Hi,

Gregory Farnum wrote:

>> 1. Can you confirm to me that currently it's impossible to restrict the read
>> and write access of a ceph account to a specific directory of a cephfs?
>
> It's sadly impossible to restrict access to the filesystem hierarchy
> at this time, yes. By making use of the file layouts and assigning
> each user their own pool you can restrict access to the actual file
> data.

In fact, according to my test and with the valuable help of John Spray in IRC (thanks to him), it seems that the file-layouts feature can't protect a cephfs directory against deletion by a specific ceph account.

I'll try to be more precise. On a client node, if I mount the cephfs with a specific ceph account, with the file-layouts feature it's possible to configure a cephfs directory so that "root" (on the node) will not be able to *read* or *modify* the files contained in the directory, but "root" will always be able to *remove* the files, because "root" will always have the capability "to send unlink operations to the MDS and the MDS will purge the files" (I take the liberty of quoting John Spray from IRC ;) and I have indeed noticed this behaviour).

>> 2. Is it planned to implement such a feature in a next release of Ceph?
>
> There are a couple students working on these features this summer, and
> many discussions amongst the core team about how to enable secure
> multi-tenancy in CephFS.

Ok, cool. I'm ready to test this feature with pleasure when it is released (I have a feeling I'll run into bugs by accident ;)).

> Just the file layout/multiple-pool one, right now. Or you could do
> something like set up an NFS export that each user mounts of the
> CephFS, but then you lose all the CephFS goodness on the clients...

Ok, I see. Many thanks Greg for your answer.

--
François Lafont

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
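The per-tenant pool setup Greg describes, and the unlink gap François observed, scripted as an added example. This is not code from the thread or from the Ceph project. The tenant names (alice, bob), pool names (cephfs_alice, cephfs_bob), file system name, mount point and the CEPH_DRY_RUN switch are assumptions of this example; command names follow current Ceph releases (older releases spelled the pool attachment `ceph mds add_data_pool <pool>`). In dry-run mode, the default, every privileged command is printed instead of executed, so the procedure can be read and checked without a cluster.

```shell
#!/bin/sh
# Added example, not part of the ceph-users thread and not Ceph project code.
# Scripts the approach from the thread: one RADOS data pool per tenant, a cephx
# client whose OSD cap is limited to that pool, and a directory whose file
# layout points at the pool. Names and CEPH_DRY_RUN are assumptions.

FS_NAME=${FS_NAME:-cephfs}          # assumed file system name
MNT=${MNT:-/mnt/cephfs}             # assumed client mount point

# In dry-run mode (CEPH_DRY_RUN=1, the default) print the command with
# shell quoting preserved; otherwise execute it.
run() {
  if [ "${CEPH_DRY_RUN:-1}" = "1" ]; then
    for a in "$@"; do
      case $a in
        *[!A-Za-z0-9_./=:,-]*) printf "'%s' " "$a" ;;
        *) printf '%s ' "$a" ;;
      esac
    done
    printf '\n'
  else
    "$@"
  fi
}

# cephx OSD cap string that limits a client to a single RADOS pool.
tenant_osd_caps() {
  printf 'allow rw pool=%s' "$1"
}

# Create the tenant's data pool, attach it to the file system and create a
# client key whose OSD access is limited to that pool. The MDS cap is a plain
# 'allow rw': at the time of the thread it cannot be scoped to a path, which
# is exactly why metadata operations such as unlink stay possible.
create_tenant() {
  tenant=$1
  pool=$2
  run ceph osd pool create "$pool" 64
  run ceph fs add_data_pool "$FS_NAME" "$pool"
  run ceph auth get-or-create "client.$tenant" \
      mon 'allow r' mds 'allow rw' osd "$(tenant_osd_caps "$pool")"
}

# Point a directory's file layout at the tenant's pool. Only files created
# after this is set land in that pool; existing files keep their old layout.
pin_directory() {
  dir=$1
  pool=$2
  run mkdir -p "$dir"
  run setfattr -n ceph.dir.layout.pool -v "$pool" "$dir"
}

# Reproduce the limitation described in the thread. On a mount authenticated
# as a different tenant, reading a file in the pinned directory is refused
# (its data sits in a pool that client's OSD cap does not cover), but rm still
# succeeds, because unlink is an MDS operation and the MDS cap is 'allow rw'.
demo_unlink_limit() {
  file=$1
  run cat "$file" || echo "read refused, as expected"   # data pool denied
  run rm -f "$file"                                     # unlink still allowed
}

provision_two_tenants() {
  create_tenant alice cephfs_alice
  create_tenant bob   cephfs_bob
  pin_directory "$MNT/alice" cephfs_alice
  pin_directory "$MNT/bob"   cephfs_bob
}

provision_two_tenants
# Run this part on a client mounted as bob, e.g.
#   mount -t ceph mon:/ /mnt/cephfs -o name=bob,secretfile=/etc/ceph/bob.secret
demo_unlink_limit "$MNT/alice/secret.txt"
```

Set CEPH_DRY_RUN=0 to run the commands for real; the provisioning half needs admin credentials, the demo half a client mounted with the other tenant's key. Note that the layout pool only restricts the file data: directory listings, renames and unlinks remain available to any client whose MDS cap is 'allow rw', which is the gap the thread is about. Later Ceph releases (from Jewel on) added path-scoped MDS caps of the form `mds 'allow rw path=/alice'` to close it; on the release discussed in the thread that option does not exist.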