Re: What would be ideal option for 'auth.allow' to support subdir mount?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, Jul 20, 2017 at 07:11:29PM +0530, Amar Tumballi wrote:
> Hi,
> 
> I was working on subdir mount for fuse clients [1], and was able to handle
> pieces just fine in filesystem part of gluster. [2]
> 
> What is pending is, how will we handle the authentication options for this
> at each subdir level?
> 
> I propose to keep the current option and extending it to handle new feature
> with proper backward compatibility.
> 
> Currently, the option auth.allow (and auth.reject) are of the type
> GF_OPTION_TYPE_INTERNET_ADDRESS_LIST. Which expects valid internet
> addresses with comma separation.
> 
> For example the current option looks likes this:
> 
>  'option auth.addr.brick-name.allow *' OR 'option
> auth.addr.brick-name.allow "192.168.*.* ,10.10.*.*"'.
> 
> In future, it may look like:
> 
> `option auth.addr.brick-name.allow "10.0.1.13;192.168.1.*
> =/subdir1;192.168.10.* ,192.168.11.104 =/subdir2"`
> 
> so each entries will be separated by ';'. And in each entry, first part ("
> =") is address list and second part is directory. If directory is empty,
> its assumed as '/'. (Handles the backward compatibility). And if there is
> no entry for a $subdir here, that $subdir won't be mountable.

IIRC Gluster/NFS allows you to set permissions for subdir mounting with
a format like this:

  /subdir/next/dir(IP,IP-range,...) /subdir2(IP)

It would be best to use the existing format if we can to prevent
confusion among our users.

Thanks,
Niels


> 
> (The above format is handled properly already at [2] in addr.c, the pending
> thing is to handle the option properly in options.c's validate).
> 
> [1] - https://github.com/gluster/glusterfs/issues/175
> [2] - https://review.gluster.org/17141
> 
> If everyone agrees to this, I guess we can pull it off before absolute
> feature freeze date for 3.12 branch.
> 
> Let me know the feedback. (I am updating the same content in github, so
> feel free to comment there too).
> 
> NOTE: I thought of using ':' (colon) as field separator between addr_list
> and subdir entry, but with IPv6 ':' is valid character in string. Hence
> using ' ='.
> -- 
> Amar Tumballi (amarts)

> _______________________________________________
> Gluster-devel mailing list
> Gluster-devel@xxxxxxxxxxx
> http://lists.gluster.org/mailman/listinfo/gluster-devel

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://lists.gluster.org/mailman/listinfo/gluster-devel
[Index of Archives]     [Gluster Users]     [Ceph Users]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux