Bug #17798 (closed)
Clients without pool-changing caps shouldn't be allowed to change pool_namespace
% Done: 0%
Source: other
Tags:
Backport: jewel
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(FS): MDS
Labels (FS):
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
The purpose of the 'p' flag in MDS client auth caps is to enable creating clients that cannot set the pool part of the file layout. We created that so that locked-down clients that are meant to be confined to a particular pool cannot create layouts pointing to any other pool.
The purpose of setting a namespace on file layouts is to enable creating clients that have OSD caps limiting them to that particular namespace. When we have clients like that, it doesn't make sense to allow them to modify their file layouts' pool_namespace field to point to a namespace that they don't have permission to write to.
Therefore, we should apply the same restriction on setting pool_namespace that we currently apply to setting pool.
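A simplified model of the restriction requested above, as an added example (not Ceph's MDS code). The types, function names and the `restrict_namespace` switch are hypothetical, and the pool and namespace values are constructed.

```cpp
#include <string>

// Simplified model of a file layout: only the fields this example needs.
struct Layout {
    unsigned long stripe_unit;
    std::string pool;
    std::string pool_namespace;
};

// Simplified MDS client caps: 'w' allows writes, 'p' allows changing placement.
struct MdsCaps {
    bool write;
    bool set_pool;  // the 'p' flag
};

// Apply one layout field, as a setxattr on e.g. ceph.file.layout.pool_namespace
// would. Returns false for a field this model does not know.
bool apply_field(Layout &l, const std::string &field, const std::string &value) {
    if (field == "pool") l.pool = value;
    else if (field == "pool_namespace") l.pool_namespace = value;
    else if (field == "stripe_unit") l.stripe_unit = std::stoul(value);
    else return false;
    return true;
}

// Policy check. restrict_namespace=false models the behaviour the report
// describes (only a pool change needs 'p'); true models the requested fix.
bool may_set_layout(const MdsCaps &caps, const Layout &before,
                    const Layout &after, bool restrict_namespace) {
    if (!caps.write) return false;
    bool placement_changed = before.pool != after.pool;
    if (restrict_namespace && before.pool_namespace != after.pool_namespace)
        placement_changed = true;
    return !placement_changed || caps.set_pool;
}

// Apply to a copy and commit only if the caps allow the resulting layout.
bool try_set(const MdsCaps &caps, Layout &l, const std::string &field,
             const std::string &value, bool restrict_namespace) {
    Layout candidate = l;
    if (!apply_field(candidate, field, value)) return false;
    if (!may_set_layout(caps, l, candidate, restrict_namespace)) return false;
    l = candidate;
    return true;
}
int main() {  // constructed sample: a client without 'p', confined to "ns1"
    Layout l{4194304, "cephfs_data", "ns1"};
    return try_set(MdsCaps{true, false}, l, "pool_namespace", "ns2", true) ? 1 : 0;
}
```

Because the check compares the layout before and after, rewriting a field to its current value or changing a non-placement field such as `stripe_unit` still succeeds without 'p'.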
Updated by John Spray over 7 years ago
- Status changed from In Progress to Pending Backport
- Backport set to jewel
Updated by Nathan Cutler over 7 years ago
- Copied to Backport #17956: jewel: Clients without pool-changing caps shouldn't be allowed to change pool_namespace added
Updated by John Spray over 7 years ago
- Status changed from Pending Backport to Resolved