2015-11-13 14:12:28 +00:00
|
|
|
|
================================
|
|
|
|
|
CephFS Client Capabilities
|
|
|
|
|
================================
|
|
|
|
|
|
2019-09-09 19:36:04 +00:00
|
|
|
|
Use Ceph authentication capabilities to restrict your file system clients
|
2015-11-13 14:12:28 +00:00
|
|
|
|
to the lowest possible level of authority needed.
|
|
|
|
|
|
2020-07-16 11:51:57 +00:00
|
|
|
|
.. note:: Path restriction and layout modification restriction are new features
|
2015-12-08 14:10:18 +00:00
|
|
|
|
in the Jewel release of Ceph.
|
|
|
|
|
|
2020-07-16 11:51:57 +00:00
|
|
|
|
.. note:: Using Erasure Coded(EC) pools with CephFS is supported only with the
|
2019-09-09 08:39:15 +00:00
|
|
|
|
BlueStore Backend. They cannot be used as metadata pools and overwrites must
|
|
|
|
|
be enabled on the data pools.
|
|
|
|
|
|
|
|
|
|
|
2015-11-13 14:12:28 +00:00
|
|
|
|
Path restriction
|
|
|
|
|
================
|
|
|
|
|
|
2020-07-16 11:51:57 +00:00
|
|
|
|
By default, clients are not restricted in what paths they are allowed to
|
|
|
|
|
mount. Further, when clients mount a subdirectory, e.g., ``/home/user``, the
|
|
|
|
|
MDS does not by default verify that subsequent operations are ‘locked’ within
|
|
|
|
|
that directory.
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
|
|
|
|
To restrict clients to only mount and work within a certain directory, use
|
|
|
|
|
path-based MDS authentication capabilities.
|
|
|
|
|
|
2022-09-30 19:34:27 +00:00
|
|
|
|
Note that this restriction *only* impacts the filesystem hierarchy -- the metadata
|
|
|
|
|
tree managed by the MDS. Clients will still be able to access the underlying
|
|
|
|
|
file data in RADOS directly. To segregate clients fully, you must also isolate
|
|
|
|
|
untrusted clients in their own RADOS namespace. You can place a client's
|
|
|
|
|
filesystem subtree in a particular namespace using `file layouts`_ and then
|
|
|
|
|
restrict their RADOS access to that namespace using `OSD capabilities`_
|
|
|
|
|
|
|
|
|
|
.. _file layouts: ./file-layouts
|
|
|
|
|
.. _OSD capabilities: ../rados/operations/user-management/#authorization-capabilities
|
|
|
|
|
|
2015-11-13 14:12:28 +00:00
|
|
|
|
Syntax
|
|
|
|
|
------
|
|
|
|
|
|
|
|
|
|
To grant rw access to the specified directory only, we mention the specified
|
2020-07-16 11:51:57 +00:00
|
|
|
|
directory while creating key for a client using the following syntax::
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
2020-07-16 11:51:57 +00:00
|
|
|
|
ceph fs authorize <fs_name> client.<client_id> <path-in-cephfs> rw
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
2020-07-16 11:51:57 +00:00
|
|
|
|
For example, to restrict client ``foo`` to writing only in the ``bar``
|
|
|
|
|
directory of file system ``cephfs_a``, use ::
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
2020-01-21 18:41:47 +00:00
|
|
|
|
ceph fs authorize cephfs_a client.foo / r /bar rw
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
2017-10-03 14:17:12 +00:00
|
|
|
|
results in:
|
|
|
|
|
|
|
|
|
|
client.foo
|
|
|
|
|
key: *key*
|
|
|
|
|
caps: [mds] allow r, allow rw path=/bar
|
|
|
|
|
caps: [mon] allow r
|
|
|
|
|
caps: [osd] allow rw tag cephfs data=cephfs_a
|
|
|
|
|
|
2017-01-19 05:23:42 +00:00
|
|
|
|
To completely restrict the client to the ``bar`` directory, omit the
|
2017-08-02 15:39:51 +00:00
|
|
|
|
root directory ::
|
2017-01-19 05:23:42 +00:00
|
|
|
|
|
2020-01-21 18:41:47 +00:00
|
|
|
|
ceph fs authorize cephfs_a client.foo /bar rw
|
2017-01-19 05:23:42 +00:00
|
|
|
|
|
|
|
|
|
Note that if a client's read access is restricted to a path, they will only
|
2019-09-09 19:36:04 +00:00
|
|
|
|
be able to mount the file system when specifying a readable path in the
|
2017-01-19 05:23:42 +00:00
|
|
|
|
mount command (see below).
