mirror of
https://github.com/ceph/ceph
synced 2024-12-19 01:46:00 +00:00
811e48d6ff
Add a 'fsname' clause to mon auth caps to restrict a client's view of the FSMap. Example: mon 'allow rw fsname=cephfs2' This would restrict the client's view of the FSMap to the MDSMap for cephfs2. Any MDS allocated to a different filesystem will be invisible. Global standby daemons are always visible. To allow multiple CephFSs, add multiple caps: mon 'allow rw fsname=cephfs2, allow rw fsname=cephfs2' Fixes: http://tracker.ceph.com/issues/15070 Signed-off-by: Douglas Fuller <dfuller@redhat.com> Signed-off-by: Rishabh Dave <ridave@redhat.com>
187 lines
6.5 KiB
ReStructuredText
187 lines
6.5 KiB
ReStructuredText
================================
|
||
CephFS Client Capabilities
|
||
================================
|
||
|
||
Use Ceph authentication capabilities to restrict your file system clients
|
||
to the lowest possible level of authority needed.
|
||
|
||
.. note::
|
||
|
||
Path restriction and layout modification restriction are new features
|
||
in the Jewel release of Ceph.
|
||
|
||
.. note::
|
||
|
||
Using Erasure Coded(EC) pools with CephFS is supported only with the
|
||
BlueStore Backend. They cannot be used as metadata pools and overwrites must
|
||
be enabled on the data pools.
|
||
|
||
|
||
Path restriction
|
||
================
|
||
|
||
By default, clients are not restricted in what paths they are allowed to mount.
|
||
Further, when clients mount a subdirectory, e.g., /home/user, the MDS does not
|
||
by default verify that subsequent operations
|
||
are ‘locked’ within that directory.
|
||
|
||
To restrict clients to only mount and work within a certain directory, use
|
||
path-based MDS authentication capabilities.
|
||
|
||
Syntax
|
||
------
|
||
|
||
To grant rw access to the specified directory only, we mention the specified
|
||
directory while creating key for a client using the following syntax. ::
|
||
|
||
ceph fs authorize *file_system_name* client.*client_name* /*specified_directory* rw
|
||
|
||
For example, to restrict client ``foo`` to writing only in the ``bar`` directory of file system ``cephfs_a``, use ::
|
||
|
||
ceph fs authorize cephfs_a client.foo / r /bar rw
|
||
|
||
results in:
|
||
|
||
client.foo
|
||
key: *key*
|
||
caps: [mds] allow r, allow rw path=/bar
|
||
caps: [mon] allow r
|
||
caps: [osd] allow rw tag cephfs data=cephfs_a
|
||
|
||
To completely restrict the client to the ``bar`` directory, omit the
|
||
root directory ::
|
||
|
||
ceph fs authorize cephfs_a client.foo /bar rw
|
||
|
||
Note that if a client's read access is restricted to a path, they will only
|
||
be able to mount the file system when specifying a readable path in the
|
||
mount command (see below).
|
||
|
||
Supplying ``all`` or ``*`` as the file system name will grant access to every
|
||
file system. Note that it is usually necessary to quote ``*`` to protect it from
|
||
the shell.
|
||
|
||
See `User Management - Add a User to a Keyring`_. for additional details on user management
|
||
|
||
To restrict a client to the specified sub-directory only, we mention the specified
|
||
directory while mounting using the following syntax. ::
|
||
|
||
./ceph-fuse -n client.*client_name* *mount_path* -r *directory_to_be_mounted*
|
||
|
||
For example, to restrict client ``foo`` to ``mnt/bar`` directory, we will use. ::
|
||
|
||
./ceph-fuse -n client.foo mnt -r /bar
|
||
|
||
Free space reporting
|
||
--------------------
|
||
|
||
By default, when a client is mounting a sub-directory, the used space (``df``)
|
||
will be calculated from the quota on that sub-directory, rather than reporting
|
||
the overall amount of space used on the cluster.
|
||
|
||
If you would like the client to report the overall usage of the file system,
|
||
and not just the quota usage on the sub-directory mounted, then set the
|
||
following config option on the client::
|
||
|
||
|
||
client quota df = false
|
||
|
||
If quotas are not enabled, or no quota is set on the sub-directory mounted,
|
||
then the overall usage of the file system will be reported irrespective of
|
||
the value of this setting.
