On Fri, Aug 12, 2016 at 9:35 PM, Matthew Walster <matthew@xxxxxxxxxxx> wrote:
> I've been following Ceph (and in particular CephFS) for some time now, and
> glad to see it coming on in leaps and bounds!
>
> I've been running a small OpenAFS Cell for a while now, and it's really
> starting to show its age. I thought I'd ask whether anyone's considered
> CephFS for a similar role?
>
> As I understand it, Ceph authentication/authorization is very coarse (i.e.
> granularity down to the mount point level only) and doesn't operate any form
> of encryption between client and server, so I was wondering whether anyone
> was using a form of intermediary proxy to provide these semantics to the end
> user?

I haven't heard of anybody doing much with this *yet*. Do note that you can do a little better than mount point; we provide server-side checking of UIDs and GIDs now — although I suddenly see it doesn't seem to be documented at http://docs.ceph.com/docs/master/cephfs/client-auth/#path-restriction. Just use an "allow uid <number>, allow gids <a> <b> <c>" bit like it shows with paths.

We're doing sporadic spurts on enabling CephFS to work nicely through an NFS Ganesha export as well, since that's our long-term model for supporting OpenStack Manila. We've found a few problems around anonymous users and things that are being worked on as well.
-Greg

>
> I was thinking perhaps of a WebDAV gateway (via radosgw or cephfs, and https
> via davfs2 for the client side) or NFSv4 (via cephfs... but obviously then
> you have to generate keytabs for the client machines, which I don't have to
> do for AFS at present) or whether this is just something that isn't anywhere
> near the front of mind for developers/users yet?
>
> I realise this is not the current intended use cases, but I'm interested in
> people's opinions, and whether anyone implements such a scheme today.
>
> Many thanks in advance,
>
> Matthew Walster
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
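
An added example, not code from this thread or from the Ceph project: a Python audit of MDS capability strings that flags grants no finer than the mount-point-level control discussed above, i.e. lacking a path restriction or a server-side UID check on writable grants. It assumes the `allow <mode> path=... uid=... gids=...` key=value form of MDS caps and handles only the `r`, `rw` and `*` modes; the client names and cap strings are constructed samples.

```python
import re

# Constructed samples (client name -> MDS cap string); not taken from the thread.
SAMPLE_MDS_CAPS = {
    "client.admin": "allow *",
    "client.alice": "allow rw path=/home/alice uid=1001 gids=1001,2000",
    "client.build": "allow r, allow rw path=/scratch",
    "client.web": "allow rw path=/srv/www uid=33",
}

# Assumed grant form: allow <r|rw|*> [path=<p>] [uid=<n> [gids=<a>,<b>,...]]
GRANT_RE = re.compile(
    r"allow\s+(?P<mode>\*|rw|r)"
    r"(?:\s+path=(?P<path>\S+))?"
    r"(?:\s+uid=(?P<uid>\d+)(?:\s+gids=(?P<gids>\d+(?:,\d+)*))?)?"
)


def parse_mds_caps(caps):
    """Return one dict per grant; raise ValueError on an unrecognised grant."""
    grants = []
    # Grants are comma-separated, but so are gids: split only before "allow".
    for part in re.split(r"\s*,\s*(?=allow\b)", caps.strip()):
        match = GRANT_RE.fullmatch(part)
        if match is None:
            raise ValueError(f"unrecognised MDS grant: {part!r}")
        grants.append(match.groupdict())
    return grants


def audit(caps):
    """Return sorted findings for grants coarser than path plus uid checks."""
    findings = set()
    for grant in parse_mds_caps(caps):
        if grant["path"] in (None, "/"):
            findings.add("no path restriction")
        if grant["mode"] != "r" and grant["uid"] is None:
            findings.add("write without uid restriction")
    return sorted(findings)


if __name__ == "__main__":
    for client, caps in SAMPLE_MDS_CAPS.items():
        print(f"{client}: {audit(caps) or 'ok'}")
```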