|
|
|
|
|
|
2019-09-09 19:36:04 +00:00
|
|
|
|
Supplying ``all`` or ``*`` as the file system name will grant access to every
|
2020-07-16 11:51:57 +00:00
|
|
|
|
file system. Note that it is usually necessary to quote ``*`` to protect it
|
|
|
|
|
from the shell.
|
2017-01-19 05:23:42 +00:00
|
|
|
|
|
2020-07-16 11:51:57 +00:00
|
|
|
|
See `User Management - Add a User to a Keyring`_. for additional details on
|
|
|
|
|
user management
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
2020-07-16 11:51:57 +00:00
|
|
|
|
To restrict a client to the specified sub-directory only, we mention the
|
|
|
|
|
specified directory while mounting using the following syntax::
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
2020-07-16 11:51:57 +00:00
|
|
|
|
ceph-fuse -n client.<client_id> <mount-path> -r *directory_to_be_mounted*
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
2020-07-16 11:51:57 +00:00
|
|
|
|
For example, to restrict client ``foo`` to ``mnt/bar`` directory, we will
|
|
|
|
|
use::
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
2020-07-16 11:51:57 +00:00
|
|
|
|
ceph-fuse -n client.foo mnt -r /bar
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
2016-05-11 12:18:23 +00:00
|
|
|
|
Free space reporting
|
|
|
|
|
--------------------
|
|
|
|
|
|
|
|
|
|
By default, when a client is mounting a sub-directory, the used space (``df``)
|
|
|
|
|
will be calculated from the quota on that sub-directory, rather than reporting
|
|
|
|
|
the overall amount of space used on the cluster.
|
|
|
|
|
|
2019-09-09 19:36:04 +00:00
|
|
|
|
If you would like the client to report the overall usage of the file system,
|
2016-05-11 12:18:23 +00:00
|
|
|
|
and not just the quota usage on the sub-directory mounted, then set the
|
2019-03-01 16:41:45 +00:00
|
|
|
|
following config option on the client::
|
2016-05-11 12:18:23 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
client quota df = false
|
|
|
|
|
|
|
|
|
|
If quotas are not enabled, or no quota is set on the sub-directory mounted,
|
2019-09-09 19:36:04 +00:00
|
|
|
|
then the overall usage of the file system will be reported irrespective of
|
2016-05-11 12:18:23 +00:00
|
|
|
|
the value of this setting.
|
|
|
|
|
|
2017-02-24 12:40:43 +00:00
|
|
|
|
Layout and Quota restriction (the 'p' flag)
|
|
|
|
|
===========================================
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
2017-02-24 12:40:43 +00:00
|
|
|
|
To set layouts or quotas, clients require the 'p' flag in addition to 'rw'.
|
|
|
|
|
This restricts all the attributes that are set by special extended attributes
|
|
|
|
|
with a "ceph." prefix, as well as restricting other means of setting
|
|
|
|
|
these fields (such as openc operations with layouts).
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
2017-10-03 14:17:12 +00:00
|
|
|
|
For example, in the following snippet client.0 can modify layouts and quotas
|
2019-03-01 16:41:45 +00:00
|
|
|
|
on the file system cephfs_a, but client.1 cannot::
|
2015-12-08 14:10:18 +00:00
|
|
|
|
|
2015-11-13 14:12:28 +00:00
|
|
|
|
client.0
|
|
|
|
|
key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
|
|
|
|
|
caps: [mds] allow rwp
|
|
|
|
|
caps: [mon] allow r
|
2017-10-03 14:17:12 +00:00
|
|
|
|
caps: [osd] allow rw tag cephfs data=cephfs_a
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
|
|
|
|
client.1
|
|
|
|
|
key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
|
|
|
|
|
caps: [mds] allow rw
|
|
|
|
|
caps: [mon] allow r
|
2017-10-03 14:17:12 +00:00
|
|
|
|
caps: [osd] allow rw tag cephfs data=cephfs_a
|
2015-11-13 14:12:28 +00:00
|
|
|
|
|
2016-08-04 11:50:18 +00:00
|
|
|
|
|
2018-06-14 09:21:59 +00:00
|
|
|
|
Snapshot restriction (the 's' flag)
|
|
|
|
|
===========================================
|
|
|
|
|
|
2020-07-16 11:51:57 +00:00
|
|
|
|
To create or delete snapshots, clients require the 's' flag in addition to
|
|
|
|
|
'rw'. Note that when capability string also contains the 'p' flag, the 's'
|
|
|
|
|
flag must appear after it (all flags except 'rw' must be specified in
|
|
|
|
|
alphabetical order).
