Bug 1360854 - ceph-fs fails to enforce client restrictions
Summary: ceph-fs fails to enforce client restrictions
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: Documentation
Version: 2.0
Hardware: x86_64
OS: Linux
Target Milestone: rc
: 2.0
Assignee: Bara Ancincova
QA Contact: ceph-qe-bugs
Depends On:
Reported: 2016-07-27 16:05 UTC by rakesh
Modified: 2016-09-30 17:21 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-09-30 17:21:51 UTC
Target Upstream Version:


Description rakesh 2016-07-27 16:05:52 UTC
Description of problem:

1. Path restrictions are not enforced as per the configuration. Example:

ceph auth get-or-create client.1 mon 'allow r' mds 'allow r, allow rw path=/home/cephfs' osd 'allow rw pool=data'

and client.1 can still access "/" of the filesystem.

2. OSD restrictions are not enforced properly:
even though the caps for osd are set as only "r", ceph-fs is still accepting writes, i.e. I was able to create files.

Comment 3 John Spray 2016-07-27 16:27:21 UTC
That MDS cap is going to give you readonly access to the whole filesystem, and write access to /home/cephfs.

The OSD cap is full read-write permission, so that's not going to limit anything other than ensuring filesystem clients can't write to any pools apart from your cephfs data pool.

Comment 4 Ken Dreyer (Red Hat) 2016-07-28 13:36:58 UTC
John, it sounds like there's no code change here? Is this something that needs to be clarified in the docs?

Comment 5 John Spray 2016-07-28 13:38:51 UTC
Yes, it looks like this part of the documentation needs to be clearer to state that the example is restricting the client's ability to write metadata to a path rather than all access.
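
The semantics John describes in Comment 3 and Comment 5 can be made concrete with a small model of how a comma-separated MDS capstring is evaluated: each "allow ..." clause is an independent grant, and an operation is permitted if any grant covers it, so an unrestricted "allow r" grants read on the whole tree regardless of what the path-restricted clause says. The following is an added example written for this page, not Ceph's own capability parser; the function names (parse_mds_caps, effective_access) and the simplified grammar (only r/w permissions and an optional path= prefix, no uid/gid or pool options) are assumptions of this model.

```python
"""Toy model of CephFS MDS capability evaluation (added example, not Ceph code).

Mirrors the behaviour described in the bug: an MDS capstring such as
'allow r, allow rw path=/home/cephfs' is a list of grants, and the client gets
the UNION of what the grants allow, not the intersection.  Only the 'r'/'w'
permissions and the 'path=' restriction are modelled (assumption).
"""
import re
from dataclasses import dataclass
from typing import List

# One clause: "allow <perms>" with an optional "path=<prefix>" restriction.
GRANT_RE = re.compile(r"allow\s+(?P<perms>[rw]+)(?:\s+path=(?P<path>\S+))?")


@dataclass
class Grant:
    perms: str   # subset of "rw"
    path: str    # "/" means the grant applies to the whole filesystem


def parse_mds_caps(capstr: str) -> List[Grant]:
    """Split a capstring into grants; raise on anything the model can't read."""
    grants = []
    for clause in capstr.split(","):
        clause = clause.strip()
        m = GRANT_RE.fullmatch(clause)
        if not m:
            raise ValueError(f"unparseable MDS cap clause: {clause!r}")
        grants.append(Grant(m.group("perms"), m.group("path") or "/"))
    return grants


def _under(path: str, prefix: str) -> bool:
    """True if 'path' is 'prefix' itself or lies beneath it (component-wise)."""
    path = path.rstrip("/") or "/"
    prefix = prefix.rstrip("/") or "/"
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def mds_allows(grants: List[Grant], op: str, path: str) -> bool:
    """Union semantics: any single grant covering (op, path) is enough."""
    return any(op in g.perms and _under(path, g.path) for g in grants)


def effective_access(capstr: str, path: str) -> str:
    """Return the subset of 'rw' a client holding 'capstr' gets at 'path'."""
    grants = parse_mds_caps(capstr)
    return "".join(op for op in "rw" if mds_allows(grants, op, path))


if __name__ == "__main__":
    # The capstring from the bug report: read everywhere, write only under /home/cephfs.
    reported = "allow r, allow rw path=/home/cephfs"
    # A capstring that actually confines the client to the subtree.
    confined = "allow rw path=/home/cephfs"
    for caps in (reported, confined):
        print(f"mds '{caps}'")
        for p in ("/", "/etc", "/home/cephfs", "/home/cephfs/file", "/home/cephfs2"):
            print(f"  {p:<20} -> {effective_access(caps, p) or '(none)'}")
```

Run against the capstring from the report, the model gives "r" at "/" and "rw" under /home/cephfs, which is exactly what the reporter observed: the unrestricted "allow r" is what lets client.1 read the root. Dropping that clause leaves the client with no access outside /home/cephfs (and none to the sibling /home/cephfs2, since the prefix match is per path component). The model says nothing about OSD caps: a client's ability to write file data is governed separately by the osd capstring, which in the report is "allow rw pool=data" and therefore permits writes, as Comment 3 notes.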

Comment 6 Ken Dreyer (Red Hat) 2016-07-28 13:51:33 UTC
Thanks John
