_log_add", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, rgw_user_usage_log_add, &h_rgw_user_usage_log_add);
-  cls_register_cxx_method(h_class, "user_usage_log_read", CLS_METHOD_RD | CLS_METHOD_PUBLIC, rgw_user_usage_log_read, &h_rgw_user_usage_log_read);
-  cls_register_cxx_method(h_class, "user_usage_log_trim", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, rgw_user_usage_log_trim, &h_rgw_user_usage_log_trim);
+  cls_register_cxx_method(h_class, "user_usage_log_add", CLS_METHOD_RD | CLS_METHOD_WR, rgw_user_usage_log_add, &h_rgw_user_usage_log_add);
+  cls_register_cxx_method(h_class, "user_usage_log_read", CLS_METHOD_RD, rgw_user_usage_log_read, &h_rgw_user_usage_log_read);
+  cls_register_cxx_method(h_class, "user_usage_log_trim", CLS_METHOD_RD | CLS_METHOD_WR, rgw_user_usage_log_trim, &h_rgw_user_usage_log_trim);
 
   /* garbage collection */
-  cls_register_cxx_method(h_class, "gc_set_entry", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, rgw_cls_gc_set_entry, &h_rgw_gc_set_entry);
-  cls_register_cxx_method(h_class, "gc_defer_entry", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, rgw_cls_gc_defer_entry, &h_rgw_gc_set_entry);
-  cls_register_cxx_method(h_class, "gc_list", CLS_METHOD_RD | CLS_METHOD_PUBLIC, rgw_cls_gc_list, &h_rgw_gc_list);
-  cls_register_cxx_method(h_class, "gc_remove", CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC, rgw_cls_gc_remove, &h_rgw_gc_remove);
+  cls_register_cxx_method(h_class, "gc_set_entry", CLS_METHOD_RD | CLS_METHOD_WR, rgw_cls_gc_set_entry, &h_rgw_gc_set_entry);
+  cls_register_cxx_method(h_class, "gc_defer_entry", CLS_METHOD_RD | CLS_METHOD_WR, rgw_cls_gc_defer_entry, &h_rgw_gc_set_entry);
+  cls_register_cxx_method(h_class, "gc_list", CLS_METHOD_RD, rgw_cls_gc_list, &h_rgw_gc_list);
+  cls_register_cxx_method(h_class, "gc_remove", CLS_METHOD_RD | CLS_METHOD_WR, rgw_cls_gc_remove, &h_rgw_gc_remove);
 
   return;
 }

diff --git a/src/cls_rbd.cc b/src/cls_rbd.cc
@@ -1888,107 +1888,107 @@ void __cls_init()
 
   cls_register("rbd", &h_class);
   cls_register_cxx_method(h_class, "create",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  create, &h_create);
   cls_register_cxx_method(h_class, "get_features",
-			  CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD,
 			  get_features, &h_get_features);
   cls_register_cxx_method(h_class, "get_size",
-			  CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD,
 			  get_size, &h_get_size);
   cls_register_cxx_method(h_class, "set_size",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  set_size, &h_set_size);
   cls_register_cxx_method(h_class, "get_snapcontext",
-			  CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD,
 			  get_snapcontext, &h_get_snapcontext);
   cls_register_cxx_method(h_class, "get_object_prefix",
-			  CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD,
 			  get_object_prefix, &h_get_object_prefix);
   cls_register_cxx_method(h_class, "get_snapshot_name",
-			  CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD,
 			  get_snapshot_name, &h_get_snapshot_name);
   cls_register_cxx_method(h_class, "snapshot_add",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  snapshot_add, &h_snapshot_add);
   cls_register_cxx_method(h_class, "snapshot_remove",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  snapshot_remove, &h_snapshot_remove);
   cls_register_cxx_method(h_class, "get_all_features",
-			  CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD,
 			  get_all_features, &h_get_all_features);
   cls_register_cxx_method(h_class, "copyup",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  copyup, &h_copyup);
   cls_register_cxx_method(h_class, "get_parent",
-			  CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD,
 			  get_parent, &h_get_parent);
   cls_register_cxx_method(h_class, "set_parent",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  set_parent, &h_set_parent);
   cls_register_cxx_method(h_class, "remove_parent",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  remove_parent, &h_remove_parent);
   cls_register_cxx_method(h_class, "set_protection_status",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  set_protection_status, &h_set_protection_status);
   cls_register_cxx_method(h_class, "get_protection_status",
-			  CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD,
 			  get_protection_status, &h_get_protection_status);
 
