[ceph-users] UID Restrictions

Keane Wolter wolterk at umich.edu
Wed Nov 1 11:03:08 PDT 2017

I am mounting a directory under /user which I am the owner of with the
permissions of 700. If I remove the uid=100026 option, I have no issues. I
start having issues as soon as the uid restrictions are in place.

On Wed, Nov 1, 2017 at 1:05 PM, Gregory Farnum <gfarnum at redhat.com> wrote:

> Well, obviously UID 100026 needs to have the normal POSIX permissions to
> write to the /user path, which it probably won't until after you've done
> something as root to make it so...
> On Wed, Nov 1, 2017 at 9:57 AM Keane Wolter <wolterk at umich.edu> wrote:
>> Acting as UID 100026, I am able to successfully run ceph-fuse and mount
>> the filesystem. However, as soon as I try to write a file as UID 100026, I
>> get permission denied, but I am able to write to disk as root without
>> issue. I am looking for the inverse of this. I want to write changes to
>> disk as UID 100026, but not as root. From what I understood in the email at
>> http://lists.ceph.com/pipermail/ceph-users-ceph.com/
>> 2017-February/016173.html, I should be able to do so with the following
>> cephx caps set to "caps: [mds] allow r, allow rw path=/user uid=100026". Am
>> I wrong with this assumption or is there something else at play I am not
>> aware of?
>> Thanks,
>> Keane
>> On Wed, Oct 25, 2017 at 5:52 AM, Gregory Farnum <gfarnum at redhat.com>
>> wrote:
>>> On Mon, Oct 23, 2017 at 5:03 PM Keane Wolter <wolterk at umich.edu> wrote:
>>>> Hi Gregory,
>>>> I did set the cephx caps for the client to:
>>>> caps: [mds] allow r, allow rw uid=100026 path=/user, allow rw
>>>> path=/project
>>> So you’ve got three different permission granting clauses here:
>>> 1) allows the client to read anything
>>> 2) allows the client to act as uid 100026 in the path /user
>>> 3) allows the user to do any read or write (as any user) in path /project
>>> caps: [mon] allow r
>>>> caps: [osd] allow rw pool=cephfs_osiris, allow rw pool=cephfs_users
>>>> Keane
>>>> On Fri, Oct 20, 2017 at 5:35 PM, Gregory Farnum <gfarnum at redhat.com>
>>>> wrote:
>>>>> What did you actually set the cephx caps to for that client?
>>>>> On Fri, Oct 20, 2017 at 8:01 AM Keane Wolter <wolterk at umich.edu>
>>>>> wrote:
>>>>>> Hello all,
>>>>>> I am trying to limit what uid/gid a client is allowed to run as
>>>>>> (similar to NFS' root squashing). I have referenced this email,
>>>>>> http://lists.ceph.com/pipermail/ceph-users-ceph.com/
>>>>>> 2017-February/016173.html, with no success.  After generating the
>>>>>> keyring, moving it to a client machine, and mounting the filesystem with
>>>>>> ceph-fuse, I am still able to create files with the UID and GID of root.
>>>>>> Is there something I am missing or can do to prevent root from
>>>>>> working with a ceph-fuse mounted filesystem?
>>>>>> Thanks,
>>>>>> Keane
>>>>>> wolterk at umich.edu
>>>>>> _______________________________________________
>>>>>> ceph-users mailing list
>>>>>> ceph-users at lists.ceph.com
>>>>>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ceph.com/pipermail/ceph-users-ceph.com/attachments/20171101/f6963f5e/attachment.html>

More information about the ceph-users mailing list