|
2018-06-14 09:21:59 +00:00
|
|
|
|
|
|
|
|
|
For example, in the following snippet client.0 can create or delete snapshots
|
2019-03-01 16:41:45 +00:00
|
|
|
|
in the ``bar`` directory of file system ``cephfs_a``::
|
2018-06-14 09:21:59 +00:00
|
|
|
|
|
|
|
|
|
client.0
|
|
|
|
|
key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
|
|
|
|
|
caps: [mds] allow rw, allow rws path=/bar
|
|
|
|
|
caps: [mon] allow r
|
|
|
|
|
caps: [osd] allow rw tag cephfs data=cephfs_a
|
|
|
|
|
|
|
|
|
|
|
2017-03-01 01:51:01 +00:00
|
|
|
|
.. _User Management - Add a User to a Keyring: ../../rados/operations/user-management/#add-a-user-to-a-keyring
|
2018-07-05 16:44:25 +00:00
|
|
|
|
|
|
|
|
|
Network restriction
|
|
|
|
|
===================
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
client.foo
|
|
|
|
|
key: *key*
|
|
|
|
|
caps: [mds] allow r network 10.0.0.0/8, allow rw path=/bar network 10.0.0.0/8
|
|
|
|
|
caps: [mon] allow r network 10.0.0.0/8
|
|
|
|
|
caps: [osd] allow rw tag cephfs data=cephfs_a network 10.0.0.0/8
|
|
|
|
|
|
|
|
|
|
The optional ``{network/prefix}`` is a standard network name and
|
|
|
|
|
prefix length in CIDR notation (e.g., ``10.3.0.0/16``). If present,
|
|
|
|
|
the use of this capability is restricted to clients connecting from
|
|
|
|
|
this network.
|
2019-03-01 16:41:45 +00:00
|
|
|
|
|
2020-12-09 02:57:44 +00:00
|
|
|
|
.. _fs-authorize-multifs:
|
|
|
|
|
|
2019-03-01 16:41:45 +00:00
|
|
|
|
File system Information Restriction
|
|
|
|
|
===================================
|
|
|
|
|
|
|
|
|
|
If desired, the monitor cluster can present a limited view of the file systems
|
|
|
|
|
available. In this case, the monitor cluster will only inform clients about
|
|
|
|
|
file systems specified by the administrator. Other file systems will not be
|
|
|
|
|
reported and commands affecting them will fail as if the file systems do
|
|
|
|
|
not exist.
|
|
|
|
|
|
|
|
|
|
Consider following example. The Ceph cluster has 2 FSs::
|
|
|
|
|
|
|
|
|
|
$ ceph fs ls
|
|
|
|
|
name: cephfs, metadata pool: cephfs_metadata, data pools: [cephfs_data ]
|
|
|
|
|
name: cephfs2, metadata pool: cephfs2_metadata, data pools: [cephfs2_data ]
|
|
|
|
|
|
|
|
|
|
But we authorize client ``someuser`` for only one FS::
|
|
|
|
|
|
|
|
|
|
$ ceph fs authorize cephfs client.someuser / rw
|
|
|
|
|
[client.someuser]
|
|
|
|
|
key = AQAmthpf89M+JhAAiHDYQkMiCq3x+J0n9e8REQ==
|
|
|
|
|
$ cat ceph.client.someuser.keyring
|
|
|
|
|
[client.someuser]
|
|
|
|
|
key = AQAmthpf89M+JhAAiHDYQkMiCq3x+J0n9e8REQ==
|
|
|
|
|
caps mds = "allow rw fsname=cephfs"
|
|
|
|
|
caps mon = "allow r fsname=cephfs"
|
|
|
|
|
caps osd = "allow rw tag cephfs data=cephfs"
|
|
|
|
|
|
|
|
|
|
And the client can only see the FS that it has authorization for::
|
|
|
|
|
|
|
|
|
|
$ ceph fs ls -n client.someuser -k ceph.client.someuser.keyring
|
|
|
|
|
name: cephfs, metadata pool: cephfs_metadata, data pools: [cephfs_data ]
|
|
|
|
|
|
|
|
|
|
Standby MDS daemons will always be displayed. Note that the information about
|
|
|
|
|
restricted MDS daemons and file systems may become available by other means,
|
|
|
|
|
such as ``ceph health detail``.
