On 20/10/2022 18:13, Jeff Layton wrote:
On Thu, 2022-10-20 at 09:29 +0800, Xiubo Li wrote:
[...]
I tend to agree with Max here. The .snap dir is a client-side fiction,
so trying to do something on the MDS to govern its use seems a bit odd.
cephx is really about authenticating clients. I know we do things like
enforce root squashing on the MDS, but this is a little different.
Now, all of that said, snapshot handling is an area where I'm just not
that knowledgeable. Feel free to ignore my opinion here as uninformed.
I am thinking currently the cephfs have the same issue we discussed
here. Because the cephfs is saving the UID/GID number in the CInode
metedata. While when there have multiple clients are sharing the same
cephfs, so in different client nodes another user could cross access a
specified user's files. For example:
In client nodeA:
user1's UID is 123, user2's UID is 321.
In client nodeB:
user1's UID is 321, user2's UID is 123.
And if user1 create a fileA in the client nodeA, then user2 could access
it from client nodeB.
Doesn't this also sound more like a client-side fiction ?
idmapping is a difficult issue and not at all confined to CephFS. NFSv4
has a whole upcall facility for mapping IDs, for instance. The MDS has
no way to know that 123 and 321 are the same user on different machines.
That sort of mapping must be set up by the administrator.
The real question is: Does it make sense for the MDS to use directory
permissions to enforce access on something that isn't really a
directory?
My "gut feeling" here is that the MDS ought to be in charge of governing
which _clients_ are allowed to make snapshots, but it's up to the client
to determine which _users_ are allowed to create them. With that concept
in mind, Max's proposal makes some sense.
Snapshots are not part of POSIX, and the ".snap" directory interface was
copied from Netapp (AFAICT). Maybe CephFS ought to enforce permissions
on snapshots the same way Netapps do? I don't know exactly how it works
there, so some research may be required.
I found this article but it's behind a paywall:
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS_7_Mode/How_to_control_access_to_a_Snapshot_directory
Yeah, these days I thought about this more. I will review this patch.
BTW, as we discussed in IRC to switch this to module parameters instead.
Then how about when the mounts are in different namespace groups, such
as the containers ? This couldn't be control that precise, maybe we will
hit the same idmapping issue as I mentioned above ?
So maybe the mount option approach is the best choice here as Max does ?
- Xiubo