John,

Do you know which kernel version I need? It seems to be not working with 4.8.15 on coreos (4.8.15-coreos) (I also tested on 4.7.3). I can confirm that it works using the ceph-fuse client, but I need the kernel client to work since I want to mount using Kubernetes ;)

Btw, this is the error I get:

mount: x.x.x.x:6789:/boris is write-protected, mounting read-only
mount: cannot mount x.x.x.x:6789:/boris read-only

Thanks,
Boris

On Wed, Jan 11, 2017 at 3:05 PM Boris Mattijssen <b.mattijs...@nerdalize.com> wrote:
> Ah right, I was using the kernel client on kernel 3.x
> Thanks for the answer. I'll try updating tomorrow and will let you know if it works!
>
> Cheers,
> Boris
>
> On Wed, Jan 11, 2017 at 1:03 PM John Spray <jsp...@redhat.com> wrote:
>> On Wed, Jan 11, 2017 at 11:39 AM, Boris Mattijssen <b.mattijs...@nerdalize.com> wrote:
>>> Hi Burkhard,
>>>
>>> Thanks for your answer. I've tried two things now:
>>> * ceph auth get-or-create client.boris mon 'allow r' mds 'allow r path=/, allow rw path=/boris' osd 'allow rw pool=cephfs_data'. This is according to your suggestion. I am however now still able to mount the root path and read all containing subdirectories.
>>> * ceph auth get-or-create client.boris mon 'allow r' mds 'allow rw path=/boris' osd 'allow rw pool=cephfs_data'. So now I disallowed reading the root at all. I am however now not able to mount the fs (even when using the -r /boris flag).
>>
>> The second one is correct, but some older clients (notably the kernel client before it was fixed in 4.x recently) don't work properly with it -- the older client code always tries to read the root inode, so fails to mount if it can't access it.
>>
>> John
>>
>>> So to make it clear, I want to limit a given client (boris in this case) to only read and write to a given subdirectory of the root (/boris in this case).
>>>
>>> Thanks,
>>> Boris
>>>
>>> On Wed, Jan 11, 2017 at 11:30 AM Burkhard Linke <burkhard.li...@computational.bio.uni-giessen.de> wrote:
>>>> Hi,
>>>>
>>>> On 01/11/2017 11:02 AM, Boris Mattijssen wrote:
>>>>> Hi all,
>>>>>
>>>>> I'm trying to use path restriction on CephFS, running a Ceph Jewel (ceph version 10.2.5) cluster.
>>>>> For this I'm using the command specified in the official docs (http://docs.ceph.com/docs/jewel/cephfs/client-auth/):
>>>>> ceph auth get-or-create client.boris mon 'allow r' mds 'allow r, allow rw path=/boris' osd 'allow rw pool=cephfs_data'
>>>>>
>>>>> When I mount the fs with boris user and the generated secret I can still see all files in the fs (not just the files in /boris).
>>>>> I am restricted to write to anything but /boris, so the problem is that I can still read anything outside of /boris.
>>>>>
>>>>> Can someone please clarify what's going on?
>>>>
>>>> As far as I understand the mds caps, mds 'allow r' allows read-only access to all files; 'allow rw path=/boris' restricts write access to the given path. So your observations reflect the given permissions.
>>>>
>>>> You can configure ceph-fuse and kcephfs to use a given directory as 'root' directory of the mount point (e.g. ceph-fuse -r /boris). But I'm not sure whether
>>>>
>>>> - you need access to the root directory to mount with -r option
>>>> - you can restrict the read-only access to the root directory without sub directories
>>>> (e.g. 'allow r path=/, allow rw path=/boris' to allow mounting a sub directory only)
>>>>
>>>> Unfortunately the -r option is a client side option, so you have to trust your clients.
>>>>
>>>> Regards,
>>>> Burkhard
>>>> _______________________________________________
>>>> ceph-users mailing list
>>>> ceph-users@lists.ceph.com
>>>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
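The thread turns on how the three MDS cap strings differ: the docs example grants read everywhere, `allow r path=/` still covers the whole tree, and only `allow rw path=/boris` confines the client to its subdirectory, at the price of failing to mount on older kernel clients that insist on reading the root inode. The following Python model is an added illustration for this page, not code from the thread and not Ceph's real cap parser. It assumes the simplified semantics stated above (a clause without `path=` applies to the whole tree; `path=/x` applies to `/x` and everything beneath it; a client must be able to read the directory it mounts) and the helper names (`parse_mds_caps`, `allowed`, `can_mount`, `report`) and the sample paths are constructed here.

```python
"""Toy model of CephFS MDS path caps, following the semantics described in
the thread.  Written for this page as an illustration; it is NOT Ceph's real
cap parser.  Assumption: the mds cap string is a comma-separated list of
"allow <perms> [path=<dir>]" clauses, the form used in the thread.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MdsGrant:
    perms: str            # "r" or "rw"
    path: Optional[str]   # None: the grant is not path-restricted


def parse_mds_caps(caps: str) -> List[MdsGrant]:
    """Parse the mds '...' cap string into a list of grants."""
    grants = []
    for clause in caps.split(","):
        tokens = clause.split()
        if len(tokens) < 2 or tokens[0] != "allow":
            raise ValueError(f"unrecognised mds cap clause: {clause!r}")
        perms, path = tokens[1], None
        for tok in tokens[2:]:
            if tok.startswith("path="):
                path = tok[len("path="):]
        grants.append(MdsGrant(perms, path))
    return grants


def _normalize(path: str) -> str:
    # "/" stays "/", "/boris/" becomes "/boris"
    return "/" + path.strip("/")


def _within(target: str, root: Optional[str]) -> bool:
    """True if target is root itself or lies beneath it."""
    if root is None:
        return True
    root, target = _normalize(root), _normalize(target)
    return root == "/" or target == root or target.startswith(root + "/")


def allowed(caps: str, path: str, op: str) -> bool:
    """Does any grant permit op ('r' or 'w') on path?"""
    return any(op in g.perms and _within(path, g.path)
               for g in parse_mds_caps(caps))


def can_mount(caps: str, mount_root: str, client_reads_root_inode: bool) -> bool:
    """Model of the mount-time check: every client must read the directory it
    mounts; the older kernel client John describes also reads the root inode,
    so it fails when '/' is not readable."""
    if not allowed(caps, mount_root, "r"):
        return False
    if client_reads_root_inode and not allowed(caps, "/", "r"):
        return False
    return True


# The three mds cap strings tried in the thread.
DOCS_CAPS = "allow r, allow rw path=/boris"            # docs example: read everywhere
ROOT_R_CAPS = "allow r path=/, allow rw path=/boris"   # path=/ is still the whole tree
RESTRICTED_CAPS = "allow rw path=/boris"               # least privilege: /boris only


def report(caps: str) -> dict:
    """Summarise what a client holding these caps can do (constructed paths)."""
    return {
        "read_outside": allowed(caps, "/other/secret.txt", "r"),
        "write_outside": allowed(caps, "/other/secret.txt", "w"),
        "rw_inside": allowed(caps, "/boris/data", "w"),
        "mount_fuse": can_mount(caps, "/boris", client_reads_root_inode=False),
        "mount_old_kernel": can_mount(caps, "/boris", client_reads_root_inode=True),
    }


if __name__ == "__main__":
    for name, caps in [("docs", DOCS_CAPS), ("root-r", ROOT_R_CAPS),
                       ("restricted", RESTRICTED_CAPS)]:
        print(f"{name:11} {caps!r}: {report(caps)}")
```

Running it shows the three observations from the thread side by side: the docs caps and the `path=/` variant both leave `/other/secret.txt` readable, while the restricted caps close that off and still allow the ceph-fuse style mount of `/boris`, but not a mount by a client that must read the root inode first. The model deliberately treats `path=/` as equivalent to no path restriction, which is why Burkhard's suggested variant cannot hide the root.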