ceph/doc/cephfs/path-based restriction.rst
Jashan Kamboj 6a6c06887c doc/cephfs: path-based restriction
Signed-off-by: Jashan Kamboj <jashank42@gmail.com>
2015-10-01 09:39:34 -04:00

42 lines
1.5 KiB
ReStructuredText
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

================================
Restrict Access to a Directory
================================
CephFS mostly assumes a controlled environment where clients are not restricted
in what paths they are allowed to mount. And if they do mount a subdirectory,
e.g., /home/user, the MDS does not currently verify that subsequent operations
are locked within that directory. Path-based restriction allows us to restrict
a client to a particular directory in the file system.
Syntax
======
To grant rw access to the specified directory only, we mention the specified
directory while creating key for a client following the undermentioned syntax. ::
./ceph auth get-or-create client.*client_name* mon 'allow r' mds 'allow r, allow rw path=/*specified_directory*' osd 'allow rwx'
for example, to restrict client ``foo`` to ``bar`` directory, we will use. ::
./ceph auth get-or-create client.foo mon 'allow r' mds 'allow r, allow rw path=/bar' osd 'allow rwx'
To restrict a client to the specfied sub-directory only, we mention the specified
directory while mounting following the undermentioned syntax. ::
./ceph-fuse -n client.*client_name* *mount_path* *directory_to_be_mounted*
for example, to restrict client ``foo`` to ``mnt/bar`` directory, we will use. ::
./ceph-fuse -n client.foo mnt /bar
For read-only access to sub-directory we can use. ::
./ceph-fuse -n client.*client_name* *mount_path* -r *directory_to_be_mounted*
for example, to restrict client ``foo`` to read-only access for ``mnt/bar``
directory, we will use. ::
./ceph-fuse -n client.foo mnt -r /foo