mds: allow all types of mds caps

[rishabh-d-dave]

Fixes: https://tracker.ceph.com/issues/59388

Contribution Guidelines

• To sign and title your commits, please refer to Submitting Patches to Ceph.

• If you are submitting a fix for a stable branch (e.g. "pacific"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.

Checklist

• Tracker (select at least one)
  • References tracker ticket
  • Very recent bug; references commit where it was introduced
  • New feature (ticket optional)
  • Doc update (no ticket needed)
  • Code cleanup (no ticket needed)
• Component impact
  • Affects Dashboard, opened tracker ticket
  • Affects Orchestrator, opened tracker ticket
  • No impact that needs to be tracked
• Documentation (select at least one)
  • Updates relevant documentation
  • No doc update is appropriate
• Tests (select at least one)
  • Includes unit test(s)
  • Includes integration test(s)
  • Includes bug reproducer
  • No tests

Show available Jenkins commands

• jenkins retest this please
• jenkins test classic perf
• jenkins test crimson perf
• jenkins test signed
• jenkins test make check
• jenkins test make check arm64
• jenkins test submodules
• jenkins test dashboard
• jenkins test dashboard cephadm
• jenkins test api
• jenkins test docs
• jenkins render docs
• jenkins test ceph-volume all
• jenkins test ceph-volume tox
• jenkins test windows

[gregsfortytwo]

This was a good discovery (of something that scares me) and a nice start. Still need some improvements to testing to make sure the fix is complete. :)

[rishabh-d-dave]

jenkins test make check

[rishabh-d-dave]

https://jenkins.ceph.com/job/ceph-pull-requests/114916/

test updates look good

[rishabh-d-dave]

https://jenkins.ceph.com/job/ceph-pull-requests/114928/consoleFull#7654512942a811ea2-3e7b-466b-84b4-d13df7e35809

[rishabh-d-dave]

jenkins test api

[rishabh-d-dave]

Strange the ceph API tests failed because it looks like test runner exited with success -

2023-06-09 17:09:13,467.467 INFO:__main__:----------------------------------------------------------------------
2023-06-09 17:09:13,467.467 INFO:__main__:Ran 308 tests in 3871.918s
2023-06-09 17:09:13,467.467 INFO:__main__:
2023-06-09 17:09:13,467.467 INFO:__main__:

https://jenkins.ceph.com/job/ceph-api/56590/

[rishabh-d-dave]

@gregsfortytwo @vshankar
GIDs in MDS caps work if and only if they are mentioned in the cap along with UID. Following 2 cases demonstrate this. The former only has GIDs it MDS cap and latter has both UID and GID. Former mounts successfully and latter fails to mount.

$ cat ceph.client.x1.keyring 
[client.x1] 
        key = AQDy+oZkoWJvLxAAeRTzmjAqZ3FD04DHGKLf1Q== 
        caps mds = "allow rw gids=1001" 
        caps mon = "allow r fsname=a" 
        caps osd = "allow rw tag cephfs data=a" 

$ cat ceph.client.x2.keyring 
[client.x2] 
        key = AQDM+4ZkdoUTLxAAyYZq+AAy2LerkSKtE0NjeQ== 
        caps mds = "allow rw uid=1001 gids=1001" 
        caps mon = "allow r fsname=a" 
        caps osd = "allow rw tag cephfs data=a" 

$ ./bin/ceph-fuse cephfs1 --client_fs a --id x1 -k ceph.client.x1.keyring
2023-06-12T16:36:17.449+0530 7faab6c39500 -1 init, newargv = 0x7faaa401c290 newargc=15
ceph-fuse[27741]: starting ceph client
ceph-fuse[27741]: starting fuse

$ ./bin/ceph-fuse cephfs2 --client_fs a --id x2 -k ceph.client.x2.keyring
2023-06-12T16:36:22.063+0530 7f7938560500 -1 init, newargv = 0x7f792401c1d0 newargc=15
ceph-fuse[27799]: starting ceph client
ceph-fuse[27799]: ceph mount failed with (13) Permission denied

Should an MDS caps with GID should be allowed? IMO it should be. If a CephFS user wants to allow 5 Linux users to access a certain CephFS, he/she can simply add all of the users to a group and then create an MDS cap mentioning the GID. The cap would look like this allow rw fsname =cephfs1 gids=1001. Currently, the user would have to do multiple cap for each user: allow rw fsname=cephfs1 uid=1001, allow rw fsname=cephfs1 uid=1002, allow rw fsname=cephfs1 uid=1003, allow rw fsname=cephfs1 uid=1004, allow rw fsname=cephfs1 uid=1005.

Obviously, former style is easier on eyes and is also better scalable and manageable.

[rishabh-d-dave]

jenkins test api

[github-actions]

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved

[rishabh-d-dave]

Rebased and resolved the merge conflicts.

[vshankar]

@rishabh-d-dave please run this through QA and post the result.

[kotreshhr]

GIDs in MDS caps work if and only if they are mentioned in the cap along with UID.

@rishabh-d-dave In your results, the cap with only gids mentioned could successfully mount. Am I missing something?

[rishabh-d-dave]

@kotreshhr

GIDs in MDS caps work if and only if they are mentioned in the cap along with UID.

@rishabh-d-dave In your results, the cap with only gids mentioned could successfully mount. Am I missing something?

I am confused by what you mean. We expect only GIDs 1001,1002,1003 should be able to mount when MDS cap is allow rw gids=1001,1002,1003. But that is not the case, other GIDs too can mount CephFS.

[rishabh-d-dave]

Tests were successful - https://tracker.ceph.com/projects/cephfs/wiki/Main#13-Jul-2023

[rishabh-d-dave]

Tests were successful - https://tracker.ceph.com/projects/cephfs/wiki/Main#13-Jul-2023

@vshankar This PR is ready for merge but an approval is needed.

[github-actions]

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved

[vshankar]

LGTM

[rishabh-d-dave]

Rebased PR branch to resolve the conflict. I'll merge as soon as the CI tests finish running successfully.

[rishabh-d-dave]

jenkins test make check

[rishabh-d-dave]

https://jenkins.ceph.com/job/ceph-pull-requests/118293/