mirror of
https://github.com/ceph/ceph
synced 2024-12-29 23:12:27 +00:00
6a6c06887c
Signed-off-by: Jashan Kamboj <jashank42@gmail.com>
42 lines
1.5 KiB
ReStructuredText
================================
Restrict Access to a Directory
================================

CephFS mostly assumes a controlled environment where clients are not restricted
in what paths they are allowed to mount. And if they do mount a subdirectory,
e.g., /home/user, the MDS does not currently verify that subsequent operations
are ‘locked’ within that directory. Path-based restriction allows us to restrict
a client to a particular directory in the file system.

Syntax
======

To grant rw access to the specified directory only, name that directory when
creating the key for a client, using the following syntax::

    ./ceph auth get-or-create client.*client_name* mon 'allow r' mds 'allow r, allow rw path=/*specified_directory*' osd 'allow rwx'

For example, to restrict client ``foo`` to the ``bar`` directory, use::

    ./ceph auth get-or-create client.foo mon 'allow r' mds 'allow r, allow rw path=/bar' osd 'allow rwx'


To restrict a client to the specified sub-directory only, name that directory
when mounting, using the following syntax::

    ./ceph-fuse -n client.*client_name* *mount_path* *directory_to_be_mounted*

For example, to restrict client ``foo`` to the ``mnt/bar`` directory, use::

    ./ceph-fuse -n client.foo mnt /bar


For read-only access to a sub-directory, use::

    ./ceph-fuse -n client.*client_name* *mount_path* -r *directory_to_be_mounted*

For example, to restrict client ``foo`` to read-only access for the ``mnt/bar``
directory, use::

    ./ceph-fuse -n client.foo mnt -r /bar
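
An added example, not part of the Ceph documentation: a shell function that reads a capability listing in the plain-text layout printed by ``ceph auth ls`` and reports every MDS grant that allows writes without a ``path=`` restriction, the condition the key syntax above is meant to avoid. The function names, entity names and sample listing are constructed for illustration, and only the ``rw`` and ``*`` capability specs are checked.

```shell
#!/bin/sh
# Print "<entity> <grant>" for each MDS grant that permits writes but
# carries no path= restriction. Reads the listing on stdin.
unrestricted_mds_writers() {
    awk '
        /^[^ \t]/ { entity = $1; next }            # unindented line names a new entity
        /caps: \[mds\]/ {
            sub(/^.*caps: \[mds\][ \t]*/, "")      # keep only the capability string
            n = split($0, grants, /[ \t]*,[ \t]*/) # grants are comma-separated
            for (i = 1; i <= n; i++) {
                g = grants[i]
                # "allow rw..." and "allow *" both permit writes
                if (g ~ /^allow[ \t]+(rw|\*)/ && g !~ /path=/)
                    print entity, g
            }
        }
    '
}

# Constructed sample listing (names, paths and key placeholders are made up).
sample_auth_listing() {
    cat <<'EOF'
client.foo
    key: <redacted>
    caps: [mds] allow r, allow rw path=/bar
    caps: [mon] allow r
    caps: [osd] allow rwx
client.backup
    key: <redacted>
    caps: [mds] allow r, allow rw
    caps: [mon] allow r
    caps: [osd] allow rwx
client.admin
    key: <redacted>
    caps: [mds] allow *
    caps: [mon] allow *
    caps: [osd] allow *
EOF
}

# client.foo is path-restricted and is not reported; the other two are.
sample_auth_listing | unrestricted_mds_writers
```

On a live cluster the same function can be fed the real listing, for example ``./ceph auth ls | unrestricted_mds_writers``.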