Re: [ceph-users] Prevent cephfs clients from mount and browsing "/"
Thanks all for the clarification.

Best,
Martin

On Mon, Dec 5, 2016 at 2:14 PM, John Spray wrote:
> On Mon, Dec 5, 2016 at 12:35 PM, David Disseldorp wrote:
>> Hi Martin,
>>
>> On Mon, 5 Dec 2016 13:27:01 +0100, Martin Palma wrote:
>>
>>> Ok, just discovered that with the fuse client, we have to add the '-r
>>> /path' option, to treat that as root. So I assume the caps 'mds allow
>>> r' is only needed if we also want to be able to mount the directory
>>> with the kernel client. Right?
>>
>> IIUC, this was recently fixed in the kernel client via:
>> commit ce2728aaa82bbebae7d20345324af3f0f49eeb20
>> Author: Yan, Zheng
>> Date:   Wed Sep 14 14:53:05 2016 +0800
>>
>>     ceph: avoid accessing / when mounting a subpath
>
> Correct. Clients with a "path=" restriction only need the global
> "allow r" if the client is buggy (as the kernel client was[1] before
> Zheng's fix).
>
> This functionality has had more testing with the fuse client because
> it is used with OpenStack Manila.
>
> John
>
> 1. http://tracker.ceph.com/issues/17191
>
>> Cheers, David

___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] Prevent cephfs clients from mount and browsing "/"
On Mon, Dec 5, 2016 at 12:35 PM, David Disseldorp wrote:
> Hi Martin,
>
> On Mon, 5 Dec 2016 13:27:01 +0100, Martin Palma wrote:
>
>> Ok, just discovered that with the fuse client, we have to add the '-r
>> /path' option, to treat that as root. So I assume the caps 'mds allow
>> r' is only needed if we also want to be able to mount the directory
>> with the kernel client. Right?
>
> IIUC, this was recently fixed in the kernel client via:
> commit ce2728aaa82bbebae7d20345324af3f0f49eeb20
> Author: Yan, Zheng
> Date:   Wed Sep 14 14:53:05 2016 +0800
>
>     ceph: avoid accessing / when mounting a subpath

Correct. Clients with a "path=" restriction only need the global
"allow r" if the client is buggy (as the kernel client was[1] before
Zheng's fix).

This functionality has had more testing with the fuse client because
it is used with OpenStack Manila.

John

1. http://tracker.ceph.com/issues/17191

> Cheers, David
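An audit sketch for the caps situation discussed in this thread, added here as an example and not code from any of the posters or from the Ceph project: it scans a listing of auth entries and reports clients whose mds caps still reach "/", either with no "path=" at all or with a global grant next to a path-restricted one. The entity names, paths and listing are constructed, and the parser is a simplification that only understands `allow <spec> [path=...]` grants.

```python
import re

# Constructed sample shaped like `ceph auth ls` output; keys are placeholders.
SAMPLE_AUTH_LS = (
    "client.share1\n"
    "\tkey: <placeholder>\n"
    "\tcaps: [mds] allow rw path=/volumes/share1\n"
    "\tcaps: [mon] allow r\n"
    "client.legacy\n"
    "\tkey: <placeholder>\n"
    "\tcaps: [mds] allow r, allow rw path=/projects/a\n"
    "\tcaps: [mon] allow r\n"
    "client.admin\n"
    "\tkey: <placeholder>\n"
    "\tcaps: [mds] allow *\n"
)

def parse_mds_grants(capstr):
    """Split an mds cap string into (spec, path) pairs; path None means no path=."""
    grants = []
    for part in re.split(r"[,;]", capstr):
        m = re.fullmatch(r"\s*allow\s+(\S+)(.*)", part)
        if m:
            p = re.search(r"\bpath=(\S+)", m.group(2))
            grants.append((m.group(1), p.group(1) if p else None))
    return grants

def audit(auth_ls_text):
    """Map each client whose mds caps reach '/' to 'mixed' or 'unrestricted'."""
    findings, entity = {}, None
    for line in auth_ls_text.splitlines():
        if line and not line[0].isspace():
            entity = line.strip()          # entity header, e.g. client.legacy
            continue
        m = re.match(r"\s*caps: \[mds\] (.*)", line)
        if not m or not entity or not entity.startswith("client."):
            continue
        grants = parse_mds_grants(m.group(1))
        whole_tree = [s for s, p in grants if p in (None, "/")]
        scoped = [p for s, p in grants if p not in (None, "/")]
        if whole_tree:
            findings[entity] = "mixed" if scoped else "unrestricted"
    return findings

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_AUTH_LS).items():
        print(name, kind)
```

A "mixed" result marks a key that was given the global "allow r" as a workaround and is a candidate for tightening once its clients no longer need it.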
Re: [ceph-users] Prevent cephfs clients from mount and browsing "/"
Hi Martin,

On Mon, 5 Dec 2016 13:27:01 +0100, Martin Palma wrote:

> Ok, just discovered that with the fuse client, we have to add the '-r
> /path' option, to treat that as root. So I assume the caps 'mds allow
> r' is only needed if we also want to be able to mount the directory
> with the kernel client. Right?

IIUC, this was recently fixed in the kernel client via:
commit ce2728aaa82bbebae7d20345324af3f0f49eeb20
Author: Yan, Zheng
Date:   Wed Sep 14 14:53:05 2016 +0800

    ceph: avoid accessing / when mounting a subpath

Cheers, David
Re: [ceph-users] Prevent cephfs clients from mount and browsing "/"
Ok, just discovered that with the fuse client, we have to add the '-r
/path' option, to treat that as root. So I assume the caps 'mds allow
r' is only needed if we also want to be able to mount the directory
with the kernel client. Right?

Best,
Martin

On Mon, Dec 5, 2016 at 1:20 PM, Martin Palma wrote:
> Hello,
>
> is it possible to prevent a cephfs client from mounting the root of a
> cephfs filesystem and browsing through it?
>
> We want to restrict cephfs clients to a particular directory, but when
> we define a specific cephx auth key for a client we need to add the
> following caps: "mds 'allow r'" which then gives the client also the
> possibility to mount the root for cephfs and inspect it.
>
> Are we missing something or is this by design?
>
>
> Best,
> Martin