>>>> We are working on a POC with containers (kubernetes) and cephfs (for
>>>> permanent storage).
>>>>
>>>> The main idea is to give a user access to a subdirectory of the
>>>> cephfs but be sure he won't be able to access the rest of the
>>>> storage. As k8s works, the user will have access to the yml file
>>>> where the cephfs mount point is defined. He will be able to change
>>>> the subdirectory mounted inside the container (and set it to /). And
>>>> inside the container, the user is root…
>>>>
>>>> So even if the user doesn't have access to the secret, he will be
>>>> able to mount the whole cephfs volume with read access.
>>>>
>>>> Is there a possibility to have "root_squash" option on cephfs volume
>>>> for a specific client.user + secret?
>>>>
>>>> Is it possible to allow a specific user to mount only /bla and
>>>> disallow to mount the cephfs root "/"?
>>>>
>>>> Or is there another way to do that?
>>>
>>> Maybe this will get you started with the permissions for only this fs
>>> path /smb
>>>
>>> sudo ceph auth get-or-create client.cephfs.smb mon 'allow r' mds
>>> 'allow r, allow rw path=/smb' osd 'allow rwx pool=fs_meta,allow rwx
>>> pool=fs_data'
>>
>> What I currently do is :
>>
>> mkdir /cephfs/foo
>> chown nobody:foogrp /cephfs/foo
>> chmod 770 /cephfs/foo
>> ceph auth get-or-create client.foo mon "allow r" osd "allow rw
>> pool=cephfs_data" mds "allow r, allow rw path=/foo"
>> ceph fs authorize cephfs client.foo / r /foo rw
>>
>> so I have this for client.foo
>>
>> [client.foo]
>> key = [secret]
>> caps mds = "allow r, allow rw path=/foo"
>> caps mon = "allow r"
>> caps osd = "allow rw pool=cephfs_data"
>>
>> With this, the user foo is able to mount the root of the cephfs and read
>> everything. Of course he cannot modify it, but my problem here is that he
>> still has read access to everything with uid=0.
>
> I think that is because of the older kernel client, like mentioned here?
> https://www.mail-archive.com/[email protected]/msg39734.html
The kernel on the client is 4.4.0-93 and on the ceph nodes it is 4.4.0-96.
What exactly is an older kernel client? Is 4.4 old?
If I remove "/ r" in the "auth caps" or "fs authorize":
# ceph auth get-or-create client.foo mon "allow r" osd "allow rw
pool=cephfs_data" mds "allow rw path=/foo"
Error EINVAL: key for client.foo exists but cap mds does not match
# ceph fs authorize cephfs client.foo /foo rw
Error EINVAL: key for client.foo exists but cap mds does not match
# ceph fs authorize cephfs client.foo / r /foo rw
[client.foo]
key = [secret]
--
Yoann Moulin
EPFL IC-IT
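The "key for client.foo exists but cap mds does not match" errors above come from the fact that neither `ceph auth get-or-create` nor `ceph fs authorize` will alter the caps of a key that already exists; replacing the caps of an existing client is done with `ceph auth caps`. The script below is an added example, not code from this thread or from the Ceph project: it audits the output of `ceph auth ls` (or `ceph auth get client.foo`) in the `[client.x]` / `caps mds = "..."` layout shown in the thread and reports every mds cap clause that is not restricted with `path=`, which is exactly the `allow r` clause that lets client.foo read the whole tree. The input is a constructed sample, and the pool name `cephfs_data` and the path `/foo` are taken from the thread; the `ceph auth caps` line in the comment is the fix and is not executed by the script.

```shell
#!/bin/sh
# Audit CephFS MDS caps for clauses that are not scoped to a path.
# Feed it the output of `ceph auth ls` or `ceph auth get client.<name>`:
#   ceph auth ls | sh audit_mds_caps.sh
#
# To replace the caps of an existing key (get-or-create and fs authorize
# refuse to change them), drop the root "allow r" clause with:
#   ceph auth caps client.foo mon 'allow r' \
#       osd 'allow rw pool=cephfs_data' mds 'allow rw path=/foo'

# Prints "client.<name>: <clause>" for each mds cap clause lacking path=.
# Reads the key listing from stdin.
unscoped_mds_caps() {
  awk '
    /^\[client\./ {
      name = $0
      sub(/^\[/, "", name); sub(/\]$/, "", name)
    }
    /^[ \t]*caps mds = / {
      s = $0
      sub(/^[ \t]*caps mds = "/, "", s)
      sub(/"[ \t]*$/, "", s)
      n = split(s, clauses, ",[ \t]*")
      for (i = 1; i <= n; i++) {
        if (clauses[i] !~ /path=/) printf "%s: %s\n", name, clauses[i]
      }
    }
  '
}

# Constructed sample in the layout shown in the thread. client.foo carries
# the thread'"'"'s caps (root readable); client.bar is scoped to /bar only.
SAMPLE='[client.foo]
	key = [secret]
	caps mds = "allow r, allow rw path=/foo"
	caps mon = "allow r"
	caps osd = "allow rw pool=cephfs_data"
[client.bar]
	key = [secret]
	caps mds = "allow rw path=/bar"
	caps mon = "allow r"
	caps osd = "allow rw pool=cephfs_data"'

# Returns 0 when no client has an unscoped mds clause, 1 otherwise.
audit() {
  findings=$(unscoped_mds_caps)
  if [ -n "$findings" ]; then
    echo "unscoped mds caps found:"
    echo "$findings"
    return 1
  fi
  echo "all mds caps are path-scoped"
  return 0
}

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE" | audit
fi
```

Run it with `--demo` to see the constructed sample flagged (client.foo's `allow r`), or pipe real `ceph auth ls` output into it on the admin node. Note that `ceph auth caps` replaces all caps for the key at once, so every cap type (mon, osd, mds) must be restated in the command.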
_______________________________________________
ceph-users mailing list
[email protected]
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com