Re: Cephfs : security questions?

In cases like this you also want to set RADOS namespaces for each tenant’s directory in the CephFS layout and give them OSD access to only that namespace. That will prevent malicious users from tampering with the raw RADOS objects of other users.
-Greg
On Fri, Sep 29, 2017 at 4:33 AM Yoann Moulin <yoann.moulin@xxxxxxx> wrote:

>>>> Kernels on the client is 4.4.0-93 and on the ceph nodes 4.4.0-96
>>>>
>>>> What exactly is an older kernel client? Is 4.4 old?
>>>
>>> See
>>> http://docs.ceph.com/docs/master/cephfs/best-practices/#which-kernel-version
>>>
>>> If you're on Ubuntu Xenial I would advise to use
>>> "linux-generic-hwe-16.04". Currently gives you 4.10.0-* kernel.
>>
>> OK, but I still cannot set caps without read access to "/" on the cephfs volume. Is there something else I must do?
>>
>> # ceph auth get-or-create client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
>> Error EINVAL: key for client.foo exists but cap mds does not match
>>
>> # ceph fs authorize cephfs client.foo /foo rw
>> Error EINVAL: key for client.foo exists but cap mds does not match
>
> Use "ceph auth list" to check the current caps for the client. With ceph
> auth caps (note, _not_ get-or-create) you can update the caps:
>
> ceph auth caps client.foo mon "allow r" osd "allow rw
> pool=cephfs_data" mds "allow rw path=/foo"
>
> The command should return "updated caps for client.foo"

Oops, you're right, I must use "ceph auth caps" and not "ceph auth get-or-create".

So finally I did this:

# ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
updated caps for client.foo

# ceph fs authorize cephfs client.foo /foo rw
[client.foo]
        key = [snip]

On the client :

# uname -a
Linux ntxvm006 4.10.0-33-generic #37~16.04.1-Ubuntu SMP Fri Aug 11 14:07:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

# mount.ceph iccluster041,iccluster042,iccluster054:/ /mnt -v -o name=foo,secret=[snip]
parsing options: name=foo,secret=[snip]
mount error 13 = Permission denied

# mount.ceph iccluster041,iccluster042,iccluster054:/foo /mnt -v -o name=foo,secret=[snip]
parsing options: name=foo,secret=[snip]

# df /mnt
Filesystem                                1K-blocks     Used   Available Use% Mounted on
10.90.38.17,10.90.38.18,10.90.39.5:/foo 70324469760 26267648 70298202112   1% /mnt

It seems to work as I want.

Thanks a lot !

Cheers,

--
Yoann Moulin
EPFL IC-IT
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
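The thread ends with a key whose mds cap is limited to /foo but whose osd cap is still "allow rw pool=cephfs_data", which is exactly the gap Greg's note about RADOS namespaces addresses: any client.foo can read or overwrite every object in the data pool, including other tenants' file data, by talking to the OSDs directly. The following is an added example (not code from the thread or from the Ceph project) that audits a keyring for that gap. It assumes a hypothetical layout in which tenant "foo" owns /foo and its directory layout points at RADOS namespace "foo" of pool cephfs_data (set with `setfattr -n ceph.dir.layout.pool_namespace -v foo` on the directory); the keyring text is a constructed sample modelled on `ceph auth get client.foo`, and the tenant-name policy is invented for the example.

```shell
#!/bin/sh
# Added example, not part of the thread: check whether a CephFS tenant key is
# confined to its own directory and RADOS namespace.
# Assumed layout (hypothetical): tenant "foo" owns /foo, and the directory's
# ceph.dir.layout.pool_namespace is "foo" in pool cephfs_data, so a correct
# osd cap reads: allow rw pool=cephfs_data namespace=foo

# Constructed sample of `ceph auth get client.foo` after the `ceph auth caps`
# command in the thread: mds is path-restricted, but the osd cap still covers
# every object in the pool because there is no namespace= clause.
SAMPLE_KEYRING='exported keyring for client.foo
[client.foo]
        key = AQ[snip]==
        caps mds = "allow rw path=/foo"
        caps mon = "allow r"
        caps osd = "allow rw pool=cephfs_data"'

# valid_tenant_name NAME: tenant names end up inside cap strings and paths,
# so only allow [A-Za-z0-9_-] (policy assumed for this example).
valid_tenant_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# cap_of KEYRING SERVICE: print the cap string for mds/mon/osd from keyring text.
cap_of() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*caps $2 = \"\(.*\)\"$/\1/p"
}

# tenant_osd_cap TENANT POOL: the osd cap that confines TENANT to its namespace.
tenant_osd_cap() {
    printf 'allow rw pool=%s namespace=%s' "$2" "$1"
}

# audit_tenant_caps KEYRING TENANT POOL: return 0 if the key is confined to
# path=/TENANT, namespace=TENANT and read-only mon access; otherwise print
# each gap and return 1.
audit_tenant_caps() {
    keyring=$1 tenant=$2 pool=$3 rc=0
    valid_tenant_name "$tenant" || { echo "bad tenant name: $tenant"; return 1; }
    mds=$(cap_of "$keyring" mds)
    mon=$(cap_of "$keyring" mon)
    osd=$(cap_of "$keyring" osd)
    # path=/foo must be a whole token, so path=/foobar does not pass for foo
    case "$mds" in
        *"path=/$tenant" | *"path=/$tenant "*) ;;
        *) echo "mds cap '$mds' is not limited to path=/$tenant"; rc=1 ;;
    esac
    [ "$mon" = "allow r" ] || { echo "mon cap '$mon' should be 'allow r'"; rc=1; }
    case "$osd" in
        *"pool=$pool"*) ;;
        *) echo "osd cap '$osd' does not name pool $pool"; rc=1 ;;
    esac
    case "$osd" in
        *"namespace=$tenant" | *"namespace=$tenant "*) ;;
        *) echo "osd cap '$osd' grants every object in $pool; use '$(tenant_osd_cap "$tenant" "$pool")'"; rc=1 ;;
    esac
    return $rc
}

# Run the audit on the sample: it reports the missing namespace= clause.
audit_tenant_caps "$SAMPLE_KEYRING" foo cephfs_data || echo "client.foo needs tightening"
```

In practice you would feed the script the live output of `ceph auth get client.<tenant>` for each tenant, and on a failure re-issue `ceph auth caps` with the osd cap that `tenant_osd_cap` prints; the namespace restriction only protects data written after the directory layout was set, so existing tenant directories need their layout set before the tighter cap is applied.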
