Cephfs - multitenancy features » History » Version 1
Jessica Mack, 07/06/2015 09:58 PM
1 | 1 | Jessica Mack | h1. Cephfs - multitenancy features |
---|---|---|---|
2 | |||
3 | h3. Summary |
||
4 | |||
5 | Make CephFS more secure in multi-tenant environments |
||
6 | |||
7 | h3. Owners |
||
8 | |||
9 | * Sage Weil (Red Hat) |
||
10 | * Name (Affiliation) |
||
11 | * Name |
||
12 | |||
13 | h3. Interested Parties |
||
14 | |||
15 | * Danny Al-Gaaf (Deutsche Telekom) |
||
16 | * Name (Affiliation) |
||
17 | * Name |
||
18 | |||
19 | h3. Current Status |
||
20 | |||
21 | CephFS has a capability defined that is intended to describe what a client is allowed to do. Currently it parses a bunch fo stuff but we only interpret it as a binary value: is this client allowed to mount the file system? If it mounts, it can do anything. |
||
22 | Ceph has similar capabilities that let you lock a client into different rados pools or rados namespaces. |
||
23 | CephFS lets you set a policy on a directory that puts new files in specific rados pools. |
||
24 | |||
25 | h3. Detailed Description |
||
26 | |||
27 | *Read-only mount* |
||
28 | Make the capability specify that a given client can only mount read-only and cannot make any cahnges |
||
29 | |||
30 | *Root squash* |
||
31 | Make the capability specify that a given client cannot act as root. This should mimic the NFS semantics. I went hunting for a detailed technical description of what that is, but didn't find anything. Reading the source is probably the best way to establish that. I think it means: |
||
32 | |||
33 | p((. cannot read/write/etc a file that is only readable/writeable/etc by root |
||
34 | |||
35 | Since the cephfs client is trusted to map ops to users, anything non-root is still fair game since the client can claim to be whatever uid/gid own the file. I don't think it is worth trying anything else clever there... at least not until we specify in teh capability that we can only be a specific uid. |
||
36 | |||
37 | *Path-based mount restriction* |
||
38 | This is parsed, but not enforced. Here we should only allow teh client to mount a subdirectory (or something beneath it). That means that any open-by-ino needs to ensure that the ino is part of that subtree. I think this can happen int eh request path, somewhere in the neighborhood of rdlock_path_pin_ref() or rdlock_path_xlock_dentry(). |
||
39 | * verify that any lookup-by-ino (targeti?) lives in the subtree |
||
40 | * possibly special case allow inodes where we have a remote dentry inside the subtree pointing to something outside of it? at the very least we need to handle inodes that are in a straydir if their previous owner was in the correct tree. This may be tricky to establish :( |
||
41 | |||
42 | *Extend file layout ceph_file_layout to specify a namespace id (uint64_t?)* |
||
43 | Right now this layout specifies a data pool number. It could also specify a namespace id, or 0 for none. The actual rados namespaces are described by strings, but we could make the cephfs ones be decimal string forms of the namespace numbers. |
||
44 | We have two unused fields in this struct we could reclaim: |
||
45 | |||
46 | p((. __le32 fl_cas_hash; // never used |
||
47 | __le32 fl_unused; // used to be the preferred pg, removed years ago |
||
48 | |||
49 | Perhaps 2^32 namespaces is enough and we just use one of them. |
||
50 | This would require changes in |
||
51 | * mds: parse virtual xattrs for this field |
||
52 | * mds: use this namespace for all backtrace operations |
||
53 | * mds: do any file probe or cleanup in this namespace |
||
54 | * mds: use this namespace for backtraces |
||
55 | * cephfs-journal-tool: use proper namespace for any scavenge/repair operations |
||
56 | * Client: use this namespace for io, both sync and ObjectCacher-initiated |
||
57 | * libceph.ko: generic namespace support |
||
58 | * ceph.ko: use correct namespace for any IO |
||
59 | |||
60 | h3. Work items |
||
61 | |||
62 | h4. Coding tasks |
||
63 | |||
64 | # expand MDSAuthCap grammar to capture any/all of the above |
||
65 | # root squash |
||
66 | # path-based mount restrictions |
||
67 | # namespaces for ceph_file_layout |