|
||
|
||
Layout and Quota restriction (the 'p' flag)
|
||
===========================================
|
||
|
||
To set layouts or quotas, clients require the 'p' flag in addition to 'rw'.
|
||
This restricts all the attributes that are set by special extended attributes
|
||
with a "ceph." prefix, as well as restricting other means of setting
|
||
these fields (such as openc operations with layouts).
|
||
|
||
For example, in the following snippet client.0 can modify layouts and quotas
|
||
on the file system cephfs_a, but client.1 cannot::
|
||
|
||
client.0
|
||
key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
|
||
caps: [mds] allow rwp
|
||
caps: [mon] allow r
|
||
caps: [osd] allow rw tag cephfs data=cephfs_a
|
||
|
||
client.1
|
||
key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
|
||
caps: [mds] allow rw
|
||
caps: [mon] allow r
|
||
caps: [osd] allow rw tag cephfs data=cephfs_a
|
||
|
||
|
||
Snapshot restriction (the 's' flag)
|
||
===========================================
|
||
|
||
To create or delete snapshots, clients require the 's' flag in addition to 'rw'.
|
||
Note that when capability string also contains the 'p' flag, the 's' flag must
|
||
appear after it (all flags except 'rw' must be specified in alphabetical order).
|
||
|
||
For example, in the following snippet client.0 can create or delete snapshots
|
||
in the ``bar`` directory of file system ``cephfs_a``::
|
||
|
||
client.0
|
||
key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
|
||
caps: [mds] allow rw, allow rws path=/bar
|
||
caps: [mon] allow r
|
||
caps: [osd] allow rw tag cephfs data=cephfs_a
|
||
|
||
|
||
.. _User Management - Add a User to a Keyring: ../../rados/operations/user-management/#add-a-user-to-a-keyring
|
||
|
||
Network restriction
|
||
===================
|
||
|
||
::
|
||
|
||
client.foo
|
||
key: *key*
|
||
caps: [mds] allow r network 10.0.0.0/8, allow rw path=/bar network 10.0.0.0/8
|
||
caps: [mon] allow r network 10.0.0.0/8
|
||
caps: [osd] allow rw tag cephfs data=cephfs_a network 10.0.0.0/8
|
||
|
||
The optional ``{network/prefix}`` is a standard network name and
|
||
prefix length in CIDR notation (e.g., ``10.3.0.0/16``). If present,
|
||
the use of this capability is restricted to clients connecting from
|
||
this network.
|
||
|
||
File system Information Restriction
|
||
===================================
|
||
|
||
If desired, the monitor cluster can present a limited view of the file systems
|
||
available. In this case, the monitor cluster will only inform clients about
|
||
file systems specified by the administrator. Other file systems will not be
|
||
reported and commands affecting them will fail as if the file systems do
|
||
not exist.
|
||
|
||
Consider following example. The Ceph cluster has 2 FSs::
|
||
|
||
$ ceph fs ls
|
||
name: cephfs, metadata pool: cephfs_metadata, data pools: [cephfs_data ]
|
||
name: cephfs2, metadata pool: cephfs2_metadata, data pools: [cephfs2_data ]
|
||
|
||
But we authorize client ``someuser`` for only one FS::
|
||
|
||
$ ceph fs authorize cephfs client.someuser / rw
|
||
[client.someuser]
|
||
key = AQAmthpf89M+JhAAiHDYQkMiCq3x+J0n9e8REQ==
|
||
$ cat ceph.client.someuser.keyring
|
||
[client.someuser]
|
||
key = AQAmthpf89M+JhAAiHDYQkMiCq3x+J0n9e8REQ==
|
||
caps mds = "allow rw fsname=cephfs"
|
||
caps mon = "allow r fsname=cephfs"
|
||
caps osd = "allow rw tag cephfs data=cephfs"
|
||
|
||
And the client can only see the FS that it has authorization for::
|
||
|
||
$ ceph fs ls -n client.someuser -k ceph.client.someuser.keyring
|
||
name: cephfs, metadata pool: cephfs_metadata, data pools: [cephfs_data ]
|
||
|
||
Standby MDS daemons will always be displayed. Note that the information about
|
||
restricted MDS daemons and file systems may become available by other means,
|
||
such as ``ceph health detail``.
|