Re: Cephfs : security questions?


On Fri, Sep 29, 2017 at 7:34 AM Yoann Moulin <yoann.moulin@xxxxxxx> wrote:
Hi,

>>>>> Kernels on client is 4.4.0-93 and on ceph node are 4.4.0-96
>>>>>
>>>>> What is exactly an older kernel client ? 4.4 is old ?
>>>>>
>>>>> See
>>>>> http://docs.ceph.com/docs/master/cephfs/best-practices/#which-kernel-version
>>>>>
>>>>> If you're on Ubuntu Xenial I would advise to use
>>>>> "linux-generic-hwe-16.04". Currently gives you 4.10.0-* kernel.
>>>>
>>>> OK, but I still cannot set caps without read access to "/" on cephfs volume, is there something else I must do?
>>>>
>>>> # ceph auth get-or-create client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
>>>> Error EINVAL: key for client.foo exists but cap mds does not match
>>>>
>>>> # ceph fs authorize cephfs client.foo /foo rw
>>>> Error EINVAL: key for client.foo exists but cap mds does not match
>>>
>>> Use "ceph auth list" to check the current caps for the client. With ceph
>>> auth caps (note, _not_ get-or-create) you can update the caps:
>>>
>>> ceph auth caps client.foo mon "allow r" osd "allow rw
>>> pool=cephfs_data" mds "allow rw path=/foo"
>>>
>>> The command should return "updated caps for client.foo"
>>
>>     oops, you're right I must use "ceph auth caps" and not "ceph auth get-or-create"
>>
>>     # ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
>>     updated caps for client.foo
>
> In cases like this you also want to set RADOS namespaces for each tenant’s directory in the CephFS layout and give them OSD access to only that
> namespace. That will prevent malicious users from tampering with the raw RADOS objects of other users.

You mean by doing something like:

ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data namespace=foo" mds "allow rw path=/foo"?

[client.foo]
        key = [snip]
        caps mds = "allow rw path=/foo"
        caps mon = "allow r"
        caps osd = "allow rw pool=cephfs_data namespace=foo"

or you are referring also to:

http://docs.ceph.com/docs/master/cephfs/file-layouts/

Yes, both of those. The "auth caps" portion gives the client permission on the OSD to access the namespace "foo". The file layouts place the CephFS file data into that namespace.
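As an added example (not part of the thread and not Ceph project code): a small audit script that parses the `ceph auth list` output format shown above and flags tenant clients whose caps do not follow the advice in this thread, i.e. an mds cap without a `path=` restriction, or an osd cap without a `pool=` / `namespace=` restriction. It assumes the thread's naming convention that the RADOS namespace equals the tenant's top-level directory name, and the sample entries are constructed.

```python
import re

# Constructed sample in the "ceph auth list" format quoted in the thread
# (keys elided); client.bar deliberately lacks the namespace restriction.
SAMPLE_AUTH_LIST = """\
[client.foo]
        key = [snip]
        caps mds = "allow rw path=/foo"
        caps mon = "allow r"
        caps osd = "allow rw pool=cephfs_data namespace=foo"
[client.bar]
        key = [snip]
        caps mds = "allow rw path=/bar"
        caps mon = "allow r"
        caps osd = "allow rw pool=cephfs_data"
"""
ENTITY_RE = re.compile(r"^\[([^\]]+)\]\s*$")
CAP_RE = re.compile(r'^\s*caps\s+(\w+)\s*=\s*"([^"]*)"\s*$')

def parse_auth_list(text):
    """Return {entity: {service: capstring}} from 'ceph auth list' output."""
    entities, current = {}, None
    for line in text.splitlines():
        m = ENTITY_RE.match(line)
        if m:
            current = m.group(1)
            entities[current] = {}
        elif current is not None and (m := CAP_RE.match(line)):
            entities[current][m.group(1)] = m.group(2)
    return entities

def _kv(capstring, key):
    # Value of a key=value token (pool=, namespace=, path=), or None.
    m = re.search(r"\b%s=(\S+)" % re.escape(key), capstring)
    return m.group(1) if m else None

def audit_tenant(caps):
    """Findings for one tenant (empty = OK). Assumes namespace == top-level dir."""
    findings = []
    path = _kv(caps.get("mds", ""), "path")
    ns = _kv(caps.get("osd", ""), "namespace")
    if path is None:
        findings.append("mds cap not restricted to a path")
    if _kv(caps.get("osd", ""), "pool") is None:
        findings.append("osd cap not restricted to a pool")
    if ns is None:
        findings.append("osd cap not restricted to a RADOS namespace")
    elif path and ns != path.strip("/").split("/")[0]:
        findings.append("namespace %s does not match mds path %s" % (ns, path))
    return findings
```

Run it over the real `ceph auth list` output to get a per-client list of findings; a client that passes the audit still needs the matching `pool_namespace` set in its directory's file layout for the data to actually land in that namespace.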
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
