[ceph.git] / ceph / doc / cephfs / client-auth.rst

================================
CephFS Client Capabilities
================================

Use Ceph authentication capabilities to restrict your filesystem clients
to the lowest possible level of authority needed.

.. note::

    Path restriction and layout modification restriction are new features
    in the Jewel release of Ceph.

Path restriction
================

By default, clients are not restricted in what paths they are allowed to mount.
Further, when clients mount a subdirectory, e.g., /home/user, the MDS does not
by default verify that subsequent operations
are ‘locked’ within that directory.

To restrict clients to only mount and work within a certain directory, use
path-based MDS authentication capabilities.

Syntax
------

To grant rw access to the specified directory only, we mention the specified
directory while creating key for a client using the following syntax. ::

 ceph fs authorize *filesystem_name* client.*client_name* /*specified_directory* rw

For example, to restrict client ``foo`` to writing only in the ``bar`` directory of filesystem ``cephfs_a``, use ::

 ceph fs authorize cephfs_a client.foo / r /bar rw

 results in:

 client.foo
   key: *key*
   caps: [mds] allow r, allow rw path=/bar
   caps: [mon] allow r
   caps: [osd] allow rw tag cephfs data=cephfs_a

To completely restrict the client to the ``bar`` directory, omit the
root directory ::

 ceph fs authorize cephfs_a client.foo /bar rw

Note that if a client's read access is restricted to a path, they will only
be able to mount the filesystem when specifying a readable path in the
mount command (see below).

Supplying ``all`` or ``*`` as the filesystem name will grant access to every
file system. Note that it is usually necessary to quote ``*`` to protect it from
the shell.

See `User Management - Add a User to a Keyring`_. for additional details on user management

To restrict a client to the specified sub-directory only, we mention the specified
directory while mounting using the following syntax. ::

 ./ceph-fuse -n client.*client_name* *mount_path* -r *directory_to_be_mounted*

for example, to restrict client ``foo`` to ``mnt/bar`` directory, we will use. ::

 ./ceph-fuse -n client.foo mnt -r /bar

Free space reporting
--------------------

By default, when a client is mounting a sub-directory, the used space (``df``)
will be calculated from the quota on that sub-directory, rather than reporting
the overall amount of space used on the cluster.

If you would like the client to report the overall usage of the filesystem,
and not just the quota usage on the sub-directory mounted, then set the
following config option on the client:

::

    client quota df = false

If quotas are not enabled, or no quota is set on the sub-directory mounted,
then the overall usage of the filesystem will be reported irrespective of
the value of this setting.

Layout and Quota restriction (the 'p' flag)
===========================================

To set layouts or quotas, clients require the 'p' flag in addition to 'rw'.
This restricts all the attributes that are set by special extended attributes
with a "ceph." prefix, as well as restricting other means of setting
these fields (such as openc operations with layouts).

For example, in the following snippet client.0 can modify layouts and quotas
on the filesystem cephfs_a, but client.1 cannot.

::

    client.0
        key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
        caps: [mds] allow rwp
        caps: [mon] allow r
        caps: [osd] allow rw tag cephfs data=cephfs_a

    client.1
        key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
        caps: [mds] allow rw
        caps: [mon] allow r
        caps: [osd] allow rw tag cephfs data=cephfs_a


Snapshot restriction (the 's' flag)
===========================================

To create or delete snapshots, clients require the 's' flag in addition to 'rw'.
Note that when capability string also contains the 'p' flag, the 's' flag must
appear after it (all flags except 'rw' must be specified in alphabetical order).

For example, in the following snippet client.0 can create or delete snapshots
in the ``bar`` directory of filesystem ``cephfs_a``.

::

    client.0
        key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
        caps: [mds] allow rw, allow rws path=/bar
        caps: [mon] allow r
        caps: [osd] allow rw tag cephfs data=cephfs_a


.. _User Management - Add a User to a Keyring: ../../rados/operations/user-management/#add-a-user-to-a-keyring

Network restriction
===================

::

 client.foo
   key: *key*
   caps: [mds] allow r network 10.0.0.0/8, allow rw path=/bar network 10.0.0.0/8
   caps: [mon] allow r network 10.0.0.0/8
   caps: [osd] allow rw tag cephfs data=cephfs_a network 10.0.0.0/8

