On Thu, Jan 12, 2017 at 9:27 AM, Boris Mattijssen <b.mattijssen@xxxxxxxxxxxxx> wrote:
> John,
>
> Do you know which kernel version I need? It seems to be not working with 4.8.15 on coreos (4.8.15-coreos) (I also tested on 4.7.3).
> I can confirm that it works using the ceph-fuse client, but I need the kernel client to work since I want to mount using Kubernetes ;)

The ticket (links to commits) was:
http://tracker.ceph.com/issues/17191

Looks like it's in 4.9.

John

>
> Btw, this is the error I get:
> mount: x.x.x.x:6789:/boris is write-protected, mounting read-only
> mount: cannot mount x.x.x.x:6789:/boris read-only
>
> Thanks,
> Boris
>
> On Wed, Jan 11, 2017 at 3:05 PM Boris Mattijssen <b.mattijssen@xxxxxxxxxxxxx> wrote:
>>
>> Ah right, I was using the kernel client on kernel 3.x
>> Thanks for the answer. I'll try updating tomorrow and will let you know if it works!
>>
>> Cheers,
>> Boris
>>
>>
>> On Wed, Jan 11, 2017 at 1:03 PM John Spray <jspray@xxxxxxxxxx> wrote:
>>>
>>> On Wed, Jan 11, 2017 at 11:39 AM, Boris Mattijssen <b.mattijssen@xxxxxxxxxxxxx> wrote:
>>> > Hi Burkhard,
>>> >
>>> > Thanks for your answer. I've tried two things now:
>>> > * ceph auth get-or-create client.boris mon 'allow r' mds 'allow r path=/, allow rw path=/boris' osd 'allow rw pool=cephfs_data'. This is according to your suggestion. I am however now still able to mount the root path and read all containing subdirectories.
>>> > * ceph auth get-or-create client.boris mon 'allow r' mds 'allow rw path=/boris' osd 'allow rw pool=cephfs_data'. So now I disallowed reading the root at all. I am however now not able to mount the fs (even when using the -r /boris flag).
>>>
>>> The second one is correct, but some older clients (notably the kernel client before it was fixed in 4.x recently) don't work properly with it -- the older client code always tries to read the root inode, so fails to mount if it can't access it.
>>>
>>> John
>>>
>>> >
>>> > So to make it clear, I want to limit a given client (boris in this case) to only read and write to a given subdirectory of the root (/boris in this case).
>>> >
>>> > Thanks,
>>> > Boris
>>> >
>>> > On Wed, Jan 11, 2017 at 11:30 AM Burkhard Linke <Burkhard.Linke@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>> >>
>>> >> Hi,
>>> >>
>>> >> On 01/11/2017 11:02 AM, Boris Mattijssen wrote:
>>> >>
>>> >> Hi all,
>>> >>
>>> >> I'm trying to use path restriction on CephFS, running a Ceph Jewel (ceph version 10.2.5) cluster.
>>> >> For this I'm using the command specified in the official docs (http://docs.ceph.com/docs/jewel/cephfs/client-auth/):
>>> >> ceph auth get-or-create client.boris mon 'allow r' mds 'allow r, allow rw path=/boris' osd 'allow rw pool=cephfs_data'
>>> >>
>>> >> When I mount the fs with boris user and the generated secret I can still see all files in the fs (not just the files in /boris).
>>> >> I am restricted to write to anything but /boris, so the problem is that I can still read anything outside of /boris.
>>> >>
>>> >> Can someone please clarify what's going on?
>>> >>
>>> >> As far as I understand the mds caps, mds 'allow r' allows read-only access to all files; 'allow rw path=/boris' restricts write access to the given path. So your observations reflect the given permissions.
>>> >>
>>> >> You can configure ceph-fuse and kcephfs to use a given directory as 'root' directory of the mount point (e.g. ceph-fuse -r /boris). But I'm not sure whether
>>> >>
>>> >> - you need access to the root directory to mount with -r option
>>> >> - you can restrict the read-only access to the root directory without sub directories (e.g. 'allow r path=/, allow rw path=/boris' to allow mounting a sub directory only)
>>> >>
>>> >> Unfortunately the -r option is a client side option, so you have to trust your clients.
>>> >>
>>> >> Regards,
>>> >> Burkhard
>>> >> _______________________________________________
>>> >> ceph-users mailing list
>>> >> ceph-users@xxxxxxxxxxxxxx
>>> >> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
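The three mds cap variants tried in this thread differ only in whether a read grant covers the root, which is easy to misjudge by eye. Below is a small cap-string audit, added here as an example and not code from the thread or from Ceph itself; it assumes the cap grammar is the subset used above (comma-separated "allow <perms> [path=<dir>]" clauses) and that a path grant covers that directory and everything beneath it.

```python
import re
from typing import List, NamedTuple, Optional

# Assumed cap grammar (the subset used in the thread): comma-separated
# clauses of the form "allow <perms> [path=<dir>]".
_CLAUSE_RE = re.compile(r"^allow\s+(?P<perms>[rwps]+)(?:\s+path=(?P<path>\S+))?$")

class MdsGrant(NamedTuple):
    perms: str            # e.g. "r" or "rw"
    path: Optional[str]   # None: the grant is not path-restricted

def parse_mds_caps(capstr: str) -> List[MdsGrant]:
    """Parse the value of an 'mds' cap, e.g. "allow r, allow rw path=/boris"."""
    grants = []
    for clause in capstr.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unrecognised mds cap clause: {clause.strip()!r}")
        grants.append(MdsGrant(m.group("perms"), m.group("path")))
    return grants

def _covers(grant_path: Optional[str], path: str) -> bool:
    """No path (or path=/) covers the whole tree; otherwise the named
    directory and everything below it (assumed subtree semantics)."""
    if grant_path is None or grant_path == "/":
        return True
    base = grant_path.rstrip("/")
    return path == base or path.startswith(base + "/")

def allowed(grants: List[MdsGrant], path: str, perm: str) -> bool:
    """True if some grant gives permission `perm` ('r' or 'w') on `path`."""
    return any(perm in g.perms and _covers(g.path, path) for g in grants)

def audit(mds_caps: str, subtree: str) -> dict:
    """What can a client meant to be confined to `subtree` actually reach?
    root_readable=True is the over-broad outcome seen with 'allow r, ...'."""
    grants = parse_mds_caps(mds_caps)
    return {
        "root_readable": allowed(grants, "/", "r"),
        "subtree_readable": allowed(grants, subtree, "r"),
        "subtree_writable": allowed(grants, subtree, "w"),
    }

if __name__ == "__main__":
    for caps in ("allow r, allow rw path=/boris",
                 "allow r path=/, allow rw path=/boris",
                 "allow rw path=/boris"):
        print(f"{caps!r:42} -> {audit(caps, '/boris')}")
```

Only the last variant reports root_readable=False, which matches the thread: it is the correct restriction, but a kernel client that insists on reading the root inode will refuse to mount with it.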