mds: add root_squash mode in MDS auth caps by ajarr · Pull Request #36457 · ceph/ceph

ajarr · 2020-08-04T16:48:24Z

Implement a root_squash mode in MDS auth caps to deny operations for
clients with uid=0 or gid=0 that need write access. It's mainly to
prevent operations such as accidental `sudo rm -rf /path`.

The root squash mode can be enforced in one of the following ways in
the MDS caps,
  'allow rw root_squash'
  (across file systems)
          or
  'allow rw fsname=a root_squash'
  (on a file system)
          or
  'allow rw fsname=a path=/vol/group/subvol00 root_squash'
  (on a file system path)

Fixes: https://tracker.ceph.com/issues/42451
Signed-off-by: Ramana Raja <rraja@redhat.com>

ajarr · 2020-08-04T16:59:50Z

This PR is based on the multiple FS auth ID PR that's not been merged. Following is the only commit
1f5d61a
that enables root_squash, the other commits are part of the multiple FS auth ID PR.

batrick

Looks about right. I don't think it's possible to restrict MAY_READ without changes to the client so this should be fine.

src/mds/MDSAuthCaps.cc

src/mds/MDSAuthCaps.h

ajarr · 2020-08-17T12:25:30Z

This PR is based on the multiple FS auth ID PR that's not been merged. Following is the only commit
1a96b64
that enables root_squash, the other commits are part of the multiple FS auth ID PR.

batrick

This looks very good. We just need tests for fs authorize with root_squash. Please add them to test_admin.py. You already have tests for checking the capability so I think you can skip validating the caps work with a mount.

... methods in LocalRemote class. These methods are called in some of the recently added cephfs tests. They were implemented in teuthology's Remote class, but not in vstart_runner's LocalRemote class. Hence some cephfs tests couldn't be run locally using vstart_runner without this change. Signed-off-by: Ramana Raja <rraja@redhat.com>

Implement a root_squash mode in MDS auth caps to deny operations for clients with uid=0 or gid=0 that need write access. It's mainly to prevent operations such as accidental `sudo rm -rf /path`. The root squash mode can be enforced in one of the following ways in the MDS caps, 'allow rw root_squash' (across file systems) or 'allow rw fsname=a root_squash' (on a file system) or 'allow rw fsname=a path=/vol/group/subvol00 root_squash' (on a file system path) Fixes: https://tracker.ceph.com/issues/42451 Signed-off-by: Ramana Raja <rraja@redhat.com>

ajarr · 2020-09-25T10:21:22Z

This looks very good. We just need tests for fs authorize with root_squash. Please add them to test_admin.py. You already have tests for checking the capability so I think you can skip validating the caps work with a mount.

Done.

fixed

... in test_admin.TestSubCmdFsAuthorize.setup_for_multiple_paths(). Signed-off-by: Ramana Raja <rraja@redhat.com>

batrick · 2020-09-25T15:19:19Z

jenkins test make check

ajarr · 2020-09-25T23:26:36Z

jenkins test make check

ajarr · 2020-10-05T14:33:19Z

@batrick do you want me to test this in teuthology?

batrick · 2020-10-05T20:54:06Z

@ajarr I encourage testing your own PR for the specific tests you're adding. I'll do broader QA testing in the next few days.

ajarr · 2020-10-06T10:33:01Z

tests for changes in TestMDSAuthCaps.cc
https://pulpito.ceph.com/rraja-2020-10-06_10:29:44-fs-wip-ajarr-root-squash-distro-basic-smithi/

tests for changes in test_admin
https://pulpito.ceph.com/rraja-2020-10-06_10:34:06-fs-wip-ajarr-root-squash-distro-basic-smithi/

ajarr · 2020-10-06T11:32:43Z

tests for changes in TestMDSAuthCaps.cc
https://pulpito.ceph.com/rraja-2020-10-06_10:29:44-fs-wip-ajarr-root-squash-distro-basic-smithi/

tests for changes in test_admin
https://pulpito.ceph.com/rraja-2020-10-06_10:34:06-fs-wip-ajarr-root-squash-distro-basic-smithi/

