Thanks for the explanation, that's what I suspected but needed the confirmation.

________________________________
From: Gregory Farnum <gfarnum@xxxxxxxxxx>
Sent: Thursday, June 23, 2022 11:22 AM
To: Wyll Ingersoll <wyllys.ingersoll@xxxxxxxxxxxxxx>
Cc: ceph-users@xxxxxxx <ceph-users@xxxxxxx>
Subject: Re: cephfs client permission restrictions?

On Thu, Jun 23, 2022 at 8:18 AM Wyll Ingersoll <wyllys.ingersoll@xxxxxxxxxxxxxx> wrote:
>
> Is it possible to craft a cephfs client authorization key that will allow the client read/write access to a path within the FS, but NOT allow the client to modify the permissions of that path?
> For example, allow RW access to /cephfs/foo (path=/foo) but prevent the client from modifying permissions on /foo.

Cephx won't do this on its own — it enforces subtree-based access and can restrict clients to acting as a specific (set of) uid/gids, but it doesn't add extra stuff on top of that. (Modifying permissions is, you know, a write.)

This is part of the standard Linux security model though, right? So you can make somebody else the owner and give your restricted user access via a group.
-Greg

>
> thanks,
> Wyllys Ingersoll
>
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
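
The owner-plus-group layout suggested in the reply above can be audited from an admin mount; this is an added example, not part of the original thread. The names `Verdict`, `check_dir` and `layout_ok` are hypothetical, and the check assumes plain mode bits (no POSIX ACLs) and a cephx cap that pins the client to the given uid/gids, as the reply describes.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class Verdict:
    can_write: bool   # may create/remove entries in the directory
    can_chmod: bool   # may change the directory's mode bits
    reason: str


def check_dir(path, client_uid, client_gids):
    """Classic POSIX mode-bit evaluation for one directory.

    Assumptions (not from the thread): POSIX ACLs are ignored, and the
    client's cephx cap pins it to client_uid/client_gids, so it cannot
    simply act as the directory owner.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)

    if client_uid == 0:  # uid 0 bypasses mode bits entirely
        return Verdict(True, True, "uid 0 bypasses permission checks")

    # Exactly one permission class applies: owner, then group, then other.
    if client_uid == st.st_uid:
        bits, cls = (mode >> 6) & 7, "owner"
    elif st.st_gid in client_gids:
        bits, cls = (mode >> 3) & 7, "group"
    else:
        bits, cls = mode & 7, "other"

    # Changing a directory's contents needs both write and search (w + x).
    can_write = (bits & 0o3) == 0o3
    # chmod is reserved for the owner (or uid 0), whatever the mode bits say.
    can_chmod = client_uid == st.st_uid
    return Verdict(can_write, can_chmod, f"matched {cls} class, mode {mode:04o}")


def layout_ok(path, client_uid, client_gids):
    """True when the client can write into path but cannot chmod it."""
    v = check_dir(path, client_uid, client_gids)
    return v.can_write and not v.can_chmod


if __name__ == "__main__":
    # Constructed usage: audit the current directory for uid 1001, gid 2001.
    print(check_dir(".", 1001, {2001}))
```

Files the restricted client creates inside the directory are owned by its own uid, so this check covers the directory itself, which is what the question asks about.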