Feature #59388
mds/MDSAuthCaps: "fsname", path, root_squash can't be in same cap with uid and/or gids
Description
MDS capabilities can take 5 parameters: FS name, path, root squash, UID and GIDs. It's possible to have the first 3 together in an MDS cap and also to have the latter 2 together in an MDS cap. But it's not possible to combine the two groups fully or partially.
Following commands run successfully -
MONCAP="allow rw"
OSDCAP="allow rw tag cephfs data=a"
ceph auth add client.x mon "$MONCAP" osd "$OSDCAP" mds "allow rw fsname=cephfs1"
ceph auth add client.x mon "$MONCAP" osd "$OSDCAP" mds "allow rw fsname=cephfs1 path=dir1/dir2"
ceph auth add client.x mon "$MONCAP" osd "$OSDCAP" mds "allow rw uid=1000"
ceph auth add client.x mon "$MONCAP" osd "$OSDCAP" mds "allow rw gids=1000,1001,1002"
ceph auth add client.x mon "$MONCAP" osd "$OSDCAP" mds "allow rw uid=1000 gids=1000,1001,1002"
But following commands don't run successfully -
ceph auth add client.x mon "$MONCAP" osd "$OSDCAP" mds "allow rw fsname=a uid=1000"
ceph auth add client.x mon "$MONCAP" osd "$OSDCAP" mds "allow rw fsname=a gids=1000,1001,1002"
ceph auth add client.x mon "$MONCAP" osd "$OSDCAP" mds "allow rw fsname=a uid=1000 gids=1000,1001,1002"
Same goes when path and/or root_squash (with or without fsname) is combined with UID and/or GIDs. Following error is printed in each of these cases -
Error EINVAL: mds capability parse failed
This shouldn't be the case. It should be possible to combine in a cap UID and GID with FS name/FS path/root squash.
Updated by Rishabh Dave about 1 year ago
- Description updated (diff)
- Status changed from New to In Progress
- Assignee set to Rishabh Dave
- Priority changed from Normal to High
Updated by Rishabh Dave about 1 year ago
- Subject changed from "fsname", path, root_squash can't be in same cap with uid and/or gids to mds/MDSAuthCaps: "fsname", path, root_squash can't be in same cap with uid and/or gids
Updated by Venky Shankar about 1 year ago
- Category set to Correctness/Safety
- Target version set to v19.0.0
- Backport set to reef,quincy,pacific
Updated by Rishabh Dave about 1 year ago
We can have 5 elements in one MDS Cap -
1. fs name (string)
2. fs path (string)
3. root_squash (bool)
4. uid (int)
5. gids (list of ints)
Total 31 types of MDS caps are possible (5c5 + 5c4 + 5c3 + 5c2 + 5c1 = 31). Out of these, 11 MDS caps succeeded in parsing and 20 MDS caps failed to parse.
Parsing failed for following MDS caps -
allow rw gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'gids=1000,1001,1002' of 'allow rw gids=1000,1001,1002'
allow rw fsname=a uid=1000
Error EINVAL: mds capability parse failed, stopped at 'uid=1000' of 'allow rw fsname=a uid=1000'
allow rw fsname=a gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'gids=1000,1001,1002' of 'allow rw fsname=a gids=1000,1001,1002'
allow rw path=/dir1 gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'gids=1000,1001,1002' of 'allow rw path=/dir1 gids=1000,1001,1002'
allow rw root_squash uid=1000
Error EINVAL: mds capability parse failed, stopped at 'uid=1000' of 'allow rw root_squash uid=1000'
allow rw root_squash gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'gids=1000,1001,1002' of 'allow rw root_squash gids=1000,1001,1002'
allow rw fsname=a path=/dir1 uid=1000
Error EINVAL: mds capability parse failed, stopped at 'uid=1000' of 'allow rw fsname=a path=/dir1 uid=1000'
allow rw fsname=a path=/dir1 gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'gids=1000,1001,1002' of 'allow rw fsname=a path=/dir1 gids=1000,1001,1002'
allow rw fsname=a root_squash uid=1000
Error EINVAL: mds capability parse failed, stopped at 'uid=1000' of 'allow rw fsname=a root_squash uid=1000'
allow rw fsname=a root_squash gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'gids=1000,1001,1002' of 'allow rw fsname=a root_squash gids=1000,1001,1002'
allow rw fsname=a uid=1000 gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'uid=1000 gids=1000,1001,1002' of 'allow rw fsname=a uid=1000 gids=1000,1001,1002'
allow rw path=/dir1 root_squash uid=1000
Error EINVAL: mds capability parse failed, stopped at 'uid=1000' of 'allow rw path=/dir1 root_squash uid=1000'
allow rw path=/dir1 root_squash gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'gids=1000,1001,1002' of 'allow rw path=/dir1 root_squash gids=1000,1001,1002'
allow rw root_squash uid=1000 gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'uid=1000 gids=1000,1001,1002' of 'allow rw root_squash uid=1000 gids=1000,1001,1002'
allow rw fsname=a path=/dir1 root_squash uid=1000
Error EINVAL: mds capability parse failed, stopped at 'uid=1000' of 'allow rw fsname=a path=/dir1 root_squash uid=1000'
allow rw fsname=a path=/dir1 root_squash gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'gids=1000,1001,1002' of 'allow rw fsname=a path=/dir1 root_squash gids=1000,1001,1002'
allow rw fsname=a path=/dir1 uid=1000 gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'uid=1000 gids=1000,1001,1002' of 'allow rw fsname=a path=/dir1 uid=1000 gids=1000,1001,1002'
allow rw fsname=a root_squash uid=1000 gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'uid=1000 gids=1000,1001,1002' of 'allow rw fsname=a root_squash uid=1000 gids=1000,1001,1002'
allow rw path=/dir1 root_squash uid=1000 gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'uid=1000 gids=1000,1001,1002' of 'allow rw path=/dir1 root_squash uid=1000 gids=1000,1001,1002'
allow rw fsname=a path=/dir1 root_squash uid=1000 gids=1000,1001,1002
Error EINVAL: mds capability parse failed, stopped at 'uid=1000 gids=1000,1001,1002' of 'allow rw fsname=a path=/dir1 root_squash uid=1000 gids=1000,1001,1002'
And following MDS caps were parsed successfully -
allow rw fsname=a
allow rw path=/dir1
allow rw root_squash
allow rw uid=1000
allow rw fsname=a path=/dir1
allow rw fsname=a root_squash
allow rw path=/dir1 root_squash
allow rw path=/dir1 uid=1000
allow rw uid=1000 gids=1000,1001,1002
allow rw fsname=a path=/dir1 root_squash
allow rw path=/dir1 uid=1000 gids=1000,1001,1002
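Added example, not part of the tracker comments or the Ceph code base: a generator for the 31-cap matrix described above, usable as a regression list when checking that an MDS cap can combine fsname/path/root_squash with uid/gids. The `parsed_before_fix` predicate is a pattern inferred from the two lists in the comment (an assumption, not Ceph's grammar), and the function names are hypothetical.

```python
from itertools import combinations

# Parameter order follows the comment's numbered list; values are the ones it used.
PARAMS = [
    ("fsname", "fsname=a"),
    ("path", "path=/dir1"),
    ("root_squash", "root_squash"),
    ("uid", "uid=1000"),
    ("gids", "gids=1000,1001,1002"),
]


def all_caps():
    """Yield (parameter names, cap string) for every non-empty subset, in list order."""
    for r in range(1, len(PARAMS) + 1):
        for combo in combinations(PARAMS, r):
            names = frozenset(name for name, _ in combo)
            yield names, "allow rw " + " ".join(token for _, token in combo)


def parsed_before_fix(names):
    """Inferred from the reported lists (assumption): a cap parsed when it had no
    uid/gids at all, or had uid and neither fsname nor root_squash."""
    if not names & {"uid", "gids"}:
        return True
    return "uid" in names and not names & {"fsname", "root_squash"}


def matrix():
    """Split the 31 caps into (parsed, failed) according to the reported behaviour."""
    ok, failed = [], []
    for names, cap in all_caps():
        (ok if parsed_before_fix(names) else failed).append(cap)
    return ok, failed


def auth_commands(caps, entity="client.x"):
    """Render one `ceph auth add` line per cap, reusing the report's shell variables."""
    return [f'ceph auth add {entity} mon "$MONCAP" osd "$OSDCAP" mds "{cap}"'
            for cap in caps]


if __name__ == "__main__":
    ok, failed = matrix()
    print(f"{len(ok)} parsed, {len(failed)} failed before the fix")
    for line in auth_commands(failed):
        print(line)
```

After the fix, every cap string from `all_caps()` is expected to be accepted, so the `failed` list doubles as the set of caps to re-test on each backport branch.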
Updated by Rishabh Dave about 1 year ago
- Status changed from In Progress to Fix Under Review
Updated by Rishabh Dave about 1 year ago
The PR makes all 31 types of MDS cap parse successfully.
Updated by Rishabh Dave 10 months ago
- Status changed from Fix Under Review to Resolved
Updated by Rishabh Dave 10 months ago
- Status changed from Resolved to Pending Backport
Updated by Backport Bot 10 months ago
- Copied to Backport #62026: reef: mds/MDSAuthCaps: "fsname", path, root_squash can't be in same cap with uid and/or gids added
Updated by Backport Bot 10 months ago
- Copied to Backport #62027: quincy: mds/MDSAuthCaps: "fsname", path, root_squash can't be in same cap with uid and/or gids added
Updated by Backport Bot 10 months ago
- Copied to Backport #62028: pacific: mds/MDSAuthCaps: "fsname", path, root_squash can't be in same cap with uid and/or gids added