Hi,
On 01/11/2017 11:02 AM, Boris Mattijssen wrote:
Hi all,
I'm trying to use path restriction on CephFS, running a Ceph Jewel
(ceph version 10.2.5) cluster.
For this I'm using the command specified in the official docs
(http://docs.ceph.com/docs/jewel/cephfs/client-auth/):
    ceph auth get-or-create client.boris mon 'allow r' mds 'allow r, allow rw path=/boris' osd 'allow rw pool=cephfs_data'
When I mount the fs with the boris user and the generated secret I can
still see all files in the fs (not just the files in /boris).
I am restricted from writing to anything but /boris, so the problem is
that I can still read anything outside of /boris.
Can someone please clarify what's going on?
As far as I understand the mds caps, mds 'allow r' allows read-only
access to all files; 'allow rw path=/boris' restricts write access to
the given path. So your observations reflect the given permissions.
You can configure ceph-fuse and kcephfs to use a given directory as
'root' directory of the mount point (e.g. ceph-fuse -r /boris). But I'm
not sure whether
- you need access to the root directory to mount with -r option
- you can restrict the read-only access to the root directory without
sub directories
(e.g. 'allow r path=/, allow rw path=/boris' to allow mounting a sub
directory only)
Unfortunately the -r option is a client side option, so you have to
trust your clients.
Regards,
Burkhard
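To make the cap semantics discussed above concrete, here is a small, simplified model of how path-scoped MDS grants are evaluated, added as an illustration and not Ceph's own code. It assumes each 'allow' clause carries only r/w/rw/* and an optional path= qualifier, and that a request is permitted when any clause covers the requested path with the requested permission; the sample paths are constructed.

```python
import posixpath
import re
from dataclasses import dataclass

# One 'allow' clause of an MDS cap string; path is '/' when unscoped.
@dataclass(frozen=True)
class Grant:
    perms: str
    path: str

_GRANT_RE = re.compile(r"allow\s+(rw|r|w|\*)(?:\s+path=(\S+))?")

def parse_mds_caps(caps: str) -> list[Grant]:
    """Parse "allow r, allow rw path=/boris" into Grant objects (simplified:
    real MDS caps also accept uid=, gids= and other qualifiers)."""
    grants = []
    for clause in caps.split(","):
        m = _GRANT_RE.fullmatch(clause.strip())
        if not m:
            raise ValueError(f"unparsable grant: {clause!r}")
        perms = "rw" if m.group(1) == "*" else m.group(1)
        grants.append(Grant(perms, posixpath.normpath(m.group(2) or "/")))
    return grants

def _covers(grant: Grant, path: str) -> bool:
    # A path-scoped grant covers its subtree; an unscoped grant covers everything.
    path = posixpath.normpath(path)
    if grant.path == "/":
        return True
    return path == grant.path or path.startswith(grant.path + "/")

def allowed(grants: list[Grant], path: str, perm: str) -> bool:
    """True if any grant supplies perm ('r' or 'w') on path."""
    return any(perm in g.perms and _covers(g, path) for g in grants)

# Cap string from the docs command above, and one without the unscoped read.
CAPS_FROM_DOCS = "allow r, allow rw path=/boris"
CAPS_PATH_ONLY = "allow rw path=/boris"

def access_matrix(caps: str) -> dict[str, bool]:
    """Evaluate a few sample requests (constructed paths) against caps."""
    g = parse_mds_caps(caps)
    return {
        "read /boris/notes.txt": allowed(g, "/boris/notes.txt", "r"),
        "write /boris/notes.txt": allowed(g, "/boris/notes.txt", "w"),
        "read /alice/secret.txt": allowed(g, "/alice/secret.txt", "r"),
        "write /alice/secret.txt": allowed(g, "/alice/secret.txt", "w"),
        "read /boris2/x": allowed(g, "/boris2/x", "r"),  # prefix, not subtree
    }
```

With CAPS_FROM_DOCS the unscoped 'allow r' makes every read outside /boris succeed, which is exactly what Boris observed; with CAPS_PATH_ONLY reads and writes are both confined to the /boris subtree.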
_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com