When trying to set up a Samba file server backed by Ceph through vfs_ceph, I stumbled upon an "Operation not permitted" error from Ceph when using a "ceph:user_id" which is restricted to access to a subpath of the CephFS. This was the share definition:

    [testshare]
    vfs objects = ceph
    kernel share modes = no
    ceph:user_id = samba.xpecto.local
    read only = no
    path = /subpath1

With the help of tcpdump I could see that Ceph responded with the error_string "non-allowable root '/'", which resulted in the Samba error:

    ceph-fuse[380985]: ceph mount failed with (1) Operation not permitted

The reason for this is that ceph_mount is being called without a base folder (second parameter being NULL), which is interpreted by CephFS as the root folder "/". But the specified Ceph user does not have access to the CephFS root path, resulting in the access denied error.

Initially I tried to use the share definition's "path" argument through "handle->conn->connectpath". But unfortunately this did not work as expected, because the subpath would then be automatically prepended to each Ceph request, resulting in paths like /subpath1/subpath1 instead of just /subpath1, and I could not figure out how to strip the subpath from each Ceph request.
I've successfully created a small patch to vfs_ceph.c to allow for another parameter in the share definition (ceph:server_path) which allows for mounting with a non-root path with a restricted Ceph user:

> const char *ceph_path; 102a104 > ceph_path = lp_parm_const_string(snum, "ceph", "server_path", NULL); 133a136 > DBG_DEBUG("[CEPH] using ceph_path=%s as cephfs root directory\n", ceph_path); 135c138 < ret = ceph_mount(cmount, NULL); --- > ret = ceph_mount(cmount, ceph_path);

Test set-up:

1) create restricted user on CephFS on existing Ceph cluster:

    ceph auth add client.samba.xpecto.local mds 'allow rw path=/subpath1' mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rw pool=cephfs_data'

2) export client keyring for use with Samba:

    ceph auth get client.samba.xpecto.local >/etc/ceph/ceph.client.samba.xpecto.local.keyring

Samba share:

    [testshare]
    vfs objects = ceph
    comment = test share
    kernel share modes = no
    ceph:user_id = samba.xpecto.local
    read only = no
    path = /
    ceph:server_path = /subpath1

Without the patch, or with the new ceph:server_path parameter missing, access to the share "testshare" will fail; with the patch applied the.
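Review bot: the DBG_DEBUG("[CEPH] using ceph_path=%s as cephfs root directory\n", ceph_path) line in the 133a136 hunk is reached with ceph_path == NULL whenever the share does not set ceph:server_path, because lp_parm_const_string(snum, "ceph", "server_path", NULL) is called with a NULL default; passing NULL to a %s conversion is undefined behaviour in C, so either make the default "/" (which matches what ceph_mount(cmount, NULL) does today and keeps the old behaviour explicit) or skip the log line when the parameter is unset. The new ceph:server_path share parameter also needs a description in the vfs_ceph manpage next to ceph:user_id so admins can find it, and the hunk header for the first insertion (the "> const char *ceph_path;" line) is missing from the posted diff; a unified diff or git format-patch output would apply more reliably than this normal-diff format.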
Created attachment 16851 [details] patch to add new ceph:server_path to optionally specify cephfs mount path root folder
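A small model of the mount-root problem described in the report and of the test set-up above, added here as an illustration; it is not code from Samba, Ceph or the attached patch. It parses a constructed keyring in the shape of `ceph auth get` output and a constructed smb.conf with three shares, derives the root that the patched vfs_ceph would hand to ceph_mount() (ceph:server_path, or "/" when the parameter is absent, which is the unpatched behaviour), approximates the MDS path check that produces "non-allowable root", and shows why putting the subpath in both `path` and `ceph:server_path` yields /subpath1/subpath1. The key `ceph:server_path` is the parameter proposed by the patch, the prefix-match rule is my approximation of the MDS check rather than its implementation, and the keyring key is a placeholder.

```python
import posixpath
import re

# Constructed keyring, shaped like `ceph auth get client.samba.xpecto.local`
# output; the key is a placeholder, not a real secret.
KEYRING = """\
[client.samba.xpecto.local]
\tkey = REDACTED
\tcaps mds = "allow rw path=/subpath1"
\tcaps mon = "allow r"
\tcaps osd = "allow class-read object_prefix rbd_children, allow rw pool=cephfs_data"
"""

# Constructed smb.conf: [broken] is the reporter's first attempt (mount root
# defaults to "/"), [testshare] is the layout used with the patch, [double]
# puts the subpath in both places and gets /subpath1/subpath1 on every request.
SMB_CONF = """\
[broken]
    vfs objects = ceph
    ceph:user_id = samba.xpecto.local
    path = /subpath1

[testshare]
    vfs objects = ceph
    ceph:user_id = samba.xpecto.local
    path = /
    ceph:server_path = /subpath1

[double]
    vfs objects = ceph
    ceph:user_id = samba.xpecto.local
    path = /subpath1
    ceph:server_path = /subpath1
"""


def parse_shares(text):
    """Minimal smb.conf parser: {share: {key: value}}, keys lower-cased."""
    shares, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = shares.setdefault(m.group(1), {})
            continue
        key, sep, val = line.partition("=")
        if cur is not None and sep:
            cur[key.strip().lower()] = val.strip()
    return shares


def parse_mds_grants(keyring):
    """Return [(perms, path_or_None)] from the `caps mds = "..."` line."""
    m = re.search(r'caps mds = "([^"]*)"', keyring)
    if not m:
        return []
    grants = []
    for grant in m.group(1).split(","):
        words = grant.split()
        if not words or words[0] != "allow":
            continue
        perms = "".join(w for w in words[1:] if "=" not in w)
        path = next((w.split("=", 1)[1] for w in words if w.startswith("path=")), None)
        grants.append((perms, path))
    return grants


def mount_root(share):
    """Root handed to ceph_mount(): the patch's ceph:server_path, else "/"
    (the unpatched NULL argument, which CephFS treats as the root folder)."""
    return share.get("ceph:server_path") or "/"


def root_allowed(root, grants):
    """Approximation of the MDS check behind 'non-allowable root': the mount
    root must be at or below some grant's path, or a grant must be unrestricted."""
    root = posixpath.normpath(root)
    for _perms, path in grants:
        if path is None:
            return True
        path = posixpath.normpath(path)
        if root == path or root.startswith(path.rstrip("/") + "/"):
            return True
    return False


def check_share(shares, name, grants):
    """(mount root, mount permitted?) for one share."""
    root = mount_root(shares[name])
    return root, root_allowed(root, grants)


def request_path(share, relname):
    """Absolute CephFS path a request for relname resolves to: mount root plus
    the share's connectpath, which vfs_ceph prepends to every request."""
    connectpath = share.get("path", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(mount_root(share), connectpath, relname))


if __name__ == "__main__":
    grants = parse_mds_grants(KEYRING)
    shares = parse_shares(SMB_CONF)
    for name, share in shares.items():
        root, ok = check_share(shares, name, grants)
        verdict = "ok" if ok else "non-allowable root"
        print(f"{name}: ceph_mount root {root!r} -> {verdict}; "
              f"'file' maps to {request_path(share, 'file')}")
```

Running it shows [broken] being refused at mount time with root "/", [testshare] mounting at /subpath1 and mapping "file" to /subpath1/file, and [double] mounting fine but mapping "file" to /subpath1/subpath1/file, which is the double-prefix the reporter hit when trying to reuse connectpath as the mount root.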
Any comments? Should I create a pull request for the suggested fix?
The patch works for me. I'm not a fan of defining a new variable for this, but I'm still trying to understand how to "cleanly" solve this. If this patch could be merged I would be ok with it though.