[ceph-users] UID Restrictions

Gregory Farnum gfarnum at redhat.com
Wed Nov 1 10:05:56 PDT 2017


Well, obviously UID 100026 needs to have the normal POSIX permissions to
write to the /user path, which it probably won't until after you've done
something as root to make it so...

On Wed, Nov 1, 2017 at 9:57 AM Keane Wolter <wolterk at umich.edu> wrote:

> Acting as UID 100026, I am able to successfully run ceph-fuse and mount
> the filesystem. However, as soon as I try to write a file as UID 100026, I
> get permission denied, but I am able to write to disk as root without
> issue. I am looking for the inverse of this. I want to write changes to
> disk as UID 100026, but not as root. From what I understood in the email at
> http://lists.ceph.com/pipermail/ceph-users-ceph.com/2017-February/016173.html,
> I should be able to do so with the following cephx caps set to "caps: [mds]
> allow r, allow rw path=/user uid=100026". Am I wrong with this assumption
> or is there something else at play I am not aware of?
>
> Thanks,
> Keane
>
> On Wed, Oct 25, 2017 at 5:52 AM, Gregory Farnum <gfarnum at redhat.com>
> wrote:
>
>>
>> On Mon, Oct 23, 2017 at 5:03 PM Keane Wolter <wolterk at umich.edu> wrote:
>>
>>> Hi Gregory,
>>>
>>> I did set the cephx caps for the client to:
>>>
>>> caps: [mds] allow r, allow rw uid=100026 path=/user, allow rw path=/project
>>>
>>
>> So you’ve got three different permission granting clauses here:
>> 1) allows the client to read anything
>> 2) allows the client to act as uid 100026 in the path /user
>> 3) allows the user to do any read or write (as any user) in path /project
>>
>>> caps: [mon] allow r
>>> caps: [osd] allow rw pool=cephfs_osiris, allow rw pool=cephfs_users
>>>
>>> Keane
>>>
>>> On Fri, Oct 20, 2017 at 5:35 PM, Gregory Farnum <gfarnum at redhat.com>
>>> wrote:
>>>
>>>> What did you actually set the cephx caps to for that client?
>>>>
>>>> On Fri, Oct 20, 2017 at 8:01 AM Keane Wolter <wolterk at umich.edu> wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> I am trying to limit what uid/gid a client is allowed to run as
>>>>> (similar to NFS' root squashing). I have referenced this email,
>>>>> http://lists.ceph.com/pipermail/ceph-users-ceph.com/2017-February/016173.html,
>>>>> with no success.  After generating the keyring, moving it to a client
>>>>> machine, and mounting the filesystem with ceph-fuse, I am still able to
>>>>> create files with the UID and GID of root.
>>>>>
>>>>> Is there something I am missing or can do to prevent root from working
>>>>> with a ceph-fuse mounted filesystem?
>>>>>
>>>>> Thanks,
>>>>> Keane
>>>>> wolterk at umich.edu
>
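
The two layers of checking discussed in this thread, as an added example that is not part of the original messages and is not Ceph's code: a simplified Python model that parses the `[mds]` caps string quoted above into its clauses, applies Gregory's reading of each clause, and then applies ordinary POSIX owner/other mode bits. The function names, result strings, and directory owner/mode values are constructed for illustration; group permissions are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Grant:
    write: bool                  # True for "rw", False for "r"
    uid: Optional[int] = None    # None: clause applies to any UID
    path: str = "/"              # "/": clause applies to the whole tree

def parse_mds_caps(caps: str) -> List[Grant]:
    """Split an [mds] caps string into its comma-separated allow clauses."""
    grants = []
    for clause in caps.split(","):
        tokens = clause.split()
        if len(tokens) < 2 or tokens[0] != "allow" or tokens[1] not in ("r", "rw"):
            raise ValueError(f"unrecognised clause: {clause!r}")
        grant = Grant(write=tokens[1] == "rw")
        for opt in tokens[2:]:   # the thread writes uid= and path= in either order
            key, _, val = opt.partition("=")
            if key == "uid":
                grant.uid = int(val)
            elif key == "path":
                grant.path = "/" + val.strip("/")
            else:
                raise ValueError(f"unrecognised option: {opt!r}")
        grants.append(grant)
    return grants

def under(path: str, prefix: str) -> bool:
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def cap_allows_write(grants: List[Grant], uid: int, path: str) -> bool:
    return any(g.write and g.uid in (None, uid) and under(path, g.path) for g in grants)

def posix_allows_write(uid: int, owner: int, mode: int) -> bool:
    """Owner/other write bits only (assumption: groups ignored, uid 0 overrides)."""
    return uid == 0 or bool(mode & (0o200 if uid == owner else 0o002))

def can_create(grants, uid, directory, owner, mode) -> str:
    if not cap_allows_write(grants, uid, directory):
        return "denied: no cephx clause grants write"
    if not posix_allows_write(uid, owner, mode):
        return "denied: POSIX mode bits"
    return "allowed"

CAPS = "allow r, allow rw uid=100026 path=/user, allow rw path=/project"  # from the thread

if __name__ == "__main__":
    g = parse_mds_caps(CAPS)
    # Constructed directory owners and modes:
    print(can_create(g, 100026, "/user", owner=0, mode=0o755))       # root-owned /user
    print(can_create(g, 100026, "/user", owner=100026, mode=0o755))  # after chown by root
    print(can_create(g, 0, "/project", owner=0, mode=0o755))
```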