>> We are working on a POC with containers (kubernetes) and cephfs (for 
>> permanent storage).
>> 
>> The main idea is to give a user access to a subdirectory of the 
>> cephfs but be sure he won't be able to access the rest of the 
>> storage. As k8s works, the user will have access to the yml file where 
>> the cephfs mount point is defined. He will be able to change the 
>> subdirectory mounted inside the container (and set it to /). And inside 
>> the container, the user is root…
>> 
>> So even if the user doesn't have access to the secret, he will be able 
>> to mount the whole cephfs volume with read access.
>> 
>> Is there a possibility to have "root_squash" option on cephfs volume for 
>> a specific client.user + secret?
>> 
>> Is it possible to allow a specific user to mount only /bla and disallow 
>> mounting the cephfs root "/"?
>> 
>> Or is there another way to do that?
>
> Maybe this will get you started with the permissions for only this fs
> path /smb
>
> sudo ceph auth get-or-create client.cephfs.smb mon 'allow r' mds 'allow r, allow rw path=/smb' osd 'allow rwx pool=fs_meta,allow rwx pool=fs_data'

What I currently do is:

mkdir /cephfs/foo
chown nobody:foogrp /cephfs/foo
chmod 770 /cephfs/foo
ceph auth get-or-create client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow r, allow rw path=/foo"
ceph fs authorize cephfs client.foo / r /foo rw

So I have this for client.foo:

[client.foo]
        key = [secret]
        caps mds = "allow r, allow rw path=/foo"
        caps mon = "allow r"
        caps osd = "allow rw pool=cephfs_data"

With this, the user foo is able to mount the root of the cephfs and read 
everything. Of course, he cannot modify anything, but my problem here is that 
he is still able to have read access to everything with uid=0.

-- 
Yoann Moulin
EPFL IC-IT
_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
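The cap string above, `allow r, allow rw path=/foo`, is what `ceph fs authorize cephfs client.foo / r /foo rw` produces, and the unrestricted `allow r` grant is exactly what lets client.foo read the whole tree. Authorizing only the subtree (`ceph fs authorize cephfs client.foo /foo rw`) yields `allow rw path=/foo` instead, and a client holding only a path-restricted grant cannot mount or read `/`. The Python below is an added example, not code from this thread or from Ceph: it is a simplified model of how the MDS evaluates comma-separated grants (a request is permitted if any one grant covers it), used to compare the two cap strings.

```python
# Simplified model of Ceph MDS "caps mds" evaluation (added example, not Ceph
# code). Each comma-separated "allow ..." grant is independent; a request is
# allowed if ANY grant covers it. This is why "allow r, allow rw path=/foo"
# still exposes the entire tree read-only: the first grant has no path.
import re
from posixpath import normpath

GRANT_RE = re.compile(r"^allow\s+([rwps*]+)(?:\s+path=(\S+))?$")

def parse_mds_caps(caps):
    """Parse 'allow r, allow rw path=/foo' into [(perms, path_prefix_or_None)]."""
    grants = []
    for part in caps.split(","):
        m = GRANT_RE.match(part.strip())
        if not m:
            raise ValueError(f"unrecognised grant: {part!r}")
        perms, path = m.groups()
        grants.append((set(perms), normpath(path) if path else None))
    return grants

def _within(requested, prefix):
    """True if `requested` is `prefix` itself or lies underneath it."""
    requested = normpath(requested)
    return requested == prefix or requested.startswith(prefix.rstrip("/") + "/")

def is_capable(caps, path, need):
    """True if the cap string lets a client do `need` ('r' or 'w') on `path`."""
    for perms, prefix in parse_mds_caps(caps):
        if "*" in perms or need in perms:
            if prefix is None or _within(path, prefix):
                return True
    return False

# The cap string from the thread, and the subtree-only one for comparison.
BROAD = "allow r, allow rw path=/foo"
SCOPED = "allow rw path=/foo"

def audit(caps, probes=("/", "/other/secret", "/foo", "/foo/data")):
    """Map each probe path (constructed sample paths) to (can_read, can_write)."""
    return {p: (is_capable(caps, p, "r"), is_capable(caps, p, "w")) for p in probes}

if __name__ == "__main__":
    for label, caps in (("broad", BROAD), ("scoped", SCOPED)):
        print(f"{label}: {caps}")
        for path, (r, w) in audit(caps).items():
            print(f"  {path:14} read={r!s:5} write={w}")
```

Note that with a path-restricted grant the client must mount the restricted path itself (e.g. `/foo`), since mounting `/` is refused by the MDS.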
