Project

General

Profile

Actions
Copy link

Bug #18589

closed

ceph_volume_client.py doesn't create enough mds caps

Added by Huamin Chen about 7 years ago. Updated about 7 years ago.

Status:
Duplicate
Priority:
High
Assignee:
-
Category:
Security Model
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(FS):
kceph
Labels (FS):
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

In _authorize_ceph() at https://github.com/ceph/ceph/blob/master/src/pybind/ceph_volume_client.py#L1032, the caps is "allow r path=/some/path". This is not sufficient. I got permission denied error when mounting the volume using this cap.

According to ceph fs doc at http://docs.ceph.com/docs/master/cephfs/client-auth/, mds cap is "mds 'allow r, allow rw path=/*specified_directory*'". I added "allow r" and cephfs volume was mounted.

Actions
Copy link
 #2

Updated by Greg Farnum about 7 years ago

  • Project changed from Ceph to CephFS
  • Category set to Security Model
  • Component(FS) kceph added

This report applies to mounting with the kernel, not ceph-fuse, right? I think that makes this a kernel issue where it's unconditionally doing a root inode lookup, not a VolumeClient one. We had something like that in userspace recently, but I can't seem to find that bug number right now.

Actions
Copy link
 #3

Updated by John Spray about 7 years ago

  • Status changed from New to Duplicate

Assuming that you encounted this issue with kernel client, the bug was http://tracker.ceph.com/issues/17191, which was fixed in linux 4.9. The fuse client does not have the bug.

Actions
Copy link

Also available in: Atom PDF