On Wed, Sep 11, 2024 at 9:21 PM Max Kellermann <max.kellermann@xxxxxxxxx> wrote: > > On Wed, Sep 11, 2024 at 8:04 PM Patrick Donnelly <pdonnell@xxxxxxxxxx> wrote: > > CephFS has many components that are cooperatively maintained by the > > MDS **and** the clients; i.e. the clients are trusted to follow the > > protocols and restrictions in the file system. For example, > > capabilities grant a client read/write permissions on an inode but a > > client could easily just open any file and write to it at will. There > > is no barrier preventing that misbehavior. > > To me, that sounds like you confirm my assumption on how Ceph works - > both file permissions and quotas. As a superuser (CAP_DAC_OVERRIDE), I > can write arbitrary files, and just as well CAP_SYS_RESOURCE should > allow me to exceed quotas - that's how both capabilities are > documented. Hi Max, I think Patrick is actually saying the reverse: having root or other _local_ user privileges on a particular node shouldn't subvert the CephFS caps system because there might be many other users involved. If you have a CephFS client that hasn't been tampered with, coming in with CAP_DAC_OVERRIDE wouldn't allow you to write to an arbitrary file directly or even buffer data for that file in memory unless the MDS grants the cap/permission. However a rigged CephFS client could absolutely do that. It could ignore those parts of the MDS protocol or bypass the MDS entirely and interact only with OSDs. The only thing that could stand in the way of a client like that is CephX, which is where I believe the suggestion to implement the quota override as a new CephX cap is coming from. If a particular user is to be allowed to go loose, the system needs to have a record of that. Thanks, Ilya