Backport #18307
path restricted cephx caps not working correctly
Related issues
History
#1 Updated by Jeff Layton over 7 years ago
- Copied from Bug #18254: path restricted cephx caps not working correctly added
#2 Updated by Jeff Layton over 7 years ago
PR is up here:
#3 Updated by Nathan Cutler over 7 years ago
- Tracker changed from Bug to Backport
- Description updated (diff)
- Status changed from Pending Backport to New
original description
Ramana noticed this first while testing my ganesha patches to allow restricting exports. It appears that attempting to restrict a particular cephx user to a subtree of the whole cephfs is not working correctly. To reproduce:
1) Set up a cephfs cluster with cephx enabled (I used vstart).
2) Mount up the share using ceph-fuse and create a directory within it called "/export".
3) Create a user named "alice" and give it wide open permissions first:
$ ./bin/ceph auth add client.alice mon 'allow *' mds 'allow *' osd 'allow rw'
4) Take the attached program and build it vs. libcephfs:
$ gcc -Wall -o ./ceph_submount ./ceph_submount.c -lcephfs
5) Run the program. You should see "Mount successful!" output.
6) Now, restrict the mds caps for alice:
$ ceph auth caps client.alice mds "allow rw path=/export" mon "allow *" osd "allow rw"
7) Run the program again:
$ ./bin/ceph_submount
mount: -1
That's -EPERM. So either I'm not restricting the caps correctly by path, or something is broken...
#4 Updated by Nathan Cutler over 7 years ago
- Description updated (diff)
- Status changed from New to Resolved
#5 Updated by Nathan Cutler over 7 years ago
- File deleted (ceph_submount.c)
#6 Updated by Nathan Cutler over 7 years ago
- File deleted (0001-ceph-add-ceph_submount-test-program.patch)
#7 Updated by Nathan Cutler over 7 years ago
(removed attachments that are available at #18254)
#8 Updated by Loïc Dachary over 7 years ago
- Target version set to v10.2.6