[ceph.git] / ceph / doc / cephfs / client-auth.rst

================================
CephFS Client Capabilities
================================

Use Ceph authentication capabilities to restrict your filesystem clients
to the lowest possible level of authority needed.

.. note::

    Path restriction and layout modification restriction are new features
    in the Jewel release of Ceph.

Path restriction
================

By default, clients are not restricted in what paths they are allowed to mount.
Further, when clients mount a subdirectory, e.g., /home/user, the MDS does not
by default verify that subsequent operations
are ‘locked’ within that directory.

To restrict clients to only mount and work within a certain directory, use
path-based MDS authentication capabilities.

Syntax
------

To grant rw access to the specified directory only, we mention the specified
directory while creating key for a client using the following syntax. ::

 ceph fs authorize *filesystem_name* client.*client_name* /*specified_directory* rw

for example, to restrict client ``foo`` to writing only in the ``bar`` directory of filesystem ``cephfs``, use ::

 ceph fs authorize cephfs client.foo / r /bar rw

To completely restrict the client to the ``bar`` directory, omit the
root directory ::

 ceph fs authorize cephfs client.foo /bar rw

Note that if a client's read access is restricted to a path, they will only
be able to mount the filesystem when specifying a readable path in the
mount command (see below).


See `User Management - Add a User to a Keyring`_. for additional details on user management

To restrict a client to the specfied sub-directory only, we mention the specified
directory while mounting using the following syntax. ::

 ./ceph-fuse -n client.*client_name* *mount_path* -r *directory_to_be_mounted*

for example, to restrict client ``foo`` to ``mnt/bar`` directory, we will use. ::

 ./ceph-fuse -n client.foo mnt -r /bar

Free space reporting
--------------------

By default, when a client is mounting a sub-directory, the used space (``df``)
will be calculated from the quota on that sub-directory, rather than reporting
the overall amount of space used on the cluster.

If you would like the client to report the overall usage of the filesystem,
and not just the quota usage on the sub-directory mounted, then set the
following config option on the client:

::

    client quota df = false

If quotas are not enabled, or no quota is set on the sub-directory mounted,
then the overall usage of the filesystem will be reported irrespective of
the value of this setting.

Layout and Quota restriction (the 'p' flag)
===========================================

To set layouts or quotas, clients require the 'p' flag in addition to 'rw'.
This restricts all the attributes that are set by special extended attributes
with a "ceph." prefix, as well as restricting other means of setting
these fields (such as openc operations with layouts).

For example, in the following snippet client.0 can modify layouts and quotas, 
but client.1 cannot.

::

    client.0
        key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
        caps: [mds] allow rwp
        caps: [mon] allow r
        caps: [osd] allow rw pool=data

    client.1
        key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
        caps: [mds] allow rw
        caps: [mon] allow r
        caps: [osd] allow rw pool=data


.. _User Management - Add a User to a Keyring: ../../rados/operations/user-management/#add-a-user-to-a-keyring
Commit	Line	Data
7c673cae FG	1	================================
	2	CephFS Client Capabilities
	3	================================
	4
	5	Use Ceph authentication capabilities to restrict your filesystem clients
	6	to the lowest possible level of authority needed.
	7
	8	.. note::
	9
	10	Path restriction and layout modification restriction are new features
	11	in the Jewel release of Ceph.
	12
	13	Path restriction
	14	================
	15
	16	By default, clients are not restricted in what paths they are allowed to mount.
	17	Further, when clients mount a subdirectory, e.g., /home/user, the MDS does not
	18	by default verify that subsequent operations
	19	are ‘locked’ within that directory.
	20
	21	To restrict clients to only mount and work within a certain directory, use
	22	path-based MDS authentication capabilities.
	23
	24	Syntax
	25	------
	26
	27	To grant rw access to the specified directory only, we mention the specified
d2e6a577	28	directory while creating key for a client using the following syntax. ::
7c673cae	29
d2e6a577	30	ceph fs authorize filesystem_name client.client_name /specified_directory rw
7c673cae	31
d2e6a577	32	for example, to restrict client ``foo`` to writing only in the ``bar`` directory of filesystem ``cephfs``, use ::
7c673cae	33
d2e6a577	34	ceph fs authorize cephfs client.foo / r /bar rw
7c673cae FG	35
7c673cae FG	36	To completely restrict the client to the ``bar`` directory, omit the
d2e6a577	37	root directory ::
7c673cae	38
d2e6a577	39	ceph fs authorize cephfs client.foo /bar rw
7c673cae FG	40
	41	Note that if a client's read access is restricted to a path, they will only
	42	be able to mount the filesystem when specifying a readable path in the
	43	mount command (see below).
	44
	45
	46	See `User Management - Add a User to a Keyring`_. for additional details on user management
	47
	48	To restrict a client to the specfied sub-directory only, we mention the specified
d2e6a577	49	directory while mounting using the following syntax. ::
7c673cae	50
d2e6a577	51	./ceph-fuse -n client.client_name mount_path -r directory_to_be_mounted
7c673cae FG	52
	53	for example, to restrict client ``foo`` to ``mnt/bar`` directory, we will use. ::
	54
d2e6a577	55	./ceph-fuse -n client.foo mnt -r /bar
7c673cae FG	56
	57	Free space reporting
	58	--------------------
	59
	60	By default, when a client is mounting a sub-directory, the used space (``df``)
	61	will be calculated from the quota on that sub-directory, rather than reporting
	62	the overall amount of space used on the cluster.
	63
	64	If you would like the client to report the overall usage of the filesystem,
	65	and not just the quota usage on the sub-directory mounted, then set the
	66	following config option on the client:
	67
	68	::
	69
	70	client quota df = false
	71
	72	If quotas are not enabled, or no quota is set on the sub-directory mounted,
	73	then the overall usage of the filesystem will be reported irrespective of
	74	the value of this setting.
	75
7c673cae FG	76	Layout and Quota restriction (the 'p' flag)
	77	===========================================
	78
	79	To set layouts or quotas, clients require the 'p' flag in addition to 'rw'.
	80	This restricts all the attributes that are set by special extended attributes
	81	with a "ceph." prefix, as well as restricting other means of setting
	82	these fields (such as openc operations with layouts).
	83
	84	For example, in the following snippet client.0 can modify layouts and quotas,
	85	but client.1 cannot.
	86
	87	::
	88
	89	client.0
	90	key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
	91	caps: [mds] allow rwp
	92	caps: [mon] allow r
	93	caps: [osd] allow rw pool=data
	94
	95	client.1
	96	key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
	97	caps: [mds] allow rw
	98	caps: [mon] allow r
	99	caps: [osd] allow rw pool=data
	100
	101
	102	.. _User Management - Add a User to a Keyring: ../../rados/operations/user-management/#add-a-user-to-a-keyring