   /* methods for the rbd_children object */
   cls_register_cxx_method(h_class, "add_child",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  add_child, &h_add_child);
   cls_register_cxx_method(h_class, "remove_child",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  remove_child, &h_remove_child);
   cls_register_cxx_method(h_class, "get_children",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  get_children, &h_get_children);
 
   /* methods for the rbd_id.$image_name objects */
   cls_register_cxx_method(h_class, "get_id",
-			  CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD,
 			  get_id, &h_get_id);
   cls_register_cxx_method(h_class, "set_id",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  set_id, &h_set_id);
 
   /* methods for the rbd_directory object */
   cls_register_cxx_method(h_class, "dir_get_id",
-			  CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD,
 			  dir_get_id, &h_dir_get_id);
   cls_register_cxx_method(h_class, "dir_get_name",
-			  CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD,
 			  dir_get_name, &h_dir_get_name);
   cls_register_cxx_method(h_class, "dir_list",
-			  CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD,
 			  dir_list, &h_dir_list);
   cls_register_cxx_method(h_class, "dir_add_image",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  dir_add_image, &h_dir_add_image);
   cls_register_cxx_method(h_class, "dir_remove_image",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  dir_remove_image, &h_dir_remove_image);
   cls_register_cxx_method(h_class, "dir_rename_image",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  dir_rename_image, &h_dir_rename_image);
 
   /* methods for the old format */
   cls_register_cxx_method(h_class, "snap_list",
-			  CLS_METHOD_RD | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD,
 			  old_snapshots_list, &h_old_snapshots_list);
   cls_register_cxx_method(h_class, "snap_add",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  old_snapshot_add, &h_old_snapshot_add);
   cls_register_cxx_method(h_class, "snap_remove",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  old_snapshot_remove, &h_old_snapshot_remove);
 
   /* assign a unique block id for rbd blocks */
   cls_register_cxx_method(h_class, "assign_bid",
-			  CLS_METHOD_RD | CLS_METHOD_WR | CLS_METHOD_PUBLIC,
+			  CLS_METHOD_RD | CLS_METHOD_WR,
 			  rbd_assign_bid, &h_assign_bid);
 
   return;

diff --git a/src/include/rados.h b/src/include/rados.h
@@ -282,11 +282,11 @@ static inline int ceph_osd_op_mode_subop(int op)
 }
 static inline int ceph_osd_op_mode_read(int op)
 {
-	return (op & CEPH_OSD_OP_MODE) == CEPH_OSD_OP_MODE_RD;
+	return op & CEPH_OSD_OP_MODE_RD;
 }
 static inline int ceph_osd_op_mode_modify(int op)
 {
-	return (op & CEPH_OSD_OP_MODE) == CEPH_OSD_OP_MODE_WR;
+	return op & CEPH_OSD_OP_MODE_WR;
 }
 
 /*
@@ -318,7 +318,7 @@ enum {
 	CEPH_OSD_FLAG_PARALLELEXEC =   0x0200,  /* execute op in parallel */
 	CEPH_OSD_FLAG_PGOP =           0x0400,  /* pg op, no object */
 	CEPH_OSD_FLAG_EXEC =           0x0800,  /* op may exec */
-	CEPH_OSD_FLAG_EXEC_PUBLIC =    0x1000,  /* op may exec (public) */
+	CEPH_OSD_FLAG_EXEC_PUBLIC =    0x1000,  /* DEPRECATED op may exec (public) */
 	CEPH_OSD_FLAG_LOCALIZE_READS = 0x2000,  /* read from nearby replica, if any */
 	CEPH_OSD_FLAG_RWORDERED =      0x4000,  /* order wrt concurrent reads */
 };