> On Sep 2, 2015, at 16:44, Gregory Farnum <gfarnum@xxxxxxxxxx> wrote:
>
> On Tue, Sep 1, 2015 at 9:20 PM, Erming Pei <erming@xxxxxxxxxxx> wrote:
>> Hi,
>>
>> I tried to set up a read-only permission for a client, but it always looks
>> writable.
>>
>> I did the following:
>>
>> ==Server end==
>>
>> [client.cephfs_data_ro]
>> key = AQxxxxxxxxxx==
>> caps mon = "allow r"
>> caps osd = "allow r pool=cephfs_data, allow r pool=cephfs_metadata"
>
> The clients don't directly access the metadata pool at all, so you
> don't need to grant that. :) And I presume you have an MDS cap in
> there as well?
>
>> ==Client end==
>> mount -v -t ceph hostname.domainname:6789:/ /cephfs -o
>> name=cephfs_data_ro,secret=AQxxxxxxxxxx==
>>
>> But I still can touch, delete, overwrite.
>>
>> I read that touch/delete could be only metadata operations, but why can I
>> still overwrite?
>>
>> Is there any way I could test/check the data pool (instead of metadata) to
>> see if there is any effect on it?
>
> What you're seeing here is an unfortunate artifact of the page cache
> and the way these user capabilities work in Ceph. As you surmise,
> touch/delete are metadata operations through the MDS, and in current
> code you can't block the client off from that (although we have work
> in progress to improve things). I think you'll find that the data
> you've overwritten isn't really written to the OSDs — you wrote it in
> the local page cache, but the OSDs will reject the writes with EPERM.
> I don't remember the kernel's exact behavior here though — we updated
> the userspace client to preemptively check access permissions on new
> pools, but I don't think the kernel ever got that. Zheng?

4.2 and later kernels include that.

Yan, Zheng

> -Greg

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
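A way to check what Erming asked about (whether the data pool itself was touched) and to see the EPERM behaviour Greg describes without the page cache in the way, as an added shell example that is not from the thread. The client, pool and mount names are the ones in the thread; the probe file path, the RUN_CEPH_CHECK switch and running the ceph/rados commands as an admin are assumptions.

```shell
#!/bin/sh
# Added example, not from the ceph-users thread. Assumes an admin node that
# can run ceph/rados and has the client mounted at /cephfs.
CLIENT=client.cephfs_data_ro
DATA_POOL=cephfs_data
MNT=/cephfs

# Name of the CephFS data object holding byte OFFSET of inode INO.
# CephFS names file data objects "<inode hex>.<object index, 8 hex digits>",
# where the index is offset / object_size (default layout: 4 MiB objects).
cephfs_object_name() {
    ino=$1; offset=$2; objsize=${3:-4194304}
    printf '%x.%08x\n' "$ino" $((offset / objsize))
}

# Create the read-only client as Greg describes: no cap on the metadata
# pool, but an MDS cap so the client can talk to the MDS at all.
# (Fails if the client already exists with different caps.)
create_ro_client() {
    ceph auth get-or-create "$CLIENT" \
        mon 'allow r' mds 'allow r' osd "allow r pool=$DATA_POOL"
}

# Write with O_DIRECT so the page cache cannot mask the OSD's answer.
# The create itself still succeeds (it is an MDS operation), but the data
# write should fail with EPERM for a correctly restricted client.
try_direct_write() {
    f=$MNT/ro_probe
    if dd if=/dev/zero of="$f" bs=4k count=1 oflag=direct 2>/dev/null; then
        echo "direct write succeeded: client is NOT read-only on $DATA_POOL"
        return 1
    fi
    echo "direct write rejected (expected for a read-only client)"
}

# Look at the data pool itself: does the first object of an existing file
# exist, and when was it last modified?  Run as admin, not as the RO client.
check_object_in_pool() {
    f=$1
    obj=$(cephfs_object_name "$(stat -c %i "$f")" 0)
    rados -p "$DATA_POOL" stat "$obj"
}

if [ -n "${RUN_CEPH_CHECK:-}" ]; then
    create_ro_client
    try_direct_write
    check_object_in_pool "$MNT/somefile"
fi
```

Run it with RUN_CEPH_CHECK=1 on the admin node; the object-name helper also lets you compare `rados stat` mtime before and after an "overwrite" from the restricted client.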