>>>> We are working on a POC with containers (kubernetes) and cephfs (for
>>>> permanent storage).
>>>>
>>>> The main idea is to give a user access to a subdirectory of the
>>>> cephfs but be sure he won't be able to access the rest of the
>>>> storage. As k8s works, the user will have access to the yml file
>>>> where the cephfs mount point is defined. He will be able to change
>>>> the subdirectory mounted inside the container (and set it to /). And
>>>> inside the container, the user is root...
>>>>
>>>> So even if the user doesn't have access to the secret, he will be
>>>> able to mount the whole cephfs volume with read access.
>>>>
>>>> Is there a possibility to have a "root_squash" option on a cephfs volume
>>>> for a specific client.user + secret?
>>>>
>>>> Is it possible to allow a specific user to mount only /bla and
>>>> disallow mounting the cephfs root "/"?
>>>>
>>>> Or is there another way to do that?
>>>
>>> Maybe this will get you started with the permissions for only this fs
>>> path /smb
>>>
>>> sudo ceph auth get-or-create client.cephfs.smb mon 'allow r' mds
>>> 'allow r, allow rw path=/smb' osd 'allow rwx pool=fs_meta,allow rwx
>>> pool=fs_data'
>>
>> What I currently do is:
>>
>> mkdir /cephfs/foo
>> chown nobody:foogrp /cephfs/foo
>> chmod 770 /cephfs/foo
>> ceph auth get-or-create client.foo mon "allow r" osd "allow rw
>> pool=cephfs_data" mds "allow r, allow rw path=/foo"
>> ceph fs authorize cephfs client.foo / r /foo rw
>>
>> so I have this for client.foo
>>
>> [client.foo]
>>         key = [secret]
>>         caps mds = "allow r, allow rw path=/foo"
>>         caps mon = "allow r"
>>         caps osd = "allow rw pool=cephfs_data"
>>
>> With this, the user foo is able to mount the root of the cephfs and read
>> everything. Of course, he cannot modify, but my problem here is he is
>> still able to have read access to everything with uid=0.
> I think that is because of the older kernel client, like mentioned here?
> https://www.mail-archive.com/ceph-users@xxxxxxxxxxxxxx/msg39734.html

Kernels on the client are 4.4.0-93 and on the ceph nodes 4.4.0-96.

What exactly is an older kernel client? Is 4.4 old?

If I remove "/ r" in the "auth caps" or "fs authorize":

# ceph auth get-or-create client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
Error EINVAL: key for client.foo exists but cap mds does not match

# ceph fs authorize cephfs client.foo /foo rw
Error EINVAL: key for client.foo exists but cap mds does not match

# ceph fs authorize cephfs client.foo / r /foo rw
[client.foo]
        key = [secret]

-- 
Yoann Moulin
EPFL IC-IT

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
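The two MDS cap strings discussed in this thread ("allow r, allow rw path=/foo" versus "allow rw path=/foo") differ in exactly one clause, and that clause is what decides whether client.foo can read the whole tree. The following is an added example, not code from the thread or from the Ceph project: a small Python model of how comma-separated MDS grants of the form `allow <perms> [path=<prefix>]` compose, used to audit a cap string against a set of mount paths. It models only the `path=` option visible in the thread (other Ceph cap options are not modelled), the grant semantics assumed are "any matching clause is sufficient" and "a clause without path= covers every path", and the path lists in `audit()` are constructed for illustration.

```python
"""Model of CephFS MDS path caps as they appear in the thread.

Added example, not from the ceph-users thread or from Ceph itself.
Assumptions (hypothetical model, not Ceph's parser):
  - a cap string is a comma-separated list of clauses
      allow <perms> [path=<prefix>]
  - a clause without path= applies to the whole filesystem
  - a clause with path=<prefix> applies to <prefix> and everything below it
  - a request is allowed if ANY clause covers the path with all needed perms
"""
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# <perms> as seen in the thread: r, w, plus '*' meaning everything.
_CLAUSE_RE = re.compile(r"^\s*allow\s+([rwxp*]+)(?:\s+path=(\S+))?\s*$")


@dataclass(frozen=True)
class MdsGrant:
    perms: str
    path: Optional[str]  # None means "no path= option": whole tree

    def covers(self, target: str) -> bool:
        """True if this grant's path prefix contains `target`."""
        if self.path is None:
            return True
        base = posixpath.normpath(self.path)
        tgt = posixpath.normpath(target)
        # '/foo' must cover '/foo' and '/foo/x' but NOT '/foobar'.
        return tgt == base or tgt.startswith(base.rstrip("/") + "/")

    def grants(self, mode: str) -> bool:
        """True if every permission letter in `mode` is in this grant."""
        return self.perms == "*" or set(mode) <= set(self.perms)


def parse_mds_caps(caps: str) -> List[MdsGrant]:
    """Split an MDS cap string into grants; reject clauses we do not model."""
    grants = []
    for clause in caps.split(","):
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unrecognised MDS cap clause: {clause!r}")
        grants.append(MdsGrant(m.group(1), m.group(2)))
    return grants


def allowed(caps: str, target: str, mode: str) -> bool:
    """Would a client holding `caps` get `mode` ('r', 'w', 'rw') on `target`?"""
    return any(g.covers(target) and g.grants(mode) for g in parse_mds_caps(caps))


def audit(caps: str, subdir: str = "/foo") -> Dict[str, bool]:
    """Check the questions asked in the thread for one cap string.

    The probe paths ('/', subdir, a sibling '/bar', and a same-prefix
    sibling '/foobar') are constructed for the example.
    """
    return {
        "mount_root_read": allowed(caps, "/", "r"),
        "mount_root_write": allowed(caps, "/", "w"),
        "subdir_rw": allowed(caps, subdir, "rw"),
        "subdir_child_rw": allowed(caps, subdir + "/data", "rw"),
        "sibling_read": allowed(caps, "/bar", "r"),
        "prefix_sibling_read": allowed(caps, subdir + "bar", "r"),
    }


# The two cap strings from the thread.
THREAD_CAPS = "allow r, allow rw path=/foo"   # what 'fs authorize ... / r /foo rw' produced
RESTRICTED_CAPS = "allow rw path=/foo"        # the '/ r' clause removed

if __name__ == "__main__":
    for label, caps in (("thread", THREAD_CAPS), ("restricted", RESTRICTED_CAPS)):
        print(f"{label:11s} {caps!r}")
        for check, ok in audit(caps).items():
            print(f"    {check:22s} {'allowed' if ok else 'denied'}")
```

Running the audit shows that with the thread's caps the root is readable (the bare "allow r" clause has no path restriction, so it covers "/"), while with only "allow rw path=/foo" a mount of "/" or of "/bar" is denied and "/foobar" is not treated as being under "/foo". One practical caveat the thread's error messages illustrate: `ceph auth get-or-create` and `ceph fs authorize` refuse to change caps on an existing key; replacing the caps of an existing client is done with `ceph auth caps <entity> mds '...' mon '...' osd '...'`, which overwrites all caps given for that entity.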