Tests passed.

batrick · 2020-10-08T20:21:38Z

https://pulpito.ceph.com/?branch=wip-pdonnell-testing-20201007.214100

failures unrelated.

ajarr changed the title ~~mds: add root_squash mode in MDS auth caps~~ [DNM] mds: add root_squash mode in MDS auth caps Aug 4, 2020

ajarr marked this pull request as draft August 4, 2020 17:37

ajarr requested a review from batrick August 4, 2020 17:38

jtlayton self-requested a review August 4, 2020 19:31

batrick requested changes Aug 4, 2020

View reviewed changes

src/mds/MDSAuthCaps.cc Outdated Show resolved Hide resolved

src/mds/MDSAuthCaps.cc Outdated Show resolved Hide resolved

src/mds/MDSAuthCaps.cc Outdated Show resolved Hide resolved

src/mds/MDSAuthCaps.h Outdated Show resolved Hide resolved

batrick added cephfs Ceph File System needs-review labels Aug 6, 2020

ajarr force-pushed the wip-42451 branch from 1f5d61a to 270a942 Compare August 8, 2020 20:18

ajarr force-pushed the wip-42451 branch from 270a942 to 1a96b64 Compare August 17, 2020 12:24

ajarr changed the title ~~[DNM] mds: add root_squash mode in MDS auth caps~~ mds: add root_squash mode in MDS auth caps Aug 17, 2020

ajarr marked this pull request as ready for review August 17, 2020 13:28

ajarr force-pushed the wip-42451 branch 2 times, most recently from a4f120b to a808f16 Compare August 19, 2020 08:40

ajarr force-pushed the wip-42451 branch from a808f16 to b04588d Compare September 17, 2020 12:25

ajarr requested a review from batrick September 17, 2020 12:26

batrick previously requested changes Sep 22, 2020

View reviewed changes

batrick removed the needs-review label Sep 23, 2020

batrick assigned ajarr Sep 23, 2020

ajarr added 2 commits September 25, 2020 14:34

ajarr force-pushed the wip-42451 branch from b04588d to af6b043 Compare September 25, 2020 10:20

ajarr assigned batrick Sep 25, 2020

ajarr requested a review from batrick September 25, 2020 10:21

ajarr removed their assignment Sep 25, 2020

qa/tasks/cephfs: fix fs authorize cmd args

525c0e6

... in test_admin.TestSubCmdFsAuthorize.setup_for_multiple_paths(). Signed-off-by: Ramana Raja <rraja@redhat.com>

ajarr force-pushed the wip-42451 branch from af6b043 to 525c0e6 Compare September 25, 2020 10:24

batrick approved these changes Sep 25, 2020

View reviewed changes

batrick removed their assignment Sep 25, 2020

batrick added the needs-qa label Sep 25, 2020

batrick added the wip-pdonnell-testing label Oct 7, 2020

batrick merged commit 5c9f77c into ceph:master Oct 8, 2020

Conversation

ajarr commented Aug 4, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ajarr commented Aug 4, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

batrick left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

ajarr commented Aug 17, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

batrick left a comment

Choose a reason for hiding this comment

Uh oh!

ajarr commented Sep 25, 2020

Uh oh!

batrick commented Sep 25, 2020

Uh oh!

ajarr commented Sep 25, 2020

Uh oh!

ajarr commented Oct 5, 2020

Uh oh!

batrick commented Oct 5, 2020

Uh oh!

ajarr commented Oct 6, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ajarr commented Oct 6, 2020

Uh oh!

batrick commented Oct 8, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

ajarr commented Aug 4, 2020 •

edited

Loading

ajarr commented Aug 4, 2020 •

edited

Loading

ajarr commented Aug 17, 2020 •

edited

Loading

ajarr commented Oct 6, 2020 •

edited

Loading