Re: CephFS Path Restriction, can still read all files

Ah right, I was using the kernel client on kernel 3.x
Thanks for the answer. I'll try updating tomorrow and will let you know if it works!

Cheers,
Boris

On Wed, Jan 11, 2017 at 1:03 PM John Spray <jspray@xxxxxxxxxx> wrote:
On Wed, Jan 11, 2017 at 11:39 AM, Boris Mattijssen
<b.mattijssen@xxxxxxxxxxxxx> wrote:
> Hi Brukhard,
>
> Thanks for your answer. I've tried two things now:
> * ceph auth get-or-create client.boris mon 'allow r' mds 'allow r path=/,
> allow rw path=/boris' osd 'allow rw pool=cephfs_data'. This is according to
> your suggestion. I am however now still able to mount the root path and read
> all containing subdirectories.
> * ceph auth get-or-create client.boris mon 'allow r' mds 'allow rw
> path=/boris' osd 'allow rw pool=cephfs_data'. So now I disallowed reading
> the root at all. I am however now not able to mount the fs (even when using
> the -r /boris) flag.

The second one is correct, but some older clients (notably the kernel
client before it was fixed in 4.x recently) don't work properly with
it -- the older client code always tries to read the root inode, so
fails to mount if it can't access it.

John

>
> So to make it clear, I want to limit a given client (boris in this case) to
> only read and write to a given subdirectory of the root (/boris in this
> case).
>
> Thanks,
> Boris
>
> On Wed, Jan 11, 2017 at 11:30 AM Burkhard Linke
> <Burkhard.Linke@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> Hi,
>>
>>
>> On 01/11/2017 11:02 AM, Boris Mattijssen wrote:
>>
>> Hi all,
>>
>> I'm trying to use path restriction on CephFS, running a Ceph Jewel (ceph
>> version 10.2.5) cluster.
>> For this I'm using the command specified in the official docs
>> (http://docs.ceph.com/docs/jewel/cephfs/client-auth/):
>> ceph auth get-or-create client.boris mon 'allow r' mds 'allow r, allow rw
>> path=/boris' osd 'allow rw pool=cephfs_data'
>>
>> When I mount the fs with boris user and the generated secret I can still
>> see all files in the fs (not just the files in /boris).
>> I am restricted to write to anything but /boris, so the problem is that I
>> can still read anything outside of /boris.
>>
>> Can someone please clarify what's going on?
>>
>>
>> As far as I understand the mds caps, mds 'allow r' allows read-only access
>> to all files; 'allow rw path=/boris' restricts write access to the given
>> path. So your observations reflect the given permissions.
>>
>> You can configure ceph-fuse and kcephfs to use a given directory as 'root'
>> directory of the mount point (e.g. ceph-fuse -r /boris). But I'm not sure
>> whether
>>
>> - you need access to the root directory to mount with -r option
>> - you can restrict the read-only access to the root directory without sub
>> directories
>>   (e.g. 'allow r path=/, allow rw path=/boris' to allow mounting a sub
>> directory only)
>>
>> Unfortunately the -r option is a client side option, so you have to trust
>> your clients.
>>
>> Regards,
>> Burkhard
>> _______________________________________________
>> ceph-users mailing list
>> ceph-users@xxxxxxxxxxxxxx
>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
>
>
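To make the three cap strings from this thread easy to compare, here is an added example (written for this page, not Ceph's own code) that models how MDS caps are evaluated: a cap string is a comma-separated list of "allow <perms> [path=<p>]" grants and an operation is permitted when at least one grant covers it. It assumes that an unqualified grant or `path=/` covers the whole filesystem, and it ignores uid/gid qualifiers, which the thread does not use.

```python
# Added example: a model of CephFS MDS cap evaluation for the cap strings
# discussed in the thread. Assumption: a grant without path=, or with path=/,
# covers every path; otherwise it covers the path and everything below it.
import posixpath
import re
from typing import List, NamedTuple, Optional

# perms are r/w (plus p/s for layout and snapshot caps); uid=/gids= are not modelled
GRANT_RE = re.compile(r"allow\s+([rwps]+)(?:\s+path=(\S+))?")


class Grant(NamedTuple):
    perms: str
    path: Optional[str]  # None means the grant is not restricted to a subtree


def parse_mds_caps(capstr: str) -> List[Grant]:
    """Parse an MDS cap string such as 'allow r, allow rw path=/boris'."""
    grants = []
    for clause in capstr.split(","):
        m = GRANT_RE.fullmatch(clause.strip())
        if not m:
            raise ValueError(f"unparseable cap clause: {clause!r}")
        perms, path = m.groups()
        grants.append(Grant(perms, posixpath.normpath(path) if path else None))
    return grants


def _covers(grant_path: Optional[str], path: str) -> bool:
    if grant_path is None or grant_path == "/":
        return True
    path = posixpath.normpath(path)
    return path == grant_path or path.startswith(grant_path + "/")


def mds_allows(capstr: str, path: str, op: str) -> bool:
    """op is 'r' or 'w'; True if any grant in capstr permits it on path."""
    return any(op in g.perms and _covers(g.path, path)
               for g in parse_mds_caps(capstr))


# The three cap strings from the thread (docs example, first suggestion, final one).
DOCS_CAPS = "allow r, allow rw path=/boris"
ROOT_READ_CAPS = "allow r path=/, allow rw path=/boris"
STRICT_CAPS = "allow rw path=/boris"
```

With `STRICT_CAPS`, `mds_allows(STRICT_CAPS, "/", "r")` is False, which is exactly why a client that insists on reading the root inode at mount time fails.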
