Re: Cephfs : security questions?

>>>> The kernel on the client is 4.4.0-93 and on the ceph node it is 4.4.0-96
>>>>
>>>> What exactly is an older kernel client? Is 4.4 old?
>>>
>>> See
>>> http://docs.ceph.com/docs/master/cephfs/best-practices/#which-kernel-version
>>>
>>> If you're on Ubuntu Xenial I would advise using
>>> "linux-generic-hwe-16.04". It currently gives you a 4.10.0-* kernel.
>>
>> OK, but I still cannot set caps without read access to "/" on the cephfs volume. Is there something else I must do?
>>
>> # ceph auth get-or-create client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
>> Error EINVAL: key for client.foo exists but cap mds does not match
>>
>> # ceph fs authorize cephfs client.foo /foo rw
>> Error EINVAL: key for client.foo exists but cap mds does not match
> 
> Use "ceph auth list" to check the current caps for the client. With ceph
> auth caps (note, _not_ get-or-create) you can update the caps:
> 
> ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
> 
> The command should return "updated caps for client.foo"

Oops, you're right, I must use "ceph auth caps" and not "ceph auth get-or-create".

So finally I did this:

# ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
updated caps for client.foo

# ceph fs authorize cephfs client.foo /foo rw
[client.foo]
	key = [snip]

On the client:

# uname -a
Linux ntxvm006 4.10.0-33-generic #37~16.04.1-Ubuntu SMP Fri Aug 11 14:07:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

# mount.ceph iccluster041,iccluster042,iccluster054:/ /mnt -v -o name=foo,secret=[snip]
parsing options: name=foo,secret=[snip]
mount error 13 = Permission denied

# mount.ceph iccluster041,iccluster042,iccluster054:/foo /mnt -v -o name=foo,secret=[snip]
parsing options: name=foo,secret=[snip]

# df /mnt
Filesystem                                1K-blocks     Used   Available Use% Mounted on
10.90.38.17,10.90.38.18,10.90.39.5:/foo 70324469760 26267648 70298202112   1% /mnt

It seems to work as I want.

Thanks a lot!

Cheers,

-- 
Yoann Moulin
EPFL IC-IT
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
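
A defender-side check for the result reached in this thread, as an added example that is not part of the original message or of Ceph itself: it parses keyring-format text, as "ceph auth get" prints it, and reports clients whose MDS or OSD caps reach beyond one directory and one data pool. The sample keyring, the client.bar entity and all function names are constructed for illustration.

```python
import re

# Constructed sample in the keyring format that "ceph auth get" prints.
# Keys are placeholders; client.bar is a hypothetical, over-broad client.
SAMPLE_KEYRING = """\
[client.foo]
    key = PLACEHOLDER-FOO
    caps mds = "allow rw path=/foo"
    caps mon = "allow r"
    caps osd = "allow rw pool=cephfs_data"
[client.bar]
    key = PLACEHOLDER-BAR
    caps mds = "allow rw"
    caps mon = "allow r"
    caps osd = "allow rw"
"""

def parse_keyring(text):
    """Return {entity: {daemon: cap string}} from keyring-format text."""
    entities, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        cap = re.fullmatch(r'caps\s+(\w+)\s*=\s*"(.*)"', line)
        if header:
            current = entities.setdefault(header.group(1), {})
        elif cap and current is not None:
            current[cap.group(1)] = cap.group(2)
    return entities

def audit_client(caps, allowed_path, data_pool):
    """Return findings where caps reach beyond allowed_path or data_pool."""
    findings, prefix = [], allowed_path.rstrip("/") + "/"
    for g in filter(None, map(str.strip, caps.get("mds", "").split(","))):
        m = re.search(r"\bpath=(\S+)", g)
        path = (m.group(1).rstrip("/") or "/") if m else None
        if path is None:
            findings.append(f"mds: '{g}' has no path= restriction")
        elif path != allowed_path and not path.startswith(prefix):
            findings.append(f"mds: '{g}' is outside {allowed_path}")
    for g in filter(None, map(str.strip, caps.get("osd", "").split(","))):
        # Only the pool= form used in this thread is recognised; anything
        # else is reported so that a human reviews it.
        if not re.search(rf"\bpool={re.escape(data_pool)}(\s|$)", g):
            findings.append(f"osd: '{g}' is not limited to pool {data_pool}")
    return findings

def audit_keyring(text, allowed_path="/foo", data_pool="cephfs_data"):
    """Map each client.* entity to its list of findings."""
    return {name: audit_client(caps, allowed_path, data_pool)
            for name, caps in parse_keyring(text).items()
            if name.startswith("client.")}
```

Calling audit_keyring(SAMPLE_KEYRING) returns no findings for client.foo and two for client.bar; a cap such as "allow r, allow rw path=/foo" is also reported, because its first grant gives read access to the whole tree.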


