In cases like this you also want to set RADOS namespaces for each tenant’s directory in the CephFS layout and give them OSD access to only that namespace. That will prevent malicious users from tampering with the raw RADOS objects of other users.
-Greg

On Fri, Sep 29, 2017 at 4:33 AM Yoann Moulin <yoann.mou...@epfl.ch> wrote:
> >>>> Kernel on client is 4.4.0-93 and on ceph nodes is 4.4.0-96
> >>>>
> >>>> What is exactly an older kernel client? 4.4 is old?
> >>>
> >>> See
> >>> http://docs.ceph.com/docs/master/cephfs/best-practices/#which-kernel-version
> >>>
> >>> If you're on Ubuntu Xenial I would advise to use
> >>> "linux-generic-hwe-16.04". Currently gives you 4.10.0-* kernel.
> >>
> >> OK, but I still cannot set caps without read access to "/" on cephfs volume, is there something else I must do?
> >>
> >> # ceph auth get-or-create client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
> >> Error EINVAL: key for client.foo exists but cap mds does not match
> >>
> >> # ceph fs authorize cephfs client.foo /foo rw
> >> Error EINVAL: key for client.foo exists but cap mds does not match
> >
> > Use "ceph auth list" to check the current caps for the client. With ceph
> > auth caps (note, _not_ get-or-create) you can update the caps:
> >
> > ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
> >
> > The command should return "updated caps for client.foo"
>
> oops, you're right, I must use "ceph auth caps" and not "ceph auth get-or-create"
>
> so finally I did this:
>
> # ceph auth caps client.foo mon "allow r" osd "allow rw pool=cephfs_data" mds "allow rw path=/foo"
> updated caps for client.foo
>
> # ceph fs authorize cephfs client.foo /foo rw
> [client.foo]
> key = [snip]
>
> On the client:
>
> # uname -a
> Linux ntxvm006 4.10.0-33-generic #37~16.04.1-Ubuntu SMP Fri Aug 11 14:07:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>
> # mount.ceph iccluster041,iccluster042,iccluster054:/ /mnt -v -o name=foo,secret=[snip]
> parsing options: name=foo,secret=[snip]
> mount error 13 = Permission denied
>
> # mount.ceph iccluster041,iccluster042,iccluster054:/foo /mnt -v -o name=foo,secret=[snip]
> parsing options: name=foo,secret=[snip]
>
> # df /mnt
> Filesystem                                  1K-blocks     Used   Available Use% Mounted on
> 10.90.38.17,10.90.38.18,10.90.39.5:/foo   70324469760 26267648 70298202112   1% /mnt
>
> It seems to work as I want.
>
> Thanks a lot!
>
> Cheers,
>
> --
> Yoann Moulin
> EPFL IC-IT
> _______________________________________________
> ceph-users mailing list
> ceph-users@lists.ceph.com
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
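The per-tenant namespace setup Greg recommends, together with an audit of existing keys, as an added shell example that is not code from this thread or from the Ceph project. It assumes the data pool name cephfs_data from the thread, an admin mount at /mnt, the ceph and setfattr tools on PATH, and a constructed "ceph auth ls" listing; the audit goes slightly beyond the thread by also flagging keys whose OSD cap names no pool at all.

```shell
# Added example, not code from the ceph-users thread: provision a CephFS
# tenant as Greg describes (own RADOS namespace via the directory layout,
# OSD cap limited to that namespace, MDS cap limited to the tenant path) and
# audit existing keys. Assumed: data pool cephfs_data (named in the thread),
# an admin mount at $CEPHFS_ROOT, and "ceph" and "setfattr" on PATH.
POOL="${POOL:-cephfs_data}"
CEPHFS_ROOT="${CEPHFS_ROOT:-/mnt}"
# OSD cap: read/write only inside the tenant's namespace of the data pool.
tenant_osd_cap() { printf 'allow rw pool=%s namespace=%s' "$POOL" "$1"; }
# MDS cap: only the tenant's own subtree.
tenant_mds_cap() { printf 'allow rw path=/%s' "$1"; }

provision_tenant() {
    t="$1"
    mkdir -p "$CEPHFS_ROOT/$t"
    # Set the layout while the directory is empty: it applies to files
    # created afterwards; existing files keep their old pool/namespace.
    setfattr -n ceph.dir.layout.pool_namespace -v "$t" "$CEPHFS_ROOT/$t"
    if ceph auth get "client.$t" >/dev/null 2>&1; then
        # Key exists: get-or-create rejects differing caps, so update in place.
        ceph auth caps "client.$t" mon "allow r" \
            osd "$(tenant_osd_cap "$t")" mds "$(tenant_mds_cap "$t")"
    else
        ceph auth get-or-create "client.$t" mon "allow r" \
            osd "$(tenant_osd_cap "$t")" mds "$(tenant_mds_cap "$t")"
    fi
}

# Audit: read "ceph auth ls" output on stdin and print each client.* entity
# whose OSD cap lacks a namespace= restriction while covering the data pool
# (or all pools), i.e. a key able to tamper with other tenants' raw objects.
audit_osd_caps() {
    awk -v pool="$POOL" '
        /^client\.[^ ]+$/ { entity = $1; next }
        /^[a-z]+\.[^ ]+$/ { entity = ""; next }
        entity != "" && /caps: \[osd\]/ && $0 !~ /namespace=/ &&
            ($0 !~ /pool=/ || $0 ~ ("pool=" pool)) { print entity }
    '
}

# Constructed sample in "ceph auth ls" layout (key and mon lines omitted):
# foo has the pool-wide cap from the thread, bar a namespace-restricted one.
SAMPLE='client.foo
    caps: [mds] allow rw path=/foo
    caps: [osd] allow rw pool=cephfs_data
client.bar
    caps: [mds] allow rw path=/bar
    caps: [osd] allow rw pool=cephfs_data namespace=bar'
printf '%s\n' "$SAMPLE" | audit_osd_caps   # prints: client.foo
```

Run the audit against a live cluster with `ceph auth ls | audit_osd_caps`; client.admin will appear in the output by design, since it holds an unrestricted OSD cap.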