[DNM] mon, cephfs: Add auth caps for CephFS fsids#26855
[DNM] mon, cephfs: Add auth caps for CephFS fsids#26855fullerdj wants to merge 5 commits intoceph:masterfrom
Conversation
PendingReleaseNotes
Outdated
| clients based on a new auth cap: | ||
| [mon] allow rw; allow fsid=1; allow fsid=2 | ||
| * Communication with MDS daemons may now be restricted using a new auth cap: | ||
| [mds] allow fsid=1 No newline at end of file |
There was a problem hiding this comment.
This implementation doesn't have a read-only variant. If you're restricted by fsid, the mds will drop all messages for unauthorized fsids. Do we want a read-only variant?
There was a problem hiding this comment.
This implementation doesn't have a read-only variant.
I think I was wondering if mds allow r fsid=1 would be allowed. That is, read-only MDS access although I'm not sure who uses that in practice; would that imply a read-only mount?
PendingReleaseNotes
Outdated
|
|
||
| * The monitor cluster may now withhold filesystem and/or MDS information from | ||
| clients based on a new auth cap: | ||
| [mon] allow rw; allow fsid=1; allow fsid=2 |
There was a problem hiding this comment.
IIRC, the caps are additive. Wouldn't allow rw provide access to all MDSMaps?
| key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw== | ||
| caps: [mds] allow rw, allow fsid=1 | ||
| caps: [mon] allow r, allow fsid=1 | ||
| caps: [osd] allow rw tag cephfs data=cephfs_a |
There was a problem hiding this comment.
I guess we also need to extend these OSDCaps to take an FSCID. Not urgent though.
There was a problem hiding this comment.
Well, the OSD does not know the fscid. We could tag the pools with it, though.
There was a problem hiding this comment.
The pools tags are good enough now I think. I don't believe we want to move forward anymore with shared data pools. The feature is no longer attractive with the pg_autoscaler.
| } | ||
| if (mdsmon()->get_fsmap().filesystem_count() > 0) { | ||
| ss << " mds: " << spacing << mdsmon()->get_fsmap() << "\n"; | ||
| const FSMap *fsmapp = &mdsmon()->get_fsmap(); |
There was a problem hiding this comment.
nit: const auto& fsmap would be better.
| ss << " mds: " << spacing << mdsmon()->get_fsmap() << "\n"; | ||
| const FSMap *fsmapp = &mdsmon()->get_fsmap(); | ||
| if (!fsids.empty()) { | ||
| FSMap map = *fsmapp; |
|
|
||
| client.0 | ||
| key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw== | ||
| caps: [mon] allow r, allow fsid=1, allow fsid=2 |
There was a problem hiding this comment.
ditto. the first allow r applies to all fsids. the fsid= has to be a property of each allow to restrict it.
|
ping @fullerdj |
|
ack, @batrick . I should be able to get back on this next week. |
Now, progress events are part of `WriteCompletion` istead of part of the orchestrator module. It does not yet provide a way to just show orchestrator events. Also fixes issue in the SSH orchestrator Signed-off-by: Sebastian Wagner <sebastian.wagner@suse.com>
The previous link was to version 2, which is a bit older. Fix to version 3. Signed-off-by: Yaniv Kaul <ykaul@redhat.com>
Add a 'fsid' clause to mon auth caps to restrict a client's view of the FSMap. Example: mon 'allow rw; allow fsid 2' This would restrict the client's view of the FSMap to the MDSMap for fscid 2. Any MDS allocated to a different filesystem will be invisible. Global standby daemons are always visible. To allow multiple fscids, add multiple caps: mon 'allow rw; allow fsid 2; allow fsid 3' Fixes: http://tracker.ceph.com/issues/15070 Signed-off-by: Douglas Fuller <dfuller@redhat.com>
Modify MMDSMap to include the global ID of the Filesystem from the FSMap when bringing up a new MDS. Store the ID in the MDSRank structure for use in security validation. Fixes: http://tracker.ceph.com/issues/15070 Signed-off-by: Douglas Fuller <dfuller@redhat.com>
Add new auth caps to restrict access to clients based on fsid. To specify this, for example: mds 'allow fsid=1' This will restrict client access to fsid 1 only. Messages to active MDS assigned to any other FSMap will be dropped. Standby MDS not associated with an FSMap will accept messages from clients so restricted. Fixes: http://tracker.ceph.com/issues/15070 Signed-off-by: Douglas Fuller <dfuller@redhat.com>
|
This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days. |
|
This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days. |
|
This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days. |
|
This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days. |
|
closed in favor of #32581 |
Add new mon and mds auth caps to restrict access based on fsid.
DNM for now because there is no test yet.