I think that is because of the older kernel client, like mentioned here? https://www.mail-archive.com/ceph-users@xxxxxxxxxxxxxx/msg39734.html -----Original Message----- From: Yoann Moulin [mailto:yoann.moulin@xxxxxxx] Sent: vrijdag 29 september 2017 10:00 To: ceph-users Subject: Re: Cephfs : security questions? >> We are working on a POC with containers (kubernetes) and cephfs (for >> permanent storage). >> >> The main idea is to give to a user access to a subdirectory of the >> cephfs but be sure he won't be able to access to the rest of the >> storage. As k8s works, the user will have access to the yml file >> where the cephfs mount point is defined. He will be able to change >> the subdirectory mounted inside the container (and set it to /). And >> inside the container, the user is root… >> >> So if even the user doesn't have access to the secret, he will be >> able to mount the whole cephfs volume with read access. >> >> Is there a possibility to have "root_squash" option on cephfs volume >> for a specific client.user + secret? >> >> Is it possible to allow a specific user to mount only /bla and >> disallow to mount the cephfs root "/"? >> >> Or is there another way to do that? > > Maybe this will get you started with the permissions for only this fs > path /smb > > sudo ceph auth get-or-create client.cephfs.smb mon 'allow r' mds > 'allow r, allow rw path=/smb' osd 'allow rwx pool=fs_meta,allow rwx > pool=fs_data' What I currently do is : mkdir /cephfs/foo chown nobody:foogrp /cephfs/foo chmod 770 /cephfs/foo ceph auth get-or-create client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow r, allow rw path=/foo" ceph fs authorize cephfs client.foo / r /foo rw so I have this for client.foo [client.foo] key = [secret] caps mds = "allow r, allow rw path=/foo" caps mon = "allow r" caps osd = "allow rw pool=cephfs_data" With this, the user foo is able to mount the root of the cephfs and read everything, of course, he cannot modify but my problem here is he is still able to have read access to everything with uid=0. -- Yoann Moulin EPFL IC-IT _______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com _______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
 |