Re: [ceph-users] Prevent cephfs clients from mount and browsing "/"

2016-12-07 Thread Martin Palma
Thanks all for the clarification.

Best,
Martin

On Mon, Dec 5, 2016 at 2:14 PM, John Spray wrote:
> On Mon, Dec 5, 2016 at 12:35 PM, David Disseldorp wrote:
>> Hi Martin,
>>
>> On Mon, 5 Dec 2016 13:27:01 +0100, Martin Palma wrote:
>>
>>> Ok, just discovered that with the fuse client, we have to add the '-r
>>> /path' option, to treat that as root. So I assume the caps 'mds allow
>>> r' is only needed if we also want to be able to mount the directory
>>> with the kernel client. Right?
>>
>> IIUC, this was recently fixed in the kernel client via:
>> commit ce2728aaa82bbebae7d20345324af3f0f49eeb20
>> Author: Yan, Zheng 
>> Date:   Wed Sep 14 14:53:05 2016 +0800
>>
>> ceph: avoid accessing / when mounting a subpath
>
> Correct.  Clients with a "path=" restriction only need the global
> "allow r" if the client is buggy (as the kernel client was[1] before
> Zheng's fix).
>
> This functionality has had more testing with the fuse client because
> it is used with OpenStack Manila.
>
> John
>
> 1. http://tracker.ceph.com/issues/17191
>
>
>
>
>> Cheers, David
___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
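
The two cap layouts discussed in this thread can be audited offline. The following is an added example, not part of the original messages or of Ceph itself: it parses a simplified subset of the MDS cap syntax and reports grants that let a client read outside its intended subtree. The client names, paths and sample cap strings are constructed for illustration.

```python
import re

# Simplified subset of the MDS cap grammar (assumption): comma-separated
# grants of the form "allow <perms> [path=<dir>]". Other qualifiers such as
# uid=/gids= are not handled here.
GRANT_RE = re.compile(
    r"^allow\s+(?P<perms>\*|[rwps]+)(?=\s|$)(?:\s+path=(?P<path>\S+))?"
)


def parse_mds_caps(caps):
    """Return [(perms, path)]; path is '/' when the grant has no path=."""
    grants = []
    for part in caps.split(","):
        part = part.strip()
        m = GRANT_RE.match(part)
        if not m:
            raise ValueError(f"unrecognised MDS grant: {part!r}")
        # Normalise to an absolute path without a trailing slash.
        path = "/" + (m.group("path") or "").strip("/")
        grants.append((m.group("perms"), path))
    return grants


def readable_outside(caps, subtree):
    """Grants with read access that apply outside `subtree`."""
    subtree = "/" + subtree.strip("/")
    prefix = subtree.rstrip("/") + "/"
    return [
        (perms, path)
        for perms, path in parse_mds_caps(caps)
        if ("r" in perms or perms == "*")
        and path != subtree
        and not path.startswith(prefix)
    ]


# Constructed sample: (mds caps, directory the client is meant to be confined to).
SAMPLE_CLIENTS = {
    # Workaround layout needed by the kernel client before the fix:
    "client.legacy": ("allow r, allow rw path=/projects/a", "/projects/a"),
    # Path-only layout, sufficient for ceph-fuse -r or a fixed kernel client:
    "client.scoped": ("allow rw path=/projects/b", "/projects/b"),
}


def audit(clients):
    """Map each client name to the grants that escape its subtree."""
    return {n: readable_outside(c, s) for n, (c, s) in clients.items()}
```

A non-empty result for a client means its key can still mount and browse "/", which is the situation the original question describes.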


Re: [ceph-users] Prevent cephfs clients from mount and browsing "/"

2016-12-05 Thread John Spray
On Mon, Dec 5, 2016 at 12:35 PM, David Disseldorp wrote:
> Hi Martin,
>
> On Mon, 5 Dec 2016 13:27:01 +0100, Martin Palma wrote:
>
>> Ok, just discovered that with the fuse client, we have to add the '-r
>> /path' option, to treat that as root. So I assume the caps 'mds allow
>> r' is only needed if we also want to be able to mount the directory
>> with the kernel client. Right?
>
> IIUC, this was recently fixed in the kernel client via:
> commit ce2728aaa82bbebae7d20345324af3f0f49eeb20
> Author: Yan, Zheng 
> Date:   Wed Sep 14 14:53:05 2016 +0800
>
> ceph: avoid accessing / when mounting a subpath

Correct.  Clients with a "path=" restriction only need the global
"allow r" if the client is buggy (as the kernel client was[1] before
Zheng's fix).

This functionality has had more testing with the fuse client because
it is used with OpenStack Manila.

John

1. http://tracker.ceph.com/issues/17191




> Cheers, David


Re: [ceph-users] Prevent cephfs clients from mount and browsing "/"

2016-12-05 Thread David Disseldorp
Hi Martin,

On Mon, 5 Dec 2016 13:27:01 +0100, Martin Palma wrote:

> Ok, just discovered that with the fuse client, we have to add the '-r
> /path' option, to treat that as root. So I assume the caps 'mds allow
> r' is only needed if we also want to be able to mount the directory
> with the kernel client. Right?

IIUC, this was recently fixed in the kernel client via:
commit ce2728aaa82bbebae7d20345324af3f0f49eeb20
Author: Yan, Zheng 
Date:   Wed Sep 14 14:53:05 2016 +0800

ceph: avoid accessing / when mounting a subpath

Cheers, David


Re: [ceph-users] Prevent cephfs clients from mount and browsing "/"

2016-12-05 Thread Martin Palma
Ok, just discovered that with the fuse client, we have to add the '-r
/path' option, to treat that as root. So I assume the caps 'mds allow
r' is only needed if we also want to be able to mount the directory
with the kernel client. Right?

Best,
Martin

On Mon, Dec 5, 2016 at 1:20 PM, Martin Palma wrote:
> Hello,
>
> is it possible to prevent a cephfs client from mounting the root of a cephfs
> filesystem and browsing through it?
>
> We want to restrict cephfs clients to a particular directory, but when
> we define a specific cephx auth key for a client we need to add the
> following caps: "mds 'allow r'" which then gives the client also the
> possibility to mount the root for cephfs and inspect it.
>
> Are we missing something or is this by design?
>
>
> Best,
> Martin