On Wed, Feb 18, 2015 at 1:58 PM, Florian Haas <florian@xxxxxxxxxxx> wrote: > On Wed, Feb 18, 2015 at 10:28 PM, Oliver Schulz <oschulz@xxxxxxxxxx> wrote: >> Dear Ceph Experts, >> >> is it possible to define a Ceph user/key with privileges >> that allow for read-only CephFS access but do not allow >> write or other modifications to the Ceph cluster? > > Warning, read this to the end, don't blindly do as I say. :) > > All you should need to do is define a CephX identity that has only r > capabilities on the data pool (assuming you're using a default > configuration where your CephFS uses the data and metadata pools): > > sudo ceph auth get-or-create client.readonly mds 'allow' osd 'allow r > pool=data' mon 'allow r' > > That identity should then be able to mount the filesystem but not > write any data (use "ceph-fuse -n client.readonly" or "mount -t ceph > -o name=readonly") > > That said, just touching files or creating them is only a metadata > operation that doesn't change anything in the data pool, so I think > that might still be allowed under these circumstances. ...and deletes, unfortunately. :( I don't think this is presently a thing it's possible to do until we get a much better user auth capabilities system into CephFS. > > However, I've just tried the above with ceph-fuse on firefly, and I > was able to mount the filesystem that way and then echo something into > a previously existing file. After unmounting, remounting, and trying > to cat that file, I/O just hangs. It eventually does complete, but > this looks really fishy. This is happening because the CephFS clients don't (can't, really, for all the time we've spent thinking about it) check whether they have read permissions on the underlying pool when buffering writes for a file. I believe if you ran an fsync on the file you'd get an EROFS or similar. Anyway, the client happily buffers up the writes. Depending on how exactly you remount then it might not be able to drop the MDS caps for file access (due to having dirty data it can't get rid of), and those caps have to time out before anybody else can access the file again. So you've found an unpleasant oddity of how the POSIX interfaces map onto this kind of distributed system, but nothing unexpected. :) -Greg _______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
 |