Re: Cephfs : security questions?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



 
I think that is because of the older kernel client, like mentioned here?
https://www.mail-archive.com/ceph-users@xxxxxxxxxxxxxx/msg39734.html





-----Original Message-----
From: Yoann Moulin [mailto:yoann.moulin@xxxxxxx] 
Sent: vrijdag 29 september 2017 10:00
To: ceph-users
Subject: Re:  Cephfs : security questions?


>> We are working on a POC with containers (kubernetes) and cephfs (for 
>> permanent storage).
>> 
>> The main idea is to give to a user access to a subdirectory of the 
>> cephfs but be sure he won't be able to access to the rest of the 
>> storage. As k8s works, the user will have access to the yml file 
>> where the cephfs mount point is defined. He will be able to change 
>> the subdirectory mounted inside the container (and set it to /). And 
>> inside the container, the user is root…
>> 
>> So if even the user doesn't have access to the secret, he will be 
>> able to mount the whole cephfs volume with read access.
>> 
>> Is there a possibility to have "root_squash" option on cephfs volume 
>> for a specific client.user + secret?
>> 
>> Is it possible to allow a specific user to mount only /bla and 
>> disallow to mount the cephfs root "/"?
>> 
>> Or is there another way to do that?
>
> Maybe this will get you started with the permissions for only this fs 
> path /smb
>
> sudo ceph auth get-or-create client.cephfs.smb mon 'allow r' mds 
> 'allow r, allow rw path=/smb' osd 'allow rwx pool=fs_meta,allow rwx 
> pool=fs_data'

What I currently do is :

mkdir /cephfs/foo
chown nobody:foogrp /cephfs/foo
chmod 770 /cephfs/foo
ceph auth get-or-create client.foo mon "allow r" osd "allow rw 
pool=cephfs_data" mds "allow r, allow rw path=/foo"
ceph fs authorize cephfs client.foo / r /foo rw

so I have this for client.foo

[client.foo]
	key = [secret]
	caps mds = "allow r, allow rw path=/foo"
	caps mon = "allow r"
	caps osd = "allow rw pool=cephfs_data"

With this, the user foo is able to mount the root of the cephfs and read 
everything, of course, he cannot modify but my problem here is he is 
still able to have read access to everything with uid=0.

--
Yoann Moulin
EPFL IC-IT
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com


_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com




[Index of Archives]     [Information on CEPH]     [Linux Filesystem Development]     [Ceph Development]     [Ceph Large]     [Ceph Dev]     [Linux USB Development]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [xfs]


  Powered by Linux