The optional ``{network/prefix}`` is a standard network name and
prefix length in CIDR notation (e.g., ``10.3.0.0/16``).  If present,
the use of this capability is restricted to clients connecting from
this network.
Commit	Line	Data
7c673cae FG	1	================================
	2	CephFS Client Capabilities
	3	================================
	4
	5	Use Ceph authentication capabilities to restrict your filesystem clients
	6	to the lowest possible level of authority needed.
	7
	8	.. note::
	9
	10	Path restriction and layout modification restriction are new features
	11	in the Jewel release of Ceph.
	12
	13	Path restriction
	14	================
	15
	16	By default, clients are not restricted in what paths they are allowed to mount.
	17	Further, when clients mount a subdirectory, e.g., /home/user, the MDS does not
	18	by default verify that subsequent operations
	19	are ‘locked’ within that directory.
	20
	21	To restrict clients to only mount and work within a certain directory, use
	22	path-based MDS authentication capabilities.
	23
	24	Syntax
	25	------
	26
	27	To grant rw access to the specified directory only, we mention the specified
d2e6a577	28	directory while creating key for a client using the following syntax. ::
7c673cae	29
d2e6a577	30	ceph fs authorize filesystem_name client.client_name /specified_directory rw
7c673cae	31
92f5a8d4	32	For example, to restrict client ``foo`` to writing only in the ``bar`` directory of filesystem ``cephfs_a``, use ::
7c673cae	33
92f5a8d4	34	ceph fs authorize cephfs_a client.foo / r /bar rw
7c673cae	35
11fdf7f2 TL	36	results in:
	37
	38	client.foo
	39	key: key
	40	caps: [mds] allow r, allow rw path=/bar
	41	caps: [mon] allow r
	42	caps: [osd] allow rw tag cephfs data=cephfs_a
	43
7c673cae	44	To completely restrict the client to the ``bar`` directory, omit the
d2e6a577	45	root directory ::
7c673cae	46
92f5a8d4	47	ceph fs authorize cephfs_a client.foo /bar rw
7c673cae FG	48
	49	Note that if a client's read access is restricted to a path, they will only
	50	be able to mount the filesystem when specifying a readable path in the
	51	mount command (see below).
	52
11fdf7f2 TL	53	Supplying ``all`` or ``*`` as the filesystem name will grant access to every
	54	file system. Note that it is usually necessary to quote ``*`` to protect it from
	55	the shell.
7c673cae FG	56
	57	See `User Management - Add a User to a Keyring`_. for additional details on user management
	58
11fdf7f2	59	To restrict a client to the specified sub-directory only, we mention the specified
d2e6a577	60	directory while mounting using the following syntax. ::
7c673cae	61
d2e6a577	62	./ceph-fuse -n client.client_name mount_path -r directory_to_be_mounted
7c673cae FG	63
	64	for example, to restrict client ``foo`` to ``mnt/bar`` directory, we will use. ::
	65
d2e6a577	66	./ceph-fuse -n client.foo mnt -r /bar
7c673cae FG	67
	68	Free space reporting
	69	--------------------
	70
	71	By default, when a client is mounting a sub-directory, the used space (``df``)
	72	will be calculated from the quota on that sub-directory, rather than reporting
	73	the overall amount of space used on the cluster.
	74
	75	If you would like the client to report the overall usage of the filesystem,
	76	and not just the quota usage on the sub-directory mounted, then set the
	77	following config option on the client:
	78
	79	::
	80
	81	client quota df = false
	82
	83	If quotas are not enabled, or no quota is set on the sub-directory mounted,
	84	then the overall usage of the filesystem will be reported irrespective of
	85	the value of this setting.
	86
7c673cae FG	87	Layout and Quota restriction (the 'p' flag)
	88	===========================================
	89
	90	To set layouts or quotas, clients require the 'p' flag in addition to 'rw'.
	91	This restricts all the attributes that are set by special extended attributes
	92	with a "ceph." prefix, as well as restricting other means of setting
	93	these fields (such as openc operations with layouts).
	94
11fdf7f2 TL	95	For example, in the following snippet client.0 can modify layouts and quotas
11fdf7f2 TL	96	on the filesystem cephfs_a, but client.1 cannot.
7c673cae FG	97
	98	::
	99
	100	client.0
	101	key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
	102	caps: [mds] allow rwp
	103	caps: [mon] allow r
11fdf7f2	104	caps: [osd] allow rw tag cephfs data=cephfs_a
7c673cae FG	105
	106	client.1
	107	key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
	108	caps: [mds] allow rw
	109	caps: [mon] allow r
11fdf7f2 TL	110	caps: [osd] allow rw tag cephfs data=cephfs_a
	111
	112
	113	Snapshot restriction (the 's' flag)
	114	===========================================
	115
	116	To create or delete snapshots, clients require the 's' flag in addition to 'rw'.
	117	Note that when capability string also contains the 'p' flag, the 's' flag must
	118	appear after it (all flags except 'rw' must be specified in alphabetical order).
	119
	120	For example, in the following snippet client.0 can create or delete snapshots
	121	in the ``bar`` directory of filesystem ``cephfs_a``.
	122
	123	::
	124
	125	client.0
	126	key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
	127	caps: [mds] allow rw, allow rws path=/bar
	128	caps: [mon] allow r
	129	caps: [osd] allow rw tag cephfs data=cephfs_a
7c673cae FG	130
	131
	132	.. _User Management - Add a User to a Keyring: ../../rados/operations/user-management/#add-a-user-to-a-keyring
11fdf7f2 TL	133
	134	Network restriction
	135	===================
	136
	137	::
	138
	139	client.foo
	140	key: key
	141	caps: [mds] allow r network 10.0.0.0/8, allow rw path=/bar network 10.0.0.0/8
	142	caps: [mon] allow r network 10.0.0.0/8
	143	caps: [osd] allow rw tag cephfs data=cephfs_a network 10.0.0.0/8
	144
	145	The optional ``{network/prefix}`` is a standard network name and
	146	prefix length in CIDR notation (e.g., ``10.3.0.0/16``). If present,
	147	the use of this capability is restricted to clients connecting from
	148	this network.