CephFS Client Capabilities

    Note

    Path restriction and layout modification restriction are new featuresin the Jewel release of Ceph.

    Note

    Using Erasure Coded(EC) pools with CephFS is supported only with theBlueStore Backend. They cannot be used as metadata pools and overwrites mustbe enabled on the data pools.

    By default, clients are not restricted in what paths they are allowed to mount.Further, when clients mount a subdirectory, e.g., /home/user, the MDS does notby default verify that subsequent operationsare ‘locked’ within that directory.

    To restrict clients to only mount and work within a certain directory, usepath-based MDS authentication capabilities.

    For example, to restrict client to writing only in the bar directory of file system cephfs, use

    1. ceph fs authorize cephfs client.foo / r /bar rw
    2.  
    3.  
    4. client.foo
    5.   key: *key*
    6.   caps: [mds] allow r, allow rw path=/bar
    7.   caps: [mon] allow r
    8.   caps: [osd] allow rw tag cephfs data=cephfs_a

    To completely restrict the client to the bar directory, omit theroot directory

    1. ceph fs authorize cephfs client.foo /bar rw

    Note that if a client’s read access is restricted to a path, they will onlybe able to mount the file system when specifying a readable path in themount command (see below).

    Supplying or as the file system name will grant access to everyfile system. Note that it is usually necessary to quote to protect it fromthe shell.

    See User Management - Add a User to a Keyring. for additional details on user management

    To restrict a client to the specified sub-directory only, we mention the specifieddirectory while mounting using the following syntax.

    1. ./ceph-fuse -n client.foo mnt -r /bar

    Free space reporting

    By default, when a client is mounting a sub-directory, the used space (df)will be calculated from the quota on that sub-directory, rather than reportingthe overall amount of space used on the cluster.

    If you would like the client to report the overall usage of the file system,and not just the quota usage on the sub-directory mounted, then set thefollowing config option on the client:

      If quotas are not enabled, or no quota is set on the sub-directory mounted,then the overall usage of the file system will be reported irrespective ofthe value of this setting.

      To set layouts or quotas, clients require the ‘p’ flag in addition to ‘rw’.This restricts all the attributes that are set by special extended attributeswith a “ceph.” prefix, as well as restricting other means of settingthese fields (such as openc operations with layouts).

      For example, in the following snippet client.0 can modify layouts and quotason the file system cephfs_a, but client.1 cannot.

      To create or delete snapshots, clients require the ‘s’ flag in addition to ‘rw’.Note that when capability string also contains the ‘p’ flag, the ‘s’ flag mustappear after it (all flags except ‘rw’ must be specified in alphabetical order).

      1. client.0
      2.     key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
      3.     caps: [mds] allow rw, allow rws path=/bar
      4.     caps: [mon] allow r
      5.     caps: [osd] allow rw tag cephfs data=cephfs_a
      1. client.foo
      2.   key: *key*
      3.   caps: [mds] allow r network 10.0.0.0/8, allow rw path=/bar network 10.0.0.0/8
      4.   caps: [osd] allow rw tag cephfs data=cephfs_a network 10.0.0.0/8

      The optional is a standard network name andprefix length in CIDR notation (e.g., 10.3.0.0/16). If present,the use of this capability is restricted to clients connecting fromthis network.