Re: [ceph-users] CephFS Client Capabilities questions

2018-03-07 Thread John Spray
On Wed, Mar 7, 2018 at 2:45 PM, Kenneth Waegeman wrote:
> Hi all,
>
> I am playing with limiting client access to certain subdirectories of cephfs
> running the latest 12.2.4 and the latest CentOS 7.4 kernel, both using the
> kernel client and FUSE.
>
> I am following http://docs.ceph.com/docs/luminous/cephfs/client-auth/:
>
> To completely restrict the client to the bar directory, omit the root
> directory
>
> ceph fs authorize cephfs client.foo /bar rw
>
> When I mount this directory with fuse, this works. When I try to mount the
> subdirectory directly with the kernel client, I get
>
> mount error 13 = Permission denied
>
>
> This only seems to work when the root is readable.
>
> --> Is there a way to mount subdirectory with kernel client when parent in
> cephfs is not readable ?

The latest CentOS kernel isn't necessarily very recent: it sounds like
the version in use there is a little older (at one point the subdir
mount support had this quirk with the kclient that required the root
be readable).

> Then I checked the data pool with rados, but I can list/get/.. every object
> in the data pool using the client.foo key.
>
> I saw in the docs of master
> http://docs.ceph.com/docs/master/cephfs/client-auth/ that you can add a tag
> cephfs, but if I add this I can't write anything to cephfs anymore, so I
> guess this is not yet supported in luminous.
>
> --> Is there a way to limit the cephfs user to his data only (through
> cephfs) instead of being able to do everything on the pool, without needing
> a pool for every single cephfs client?

Yes.  You can do this with namespaces: set the
ceph.dir.layout.pool_namespace on the restricted subdir (before any
files are written in there), and then restrict the client's OSD caps
to that namespace within the pool, with a cap like "allow rw pool=foo
namespace=baz".

John

>
>
> Thanks!!
>
> Kenneth
>
___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
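The namespace procedure from John's reply, written out as an added example; it is not code from the thread or from the Ceph project. It assumes names the thread does not give: filesystem "cephfs", data pool "cephfs_data", the root mounted at /mnt/cephfs, the restricted subdir /bar, namespace "baz" and key client.foo. The commands it emits are the CephFS layout vxattr ceph.dir.layout.pool_namespace, `ceph auth caps`, `ceph auth get` and `rados -N`; the empty-directory guard and the cap check are added here.

```shell
#!/bin/sh
# Added example for the namespace approach in John's reply; not code from
# the thread or from Ceph. Assumed names (none are given in the thread):
# filesystem "cephfs", data pool "cephfs_data", root mounted at /mnt/cephfs,
# restricted subdir /bar, namespace "baz", key client.foo.
set -u

DATA_POOL=${DATA_POOL:-cephfs_data}
ROOT_MOUNT=${ROOT_MOUNT:-/mnt/cephfs}
SUBDIR=${SUBDIR:-/bar}
NAMESPACE=${NAMESPACE:-baz}
CLIENT=${CLIENT:-client.foo}

# Cap strings: the OSD cap is the one John gives ("allow rw pool=foo
# namespace=baz"); the MDS cap matches what `ceph fs authorize` issues.
mds_cap() { printf 'allow rw path=%s' "$1"; }
osd_cap() { printf 'allow rw pool=%s namespace=%s' "$1" "$2"; }

# A file's layout is fixed when it is created, so the namespace has to be
# set while the directory is still empty: objects of files written earlier
# stay in the default namespace, unreadable to the confined key and still
# readable to any key with pool-wide caps.
dir_is_empty() {
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1")" ]
}

# The procedure as shell commands, printed so it can be reviewed (and so
# this file runs without a cluster); CEPH_APPLY=1 executes it.
plan() {
    cat <<EOF
setfattr -n ceph.dir.layout.pool_namespace -v '$NAMESPACE' '$ROOT_MOUNT$SUBDIR'
ceph auth caps '$CLIENT' mds '$(mds_cap "$SUBDIR")' mon 'allow r' osd '$(osd_cap "$DATA_POOL" "$NAMESPACE")'
ceph auth get '$CLIENT'
rados -p '$DATA_POOL' -N '$NAMESPACE' --name '$CLIENT' ls
EOF
}

# Check the text of `ceph auth get <client>`: return 0 only if there is an
# OSD cap and every comma-separated grant in it is scoped to namespace $1.
# A grant without namespace= (what `ceph fs authorize` produced for
# Kenneth) or an "allow *" leaves the whole data pool reachable.
osd_caps_confined() {
    ns=$1
    val=$(printf '%s\n' "$2" | sed -n 's/^[[:space:]]*caps osd = "\(.*\)"$/\1/p')
    [ -n "$val" ] || return 1
    printf '%s\n' "$val" | tr ',' '\n' | while read -r grant; do
        printf '%s\n' "$grant" | grep -qE "namespace=${ns}(\$|[[:space:]])" || exit 1
    done
}

if [ "${CEPH_APPLY:-0}" = 1 ]; then
    dir_is_empty "$ROOT_MOUNT$SUBDIR" || { echo "refusing: $ROOT_MOUNT$SUBDIR is not empty" >&2; exit 1; }
    plan | sh -e
    dump=$(ceph auth get "$CLIENT")
    osd_caps_confined "$NAMESPACE" "$dump" && echo "$CLIENT is confined to namespace $NAMESPACE"
else
    plan
fi
```

Run as-is it only prints the four commands; with CEPH_APPLY=1 it refuses to proceed if /bar already has contents, runs them, and then parses `ceph auth get` to confirm that no OSD grant is left without a namespace. The key point John makes is the ordering: the vxattr must go on before the first file is written, because layouts are inherited at file creation and are not rewritten afterwards.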


[ceph-users] CephFS Client Capabilities questions

2018-03-07 Thread Kenneth Waegeman

Hi all,

I am playing with limiting client access to certain subdirectories of
cephfs running the latest 12.2.4 and the latest CentOS 7.4 kernel, both using
the kernel client and FUSE.


I am following http://docs.ceph.com/docs/luminous/cephfs/client-auth/:

To completely restrict the client to the bar directory, omit the
root directory

ceph fs authorize cephfs client.foo /bar rw

When I mount this directory with fuse, this works. When I try to mount 
the subdirectory directly with the kernel client, I get


mount error 13 = Permission denied

This only seems to work when the root is readable.

--> Is there a way to mount subdirectory with kernel client when parent 
in cephfs is not readable ?



Then I checked the data pool with rados, but I can list/get/.. every 
object in the data pool using the client.foo key.


I saw in the docs of master 
http://docs.ceph.com/docs/master/cephfs/client-auth/ that you can add a 
tag cephfs, but if I add this I can't write anything to cephfs anymore, 
so I guess this is not yet supported in luminous.


--> Is there a way to limit the cephfs user to his data only (through 
cephfs) instead of being able to do everything on the pool, without 
needing a pool for every single cephfs client?




Thanks!!

Kenneth