On Wed, Mar 7, 2018 at 2:45 PM, Kenneth Waegeman
> Hi all,
> I am playing with limiting client access to certain subdirectories of cephfs
> running latest 12.2.4 and latest centos 7.4 kernel, both using kernel client
> and fuse
> I am following http://docs.ceph.com/docs/luminous/cephfs/client-auth/:
> To completely restrict the client to the bar directory, omit the root
> ceph fs authorize cephfs client.foo /bar rw
> When I mount this directory with fuse, this works. When I try to mount the
> subdirectory directly with the kernel client, I get
> mount error 13 = Permission denied
> This only seems to work when the root is readable.
> --> Is there a way to mount subdirectory with kernel client when parent in
> cephfs is not readable ?
The latest CentOS kernel isn't necessarily very recent: it sounds like
the version in use there is a little older (at one point the subdir
mount support had this quirk with the kclient that required the root
> Then I checked the data pool with rados, but I can list/get/.. every object
> in the data pool using the client.foo key.
> I saw in the docs of master
> http://docs.ceph.com/docs/master/cephfs/client-auth/ that you can add a tag
> cephfs, but if I add this I can't write anything to cephfs anymore, so I
> guess this is not yet supported in luminous.
> --> Is there a way to limit the cephfs user to his data only (through
> cephfs) instead of being able to do everything on the pool, without needing
> a pool for every single cephfs client?
Yes. You can do this with namespaces: set the
ceph.dir.layout.pool_namespace on the restricted subdir (before any
files are written in there), and then restrict the client's OSD caps
to that namespace within the pool, with a cap like "allow rw pool=foo
> ceph-users mailing list
ceph-users mailing list