Version 1 - History - Cephfs - multitenancy features - Ceph - Ceph

1

Jessica Mack

h1. Cephfs - multitenancy features

2

3

h3. Summary

4

5

Make CephFS more secure in multi-tenant environments

6

7

h3. Owners

8

9

* Sage Weil (Red Hat)

10

* Name (Affiliation)

11

* Name

12

13

h3. Interested Parties

14

15

* Danny Al-Gaaf (Deutsche Telekom)

16

* Name (Affiliation)

17

* Name

18

19

h3. Current Status

20

21

CephFS has a capability defined that is intended to describe what a client is allowed to do.  Currently it parses a bunch fo stuff but we only interpret it as a binary value: is this client allowed to mount the file system?  If it mounts, it can do anything.

22

Ceph has similar capabilities that let you lock a client into different rados pools or rados namespaces.

23

CephFS lets you set a policy on a directory that puts new files in specific rados pools.

24

25

h3. Detailed Description

26

27

*Read-only mount*

28

Make the capability specify that a given client can only mount read-only and cannot make any cahnges

29

30

*Root squash*

31

Make the capability specify that a given client cannot act as root.  This should mimic the NFS semantics.  I went hunting for a detailed technical description of what that is, but didn't find anything.  Reading the source is probably the best way to establish that.  I think it means:

32

33

p((. cannot read/write/etc a file that is only readable/writeable/etc by root

34

35

Since the cephfs client is trusted to map ops to users, anything non-root is still fair game since the client can claim to be whatever uid/gid own the file.  I don't think it is worth trying anything else clever there... at least not until we specify in teh capability that we can only be a specific uid.

36

37

*Path-based mount restriction*

38

This is parsed, but not enforced.  Here we should only allow teh client to mount a subdirectory (or something beneath it).  That means that any open-by-ino needs to ensure that the ino is part of that subtree.  I think this can happen int eh request path, somewhere in the neighborhood of rdlock_path_pin_ref() or rdlock_path_xlock_dentry().

39

* verify that any lookup-by-ino (targeti?) lives in the subtree

40

* possibly special case allow inodes where we have a remote dentry inside the subtree pointing to something outside of it?  at the very least we need to handle inodes that are in a straydir if their previous owner was in the correct tree.  This may be tricky to establish :(

41

42

*Extend file layout ceph_file_layout to specify a namespace id (uint64_t?)*

43

Right now this layout specifies a data pool number.  It could also specify a namespace id, or 0 for none.  The actual rados namespaces are described by strings, but we could make the cephfs ones be decimal string forms of the namespace numbers.

44

We have two unused fields in this struct we could reclaim:

45

46

p((. __le32 fl_cas_hash;  // never used

47

     __le32 fl_unused;     // used to be the preferred pg, removed years ago

48

49

Perhaps 2^32 namespaces is enough and we just use one of them.

50

This would require changes in

51

* mds: parse virtual xattrs for this field

52

* mds: use this namespace for all backtrace operations

53

* mds: do any file probe or cleanup in this namespace

54

* mds: use this namespace for backtraces

55

* cephfs-journal-tool: use proper namespace for any scavenge/repair operations

56

* Client: use this namespace for io, both sync and ObjectCacher-initiated

57

* libceph.ko: generic namespace support

58

* ceph.ko: use correct namespace for any IO

59

60

h3. Work items

61

62

h4. Coding tasks

63

64

# expand MDSAuthCap grammar to capture any/all of the above

65

# root squash

66

# path-based mount restrictions

67

# namespaces for ceph_file_layout

Project

General

Profile

Ceph

Cephfs - multitenancy features » History » Version 1