On Wed, Mar 7, 2018 at 2:45 PM, Kenneth Waegeman <kenneth.waegeman@xxxxxxxx> wrote:
> Hi all,
>
> I am playing with limiting client access to certain subdirectories of cephfs,
> running the latest 12.2.4 and the latest CentOS 7.4 kernel, using both the
> kernel client and fuse.
>
> I am following http://docs.ceph.com/docs/luminous/cephfs/client-auth/:
>
> To completely restrict the client to the bar directory, omit the root
> directory
>
> ceph fs authorize cephfs client.foo /bar rw
>
> When I mount this directory with fuse, this works. When I try to mount the
> subdirectory directly with the kernel client, I get
>
> mount error 13 = Permission denied
>
> This only seems to work when the root is readable.
>
> --> Is there a way to mount a subdirectory with the kernel client when the
> parent in cephfs is not readable?

The latest CentOS kernel isn't necessarily very recent: it sounds like the
version in use there is a little older (at one point the subdir mount support
had this quirk with the kclient that required the root be readable).

> Then I checked the data pool with rados, but I can list/get/.. every object
> in the data pool using the client.foo key.
>
> I saw in the docs of master
> http://docs.ceph.com/docs/master/cephfs/client-auth/ that you can add a tag
> cephfs, but if I add this I can't write anything to cephfs anymore, so I
> guess this is not yet supported in luminous.
>
> --> Is there a way to limit the cephfs user to his data only (through
> cephfs) instead of being able to do everything on the pool, without needing
> a pool for every single cephfs client?

Yes. You can do this with namespaces: set the ceph.dir.layout.pool_namespace
on the restricted subdir (before any files are written in there), and then
restrict the client's OSD caps to that namespace within the pool, with a cap
like "allow rw pool=foo namespace=baz".

John

>
> Thanks!!
> Kenneth
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
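The namespace recipe from John's reply, as an added example that is not part of the thread: a small audit that parses `ceph auth ls`-style output and flags CephFS clients whose OSD caps are still pool-wide (no `namespace=`), plus a helper that emits the two commands needed to confine a client. The sample auth listing, the placeholder keys, the pool name `cephfs_data` and the mountpoint `/mnt/cephfs` are constructed for the example.

```python
import re

# Constructed sample in the shape of `ceph auth ls` output (placeholder keys, not real data).
# client.foo is the situation from the thread: a path-limited MDS cap, but a pool-wide OSD cap.
SAMPLE_AUTH = """\
client.foo
\tkey: PLACEHOLDER==
\tcaps: [mds] allow rw path=/bar
\tcaps: [mon] allow r
\tcaps: [osd] allow rw pool=cephfs_data
client.baz
\tkey: PLACEHOLDER==
\tcaps: [mds] allow rw path=/baz
\tcaps: [mon] allow r
\tcaps: [osd] allow rw pool=cephfs_data namespace=baz
"""

# One grant per "allow <perms> ..." clause; clauses are comma-separated in a cap string.
GRANT_RE = re.compile(r"allow\s+(\S+)([^,]*)")


def parse_auth_ls(text):
    """Map each entity (e.g. 'client.foo') to its {cap_type: cap_string} dict."""
    entities, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line = entity header
            current = line.strip()
            entities[current] = {}
        else:
            m = re.match(r"\s*caps: \[(\w+)\] (.*)", line)
            if m and current is not None:
                entities[current][m.group(1)] = m.group(2).strip()
    return entities


def osd_grants(cap):
    """Split an OSD cap into grants; 'key=value' tokens become fields (pool, namespace, ...).
    Bare tokens such as 'tag cephfs' carry no namespace restriction and are not recorded."""
    grants = []
    for m in GRANT_RE.finditer(cap):
        fields = dict(tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
        grants.append({"perms": m.group(1), **fields})
    return grants


def unrestricted_osd_clients(text):
    """Return {entity: [grants]} for client.* entities with any OSD grant lacking a namespace."""
    findings = {}
    for entity, caps in parse_auth_ls(text).items():
        if not entity.startswith("client."):
            continue
        wide = [g for g in osd_grants(caps.get("osd", "")) if "namespace" not in g]
        if wide:
            findings[entity] = wide
    return findings


def restriction_commands(client, fs_path, mountpoint, pool, namespace):
    """The two steps from the reply: set the layout namespace on the still-empty subdir,
    then rewrite the client's caps so its OSD access is confined to that namespace."""
    return [
        f"setfattr -n ceph.dir.layout.pool_namespace -v {namespace} {mountpoint}{fs_path}",
        f"ceph auth caps {client} mds 'allow rw path={fs_path}' mon 'allow r' "
        f"osd 'allow rw pool={pool} namespace={namespace}'",
    ]
```

Run `unrestricted_osd_clients` over real `ceph auth ls` output to find keys that can still read every object in the data pool via rados, as Kenneth observed.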