Bug 14866 - vfs_ceph: ceph mount failed with (1) Operation not permitted for ceph user restricted to cephfs subpath
Summary: vfs_ceph: ceph mount failed with (1) Operation not permitted for ceph user re...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: David Disseldorp
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-15 11:22 UTC by Christoph
Modified: 2022-07-16 06:44 UTC (History)
0 users

See Also:

Attachments
patch to add new ceph:server_path to optionally specifiy cephfs mount path root folder (1.67 KB, patch)
2021-10-15 11:53 UTC, Christoph 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christoph 2021-10-15 11:22:53 UTC 
When trying to set up a samba file server backed by ceph trough  vfs_ceph based, I stumbled upon a "Operation not permitted" error from ceph when using a "ceph:user_id" which is restricted to a access of a subpath of the cephfs. 

This was the share definition:

[testshare]
        vfs objects = ceph
        kernel share modes = no
        ceph:user_id = samba.xpecto.local
        read only = no
        path = /subpath1



With the help of tcpdump I could see the ceph responsed with a

 error_string   non-allowable root '/'


which resulted in the samba error:

  ceph-fuse[380985]: ceph mount failed with (1) Operation not permitted


The reason for this is, that ceph_mount is being called without a base folder (second parameter being NULL) which is interpreted being by cephfs as root-folder "/". But the specified ceph user does not have access to the cephfs root path, resulting in the access denied error.


Initially I tried to use the share-definition "path" argument through "handle->conn->connectpath". But unfortunately this did not work as expected, because the subpath would then be automatically prepended to each ceph request, resulting in paths like /subpath1/subpath1 instead of just /subpath and I could not figure out how to strip the subpath from each ceph-request.


I've successfully created  a small patch vfs_ceph.c to allow for another parameter in the share definition (ceph:server_path) which allows for mounting with a non-root-path  with a restricted ceph-user:

>         const char *ceph_path;
102a104
>       ceph_path = lp_parm_const_string(snum, "ceph", "server_path", NULL);
133a136
>       DBG_DEBUG("[CEPH] using ceph_path=%s as cephfs root directory\n", ceph_path);
135c138
<       ret = ceph_mount(cmount, NULL);
---
>       ret = ceph_mount(cmount, ceph_path);


Test set-up:


1) create restricted user on cephfs on existing ceph cluster:

   ceph auth add client.samba.xpecto.local mds 'allow rw path=/subpath1 mon "allow r" osd "allow class-read object_prefix rbd_children, allow rw pool=cephfs_data"

2) export client keyring for use with samba:

   ceph auth get client.samba.xpecto.local >/etc/ceph/ceph.client.samba.xpecto.local.keyring


samba share:

[testshare]
        vfs objects = ceph
        comment = test share
        kernel share modes = no
        ceph:user_id = samba.xpecto.local
        read only = no
        path = /
        ceph:server_path = /subpath1


Without the patch or missing new ceph:server_path parameter, access to the share "testshare" will fail, with the patch applied the.
Comment 1 Christoph 2021-10-15 11:53:56 UTC 
Created attachment 16851 [details]
patch to add new ceph:server_path to optionally specifiy cephfs mount path root folder
Comment 2 Christoph 2021-11-18 10:25:14 UTC 
Any comments?

Should I create a pull request for the suggested fix?
Comment 3 thomas 2022-07-15 14:55:38 UTC 
The patch works for me.
I'm not a fan of defining a new variable for this, but I'm still trying to understand how to "cleanly" solve this. If this patch could be merged I would be ok with it though.