|
2019-03-07 15:17:23 +00:00
|
|
|
|
|
|
|
|
|
MDS communication restriction
|
|
|
|
|
=============================
|
|
|
|
|
|
|
|
|
|
By default, user applications may communicate with any MDS, whether or not
|
|
|
|
|
they are allowed to modify data on an associated file system (see
|
|
|
|
|
`Path restriction` above). Client's communication can be restricted to MDS
|
|
|
|
|
daemons associated with particular file system(s) by adding MDS caps for that
|
|
|
|
|
particular file system. Consider the following example where the Ceph cluster
|
|
|
|
|
has 2 FSs::
|
|
|
|
|
|
|
|
|
|
$ ceph fs ls
|
|
|
|
|
name: cephfs, metadata pool: cephfs_metadata, data pools: [cephfs_data ]
|
|
|
|
|
name: cephfs2, metadata pool: cephfs2_metadata, data pools: [cephfs2_data ]
|
|
|
|
|
|
|
|
|
|
Client ``someuser`` is authorized only for one FS::
|
|
|
|
|
|
|
|
|
|
$ ceph fs authorize cephfs client.someuser / rw
|
|
|
|
|
[client.someuser]
|
|
|
|
|
key = AQBPSARfg8hCJRAAEegIxjlm7VkHuiuntm6wsA==
|
|
|
|
|
$ ceph auth get client.someuser > ceph.client.someuser.keyring
|
|
|
|
|
exported keyring for client.someuser
|
|
|
|
|
$ cat ceph.client.someuser.keyring
|
|
|
|
|
[client.someuser]
|
|
|
|
|
key = AQBPSARfg8hCJRAAEegIxjlm7VkHuiuntm6wsA==
|
|
|
|
|
caps mds = "allow rw fsname=cephfs"
|
|
|
|
|
caps mon = "allow r"
|
|
|
|
|
caps osd = "allow rw tag cephfs data=cephfs"
|
|
|
|
|
|
|
|
|
|
Mounting ``cephfs1`` with ``someuser`` works::
|
|
|
|
|
|
|
|
|
|
$ sudo ceph-fuse /mnt/cephfs1 -n client.someuser -k ceph.client.someuser.keyring --client-fs=cephfs
|
|
|
|
|
ceph-fuse[96634]: starting ceph client
|
|
|
|
|
ceph-fuse[96634]: starting fuse
|
|
|
|
|
$ mount | grep ceph-fuse
|
|
|
|
|
ceph-fuse on /mnt/cephfs1 type fuse.ceph-fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
|
|
|
|
|
|
|
|
|
|
But mounting ``cephfs2`` does not::
|
|
|
|
|
|
|
|
|
|
$ sudo ceph-fuse /mnt/cephfs2 -n client.someuser -k ceph.client.someuser.keyring --client-fs=cephfs2
|
|
|
|
|
ceph-fuse[96599]: starting ceph client
|
|
|
|
|
ceph-fuse[96599]: ceph mount failed with (1) Operation not permitted
|
2020-08-02 12:53:43 +00:00
|
|
|
|
|
|
|
|
|
Root squash
|
|
|
|
|
===========
|
|
|
|
|
|
|
|
|
|
The ``root squash`` feature is implemented as a safety measure to prevent
|
|
|
|
|
scenarios such as accidental ``sudo rm -rf /path``. You can enable
|
|
|
|
|
``root_squash`` mode in MDS caps to disallow clients with uid=0 or gid=0 to
|
|
|
|
|
perform write access operations -- e.g., rm, rmdir, rmsnap, mkdir, mksnap.
|
|
|
|
|
However, the mode allows the read operations of a root client unlike in
|
|
|
|
|
other file systems.
|
|
|
|
|
|
|
|
|
|
Following is an example of enabling root_squash in a filesystem except within
|
|
|
|
|
'/volumes' directory tree in the filesystem::
|
|
|
|
|
|
|
|
|
|
$ ceph fs authorize a client.test_a / rw root_squash /volumes rw
|
|
|
|
|
$ ceph auth get client.test_a
|
|
|
|
|
[client.test_a]
|
|
|
|
|
key = AQBZcDpfEbEUKxAADk14VflBXt71rL9D966mYA==
|
|
|
|
|
caps mds = "allow rw fsname=a root_squash, allow rw fsname=a path=/volumes"
|
|
|
|
|
caps mon = "allow r fsname=a"
|
|
|
|
|
caps osd = "allow rw tag cephfs data=a"
|