On Wed, Jan 11, 2017 at 11:39 AM, Boris Mattijssen <b.mattijssen@xxxxxxxxxxxxx> wrote:
> Hi Burkhard,
>
> Thanks for your answer. I've tried two things now:
> * ceph auth get-or-create client.boris mon 'allow r' mds 'allow r path=/,
>   allow rw path=/boris' osd 'allow rw pool=cephfs_data'. This is according to
>   your suggestion. I am however now still able to mount the root path and read
>   all containing subdirectories.
> * ceph auth get-or-create client.boris mon 'allow r' mds 'allow rw
>   path=/boris' osd 'allow rw pool=cephfs_data'. So now I disallowed reading
>   the root at all. I am however now not able to mount the fs (even when using
>   the -r /boris flag).

The second one is correct, but some older clients (notably the kernel
client before it was fixed in 4.x recently) don't work properly with it --
the older client code always tries to read the root inode, so fails to
mount if it can't access it.

John

> So to make it clear, I want to limit a given client (boris in this case) to
> only read and write to a given subdirectory of the root (/boris in this
> case).
>
> Thanks,
> Boris
>
> On Wed, Jan 11, 2017 at 11:30 AM Burkhard Linke
> <Burkhard.Linke@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> Hi,
>>
>> On 01/11/2017 11:02 AM, Boris Mattijssen wrote:
>>
>> Hi all,
>>
>> I'm trying to use path restriction on CephFS, running a Ceph Jewel (ceph
>> version 10.2.5) cluster.
>> For this I'm using the command specified in the official docs
>> (http://docs.ceph.com/docs/jewel/cephfs/client-auth/):
>> ceph auth get-or-create client.boris mon 'allow r' mds 'allow r, allow rw
>> path=/boris' osd 'allow rw pool=cephfs_data'
>>
>> When I mount the fs with the boris user and the generated secret I can still
>> see all files in the fs (not just the files in /boris).
>> I am restricted from writing to anything but /boris, so the problem is that I
>> can still read anything outside of /boris.
>>
>> Can someone please clarify what's going on?
>>
>> As far as I understand the mds caps, mds 'allow r' allows read-only access
>> to all files; 'allow rw path=/boris' restricts write access to the given
>> path. So your observations reflect the given permissions.
>>
>> You can configure ceph-fuse and kcephfs to use a given directory as 'root'
>> directory of the mount point (e.g. ceph-fuse -r /boris). But I'm not sure
>> whether
>>
>> - you need access to the root directory to mount with the -r option
>> - you can restrict the read-only access to the root directory without sub
>>   directories
>>   (e.g. 'allow r path=/, allow rw path=/boris' to allow mounting a sub
>>   directory only)
>>
>> Unfortunately the -r option is a client side option, so you have to trust
>> your clients.
>>
>> Regards,
>> Burkhard
>
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
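Working through the three MDS cap strings from this thread with a small model of how path grants combine, as an added example that is not part of the thread and not Ceph's own code. It assumes, from the thread and the Jewel client-auth docs, that each `allow` clause grants its permissions to its `path=` and everything beneath it (defaulting to `/`), that clauses are unioned, and, following John's description, that an older kernel client needs read access to `/` to mount at all. The function names, the `Grant` type and the sample path list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Cap strings taken from the thread: the docs example, Boris's first
# attempt (read on /), and the second attempt that John confirms is right.
MDS_CAPS_DOCS = "allow r, allow rw path=/boris"
MDS_CAPS_ROOT_R = "allow r path=/, allow rw path=/boris"
MDS_CAPS_SUBDIR_ONLY = "allow rw path=/boris"


@dataclass(frozen=True)
class Grant:
    perms: str  # subset of "rw"
    path: str   # normalised; "/" when the clause has no path= qualifier


def normalise(path: str) -> str:
    """Collapse a path to '/a/b' form so prefix checks cannot be fooled."""
    return "/" + "/".join(p for p in path.split("/") if p)


def parse_mds_caps(caps: str) -> List[Grant]:
    """Parse an MDS cap string such as "allow r path=/, allow rw path=/boris".

    Only the r/w bits and the path= qualifier are modelled (assumption: the
    other MDS cap features are not needed to reproduce the thread).
    """
    grants = []
    for clause in caps.split(","):
        m = re.fullmatch(r"allow\s+([rw]+)(?:\s+path=(\S+))?", clause.strip())
        if not m:
            raise ValueError(f"unrecognised MDS cap clause: {clause.strip()!r}")
        grants.append(Grant(m.group(1), normalise(m.group(2) or "/")))
    return grants


def grant_covers(grant_path: str, target: str) -> bool:
    """A grant on /boris covers /boris and /boris/..., but not /borisx."""
    return grant_path == "/" or target == grant_path or target.startswith(grant_path + "/")


def allowed(grants: List[Grant], target: str, want: str) -> bool:
    """True if any grant gives permission `want` ('r' or 'w') on `target`."""
    target = normalise(target)
    return any(want in g.perms and grant_covers(g.path, target) for g in grants)


def old_client_can_mount(grants: List[Grant]) -> bool:
    """Model of John's point: the pre-fix kernel client reads the root inode."""
    return allowed(grants, "/", "r")


def access_report(caps: str, paths: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each path to (readable, writable) under the given cap string."""
    grants = parse_mds_caps(caps)
    return {p: (allowed(grants, p, "r"), allowed(grants, p, "w")) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths: the root, the intended subtree, a sibling
    # subtree that must stay invisible, and a name sharing only a prefix.
    sample = ["/", "/boris/report.txt", "/alice/secret.txt", "/borisx"]
    for name, caps in [("docs", MDS_CAPS_DOCS),
                       ("root r", MDS_CAPS_ROOT_R),
                       ("subdir only", MDS_CAPS_SUBDIR_ONLY)]:
        print(f"{name}: {caps}")
        for p, (r, w) in access_report(caps, sample).items():
            print(f"  {p:<20} read={r!s:<5} write={w}")
        print(f"  old kernel client mounts: {old_client_can_mount(parse_mds_caps(caps))}")
```

Running it shows the trade-off the thread describes: both the docs string and `allow r path=/` leave `/alice/secret.txt` readable, because a read grant on `/` reaches every subtree; only `allow rw path=/boris` confines the client to `/boris`, at the cost of the root inode being unreadable, which is exactly what the older kernel client trips over.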