> Hello,
>
> I am trying to follow the instructions at:
>
> http://docs.ceph.com/docs/master/cephfs/client-auth/
>
> to restrict a client to a subdirectory of the Ceph filesystem, but always get an error.
>
> We are running the latest stable release of Ceph (v12.2.1) on CentOS 7 servers. The user 'hydra' has the following capabilities:
>
> # ceph auth get client.hydra
> exported keyring for client.hydra
> [client.hydra]
> key = AQxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
> caps mds = "allow rw"
> caps mgr = "allow r"
> caps mon = "allow r"
> caps osd = "allow rw"
>
> When I tried to restrict the client to only mount and work within the directory /hydra of the Ceph filesystem 'pulpos', I got an error:
>
> # ceph fs authorize pulpos client.hydra /hydra rw
> Error EINVAL: key for client.dong exists but cap mds does not match
>
> I've tried a few combinations of user caps and CephFS client caps, but always got the same error!
>
> Has anyone been able to get this to work? What is your recipe?

In case the client runs an old kernel (at least 4.4 is old, 4.10 is not), you need to give read access to the entire cephfs fs; if not, you won't be able to mount the subdirectory.

1/ give read access to the mds and rw to the subdirectory:

# ceph auth get-or-create client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow r, allow rw path=/foo"

or, if client.foo already exists:

# ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow r, allow rw path=/foo"
[client.foo]
key = XXX
caps mds = "allow r, allow rw path=/foo"
caps mon = "allow r"
caps osd = "allow rw pool=cephfs_data"

2/ you give read access to / and rw access to the subdirectory:

# ceph fs authorize cephfs client.foo / r /foo rw

Then you get the secret key and mount:

# ceph --cluster container auth get-key client.foo > foo.secret
# mount.ceph mds1,mds2,mds3:/foo /foo -v -o name=foo,secretfile=/path/to/foo.secret

With an old kernel, you will always be able to mount the root of the cephfs fs:

# mount.ceph mds1,mds2,mds3:/ /foo -v -o name=foo,secretfile=/path/to/foo.secret

If your client runs a not so old kernel, you can do this:

1/ you need to give access to the specific path, like:

# ceph auth get-or-create client.bar mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/bar"

or, if client.bar already exists:

# ceph auth caps client.bar mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/bar"
[client.bar]
key = XXX
caps mds = "allow rw path=/bar"
caps mon = "allow r"
caps osd = "allow rw pool=cephfs_data"

2/ you give rw access only on the subdirectory:

# ceph fs authorize cephfs client.bar /bar rw

Then you get the secret key and mount:

# ceph --cluster container auth get-key client.bar > bar.secret
# mount.ceph mds1,mds2,mds3:/bar /bar -v -o name=bar,secretfile=/path/to/bar.secret

If you try to mount the cephfs root, you should get an access denied:

# mount.ceph mds1,mds2,mds3:/ /bar -v -o name=bar,secretfile=/path/to/bar.secret

In case you want to increase the security, you might have a look at namespaces and file layouts:
http://docs.ceph.com/docs/master/cephfs/file-layouts/

I haven't had a look at it yet, but it looks really interesting!

> Thanks,
> Shaw

--
Yoann Moulin
EPFL IC-IT
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
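Added example (editor's code, not from the thread and not Ceph's own parser): a small pre-flight check that reads an MDS cap string such as the ones in the keyrings above ("allow r, allow rw path=/foo" versus "allow rw path=/bar") and reports whether a planned mount of a given path, in read-only or read-write mode, would be allowed, including the old-kernel case from the reply where the client additionally needs read access on "/" to mount a subdirectory. It is a simplified model of the cap grammar (assumption: only the r/w letters and an optional path= are modelled; uid/gid restrictions and the other permission letters are ignored), intended for checking a keyring before trying mount.ceph, not for replacing the MDS's own decision.

```python
import re
from dataclasses import dataclass
from typing import List

# One MDS cap clause as seen in the thread's keyrings, e.g. "allow rw path=/foo".
# Simplified grammar (assumption): perms letters plus an optional path=, nothing else.
CLAUSE_RE = re.compile(r"^allow\s+(?P<perms>[rwps]+)(?:\s+path=(?P<path>\S+))?$")


@dataclass(frozen=True)
class MdsGrant:
    read: bool
    write: bool
    path: str            # normalised; "/" means the whole filesystem


def normalise(path: str) -> str:
    """Collapse '/foo/' and 'foo' to '/foo'; '' and '/' both become '/'."""
    return "/" + path.strip("/")


def parse_mds_caps(caps: str) -> List[MdsGrant]:
    """Parse a comma-separated MDS cap string into grants; reject unknown syntax."""
    grants = []
    for raw in caps.split(","):
        clause = raw.strip()
        m = CLAUSE_RE.match(clause)
        if m is None:
            raise ValueError(f"unrecognised MDS cap clause: {clause!r}")
        perms = m.group("perms")
        grants.append(MdsGrant(read="r" in perms, write="w" in perms,
                               path=normalise(m.group("path") or "/")))
    return grants


def _covers(grant_path: str, mount_path: str) -> bool:
    """A grant on /foo covers /foo and /foo/sub, but not /foobar."""
    return (grant_path == "/" or mount_path == grant_path
            or mount_path.startswith(grant_path + "/"))


def can_mount(caps: str, mount_path: str, want_write: bool) -> bool:
    """True if at least one grant covers mount_path with the requested mode."""
    mount_path = normalise(mount_path)
    return any(_covers(g.path, mount_path) and g.read and (g.write or not want_write)
               for g in parse_mds_caps(caps))


def mount_check(caps: str, mount_path: str, want_write: bool, old_kernel: bool) -> List[str]:
    """Return a list of problems; an empty list means the mount should be allowed.

    old_kernel=True models the reply's observation that older clients (4.4 in the
    thread) also need read access on / before they can mount a subdirectory.
    """
    problems = []
    mode = "rw" if want_write else "r"
    if not can_mount(caps, mount_path, want_write):
        problems.append(f"no MDS grant gives {mode} on {normalise(mount_path)}")
    if old_kernel and normalise(mount_path) != "/" and not can_mount(caps, "/", False):
        problems.append("old kernel: needs 'allow r' on / to mount a subdirectory")
    return problems


if __name__ == "__main__":
    # The two keyrings from the reply, checked against the mounts it describes.
    for caps in ("allow r, allow rw path=/foo", "allow rw path=/bar"):
        sub = "/foo" if "foo" in caps else "/bar"
        for path, kernel in ((sub, True), (sub, False), ("/", False)):
            verdict = mount_check(caps, path, want_write=(path != "/"), old_kernel=kernel)
            print(f"caps={caps!r} mount={path} old_kernel={kernel}: {verdict or 'ok'}")
```

With the first keyring every combination passes, including the root mount as read-only; with the second, the subdirectory mount passes only on a newer kernel and the root mount is refused, which is the "access denied" the reply predicts.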