Maybe this will get you started with the permissions for only this fs path /smb sudo ceph auth get-or-create client.cephfs.smb mon 'allow r' mds 'allow r, allow rw path=/smb' osd 'allow rwx pool=fs_meta,allow rwx pool=fs_data' -----Original Message----- From: Yoann Moulin [mailto:yoann.moulin@xxxxxxx] Sent: vrijdag 29 september 2017 9:36 To: ceph-users@xxxxxxxxxxxxxx Subject: Cephfs : security questions? Hello, We are working on a POC with containers (kubernetes) and cephfs (for permanent storage). The main idea is to give to a user access to a subdirectory of the cephfs but be sure he won't be able to access to the rest of the storage. As k8s works, the user will have access to the yml file where the cephfs mount point is defined. He will be able to change the subdirectory mounted inside the container (and set it to /). And inside the container, the user is root… So if even the user doesn't have access to the secret, he will be able to mount the whole cephfs volume with read access. Is there a possibility to have "root_squash" option on cephfs volume for a specific client.user + secret? Is it possible to allow a specific user to mount only /bla and disallow to mount the cephfs root "/"? Or is there another way to do that? Thanks, -- Yoann Moulin EPFL IC-IT _______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com _______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
 |