Bug #18254
path restricted cephx caps not working correctly
Status: closed
% Done: 0%
Backport: jewel
Regression: No
Severity: 3 - minor
Component(FS): Client
Description
Ramana noticed this first while testing my ganesha patches to allow restricting exports. It appears that attempting to restrict a particular cephx user to a subtree of the whole cephfs is not working correctly. To reproduce:
1) Set up a cephfs cluster with cephx enabled (I used vstart).
2) Mount up the share using ceph-fuse and create a directory within it called "/export".
3) Create a user named "alice" and give it wide open permissions first:
$ ./bin/ceph auth add client.alice mon 'allow *' mds 'allow *' osd 'allow rw'
4) Take the attached program and build it vs. libcephfs:
$ gcc -Wall -o ./ceph_submount ./ceph_submount.c -lcephfs
5) Run the program. You should see "Mount successful!" output.
6) Now, restrict the mds caps for alice:
$ ceph auth caps client.alice mds "allow rw path=/export" mon "allow *" osd "allow rw"
7) Run the program again:
$ ./bin/ceph_submount
mount: -1
That's -EPERM. So either I'm not restricting the caps correctly by path, or something is broken...
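Added example (not the attached ceph_submount.c and not Ceph's own code): a small Python model of what the mds cap strings from steps 3 and 6 are expected to permit, usable as a check when auditing path-restricted caps. It only states the intended effect of the restriction and does not explain the -EPERM reported above. Assumptions: only the clause form "allow <perms> [path=<path>]" seen on this page is parsed, and matching on whole path components is the assumed rule; all function names are hypothetical.

```python
import re
from typing import NamedTuple, Optional

class Grant(NamedTuple):
    perms: str            # "*", "r", "rw"
    path: Optional[str]   # None means the grant covers the whole file system

# Subset of the cap syntax seen on this page: allow <perms> [path=<path>]
_GRANT_RE = re.compile(r"^allow\s+(\*|[rw]+)(?:\s+path=(\S+))?$")

def parse_mds_caps(cap: str) -> list[Grant]:
    """Parse a comma-separated mds cap string; reject clauses outside the subset."""
    grants = []
    for part in cap.split(","):
        m = _GRANT_RE.match(part.strip())
        if m is None:
            raise ValueError(f"unsupported cap clause: {part.strip()!r}")
        path = m.group(2)
        if path is not None:
            path = "/" + path.strip("/")   # normalise "export/" to "/export"
        grants.append(Grant(m.group(1), path))
    return grants

def covers(grant: Grant, target: str) -> bool:
    """True if target lies in the subtree the grant names (assumed rule)."""
    if grant.path is None or grant.path == "/":
        return True
    target = "/" + target.strip("/")
    # Compare whole path components so /export does not cover /exportfoo.
    return target == grant.path or target.startswith(grant.path + "/")

def allowed(cap: str, target: str, need: str = "r") -> bool:
    """Does any grant in cap give every permission in need on target?"""
    for g in parse_mds_caps(cap):
        has = g.perms == "*" or all(p in g.perms for p in need)
        if has and covers(g, target):
            return True
    return False

def unrestricted(cap: str) -> bool:
    """Audit helper: does any grant in the cap string reach the whole tree?"""
    return any(g.path in (None, "/") for g in parse_mds_caps(cap))

if __name__ == "__main__":
    paths = ("/", "/export", "/export/a", "/exportfoo")   # constructed samples
    for cap in ("allow *", "allow rw path=/export"):      # caps from steps 3 and 6
        print(cap, "->", {p: allowed(cap, p, "rw") for p in paths})
```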