Backport #18307

path restricted cephx caps not working correctly

Added by Jeff Layton over 7 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Normal
Assignee:
Target version:
Release: jewel
Crash signature (v1):
Crash signature (v2):


Related issues

Copied from CephFS - Bug #18254: path restricted cephx caps not working correctly Resolved 12/14/2016

History

#1 Updated by Jeff Layton over 7 years ago

  • Copied from Bug #18254: path restricted cephx caps not working correctly added

#3 Updated by Nathan Cutler over 7 years ago

  • Tracker changed from Bug to Backport
  • Description updated (diff)
  • Status changed from Pending Backport to New

original description

Ramana noticed this first while testing my ganesha patches to allow restricting exports. It appears that attempting to restrict a particular cephx user to a subtree of the whole cephfs is not working correctly. To reproduce:

1) Set up a cephfs cluster with cephx enabled (I used vstart).

2) Mount up the share using ceph-fuse and create a directory within it called "/export".

3) Create a user named "alice" and give it wide open permissions first:

$ ./bin/ceph auth add client.alice mon 'allow *' mds 'allow *' osd 'allow rw'

4) Take the attached program and build it vs. libcephfs:

$ gcc -Wall -o ./ceph_submount ./ceph_submount.c -lcephfs

5) Run the program. You should see "Mount successful!" output.

6) Now, restrict the mds caps for alice:

$ ceph auth caps client.alice mds "allow rw path=/export" mon "allow *" osd "allow rw"

7) Run the program again:

$ ./bin/ceph_submount 
mount: -1

That's -EPERM. So either I'm not restricting the caps correctly by path, or something is broken...
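
A simplified model of the subtree scoping that the path= restriction in step 6 asks for, added here as an example and not taken from Ceph or from the deleted ceph_submount.c. The function names, the reduced cap grammar and the component-wise prefix rule are assumptions of this example; the two cap strings are the ones from steps 3 and 6.

```python
import posixpath
import re

# Constructed sample inputs: the mds cap strings from steps 3 and 6 above.
WIDE_OPEN = "allow *"
RESTRICTED = "allow rw path=/export"

# Reduced grammar (assumption): 'allow <spec> [path=<p>]' only; uid/gids
# and other qualifiers that real cephx caps accept are rejected.
GRANT_RE = re.compile(r"^allow\s+(?P<spec>\*|all|rw|r)(?:\s+path=(?P<path>\S+))?$")


def normalize(path):
    """Resolve '.', '..' and repeated slashes; return the path components."""
    clean = posixpath.normpath("/" + path)
    return tuple(c for c in clean.split("/") if c)


def parse_mds_caps(caps):
    """Parse a comma-separated mds cap string into (spec, path components)."""
    grants = []
    for part in caps.split(","):
        m = GRANT_RE.match(part.strip())
        if m is None:
            raise ValueError("unsupported grant: %r" % part)
        # A grant without path= applies to the whole tree.
        grants.append((m.group("spec"), normalize(m.group("path") or "/")))
    return grants


def mount_allowed(caps, mount_root):
    """True if some grant's path is a component-wise prefix of mount_root.

    Comparing components rather than raw strings keeps '/exportfoo' from
    matching a grant on '/export', and normalizing first keeps
    '/export/../other' from escaping the subtree.
    """
    target = normalize(mount_root)
    return any(target[:len(path)] == path
               for _spec, path in parse_mds_caps(caps))


if __name__ == "__main__":
    for root in ("/", "/export", "/export/sub", "/exportfoo", "/export/../other"):
        print(root, mount_allowed(WIDE_OPEN, root), mount_allowed(RESTRICTED, root))
```

Under this model the restricted cap still covers /export and everything beneath it, so the rule predicts that a mount rooted inside /export succeeds and one rooted at / does not.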

#4 Updated by Nathan Cutler over 7 years ago

  • Description updated (diff)
  • Status changed from New to Resolved

#5 Updated by Nathan Cutler over 7 years ago

  • File deleted (ceph_submount.c)

#6 Updated by Nathan Cutler over 7 years ago

  • File deleted (0001-ceph-add-ceph_submount-test-program.patch)

#7 Updated by Nathan Cutler over 7 years ago

(removed attachments that are available at #18254)

#8 Updated by Loïc Dachary over 7 years ago

  • Target version set to v10.2.6
