Hi Burkhard,

Thanks for your answer. I've tried two things now:

* ceph auth get-or-create client.boris mon 'allow r' mds 'allow r path=/, allow rw path=/boris' osd 'allow rw pool=cephfs_data'. This is according to your suggestion. I am however now still able to mount the root path and read all containing subdirectories.

* ceph auth get-or-create client.boris mon 'allow r' mds 'allow rw path=/boris' osd 'allow rw pool=cephfs_data'. So now I disallowed reading the root at all. I am however now not able to mount the fs (even when using the -r /boris flag).

So to make it clear, I want to limit a given client (boris in this case) to only read and write to a given subdirectory of the root (/boris in this case).

Thanks,
Boris

On Wed, Jan 11, 2017 at 11:30 AM Burkhard Linke <burkhard.li...@computational.bio.uni-giessen.de> wrote:
> Hi,
>
> On 01/11/2017 11:02 AM, Boris Mattijssen wrote:
>
> Hi all,
>
> I'm trying to use *path restriction* on CephFS, running a Ceph Jewel (ceph version 10.2.5) cluster.
> For this I'm using the command specified in the official docs (http://docs.ceph.com/docs/jewel/cephfs/client-auth/):
> ceph auth get-or-create client.boris mon 'allow r' mds 'allow r, allow rw path=/boris' osd 'allow rw pool=cephfs_data'
>
> When I mount the fs with *boris* user and the generated secret I can still see all files in the fs (not just the files in /boris).
> I am restricted to write to anything but /boris, so the problem is that I can still read anything outside of /boris.
>
> Can someone please clarify what's going on?
>
>
> As far as I understand the mds caps, mds 'allow r' allows read-only access to all files; 'allow rw path=/boris' restricts write access to the given path. So your observations reflect the given permissions.
>
> You can configure ceph-fuse and kcephfs to use a given directory as 'root' directory of the mount point (e.g. ceph-fuse -r /boris). But I'm not sure whether
>
> - you need access to the root directory to mount with -r option
> - you can restrict the read-only access to the root directory without sub directories
> (e.g. 'allow r path=/, allow rw path=/boris' to allow mounting a sub directory only)
>
> Unfortunately the -r option is a client side option, so you have to trust your clients.
>
> Regards,
> Burkhard
> _______________________________________________
> ceph-users mailing list
> ceph-users@lists.ceph.com
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
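An added example, not code from either poster: a small Python audit that parses `ceph auth get`-style output (the sample below is constructed, with keys redacted, and its layout is assumed from the Jewel-era `ceph auth get client.<name>` format) and flags mds grants that reach the whole tree, such as the bare 'allow r' or 'allow r path=/' discussed above, so an admin can spot clients that can read outside their intended subdirectory.

```python
import re

# Constructed sample in the layout `ceph auth get client.<name>` prints; keys redacted.
SAMPLE_AUTH_OUTPUT = """\
[client.boris]
\tkey = REDACTED
\tcaps mds = "allow r, allow rw path=/boris"
\tcaps mon = "allow r"
\tcaps osd = "allow rw pool=cephfs_data"
[client.alice]
\tkey = REDACTED
\tcaps mds = "allow rw path=/alice"
\tcaps mon = "allow r"
\tcaps osd = "allow rw pool=cephfs_data"
"""

ENTITY_RE = re.compile(r'^\[(\S+)\]\s*$')
CAPS_RE = re.compile(r'^\s*caps (\w+) = "(.*)"\s*$')


def parse_auth_output(text):
    """Return {entity: {service: capstring}} from `ceph auth get`-style output."""
    entities, current = {}, None
    for line in text.splitlines():
        m = ENTITY_RE.match(line)
        if m:
            current = m.group(1)
            entities[current] = {}
            continue
        m = CAPS_RE.match(line)
        if m and current is not None:
            entities[current][m.group(1)] = m.group(2)
    return entities


def parse_mds_grants(capstring):
    """Split an mds cap string into (perms, path) tuples; path is None when no path= is given."""
    grants = []
    for clause in capstring.split(","):
        tokens = clause.split()
        if len(tokens) < 2 or tokens[0] != "allow":
            continue
        path = next((t[len("path="):] for t in tokens[2:] if t.startswith("path=")), None)
        grants.append((tokens[1], path))
    return grants


def unrestricted_mds_grants(text):
    """Map entity -> mds grants that cover the whole filesystem (no path, or path=/)."""
    findings = {}
    for entity, caps in parse_auth_output(text).items():
        wide = [g for g in parse_mds_grants(caps.get("mds", "")) if g[1] in (None, "/")]
        if wide:
            findings[entity] = wide
    return findings
```

Run it against the real `ceph auth list` or per-client `ceph auth get` output to list every client whose mds caps include a tree-wide read grant.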