Bug 14866 - vfs_ceph: ceph mount failed with (1) Operation not permitted for ceph user restricted to cephfs subpath
Summary: vfs_ceph: ceph mount failed with (1) Operation not permitted for ceph user re...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: David Disseldorp
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-15 11:22 UTC by Christoph
Modified: 2022-07-16 06:44 UTC (History)
0 users

See Also:


Attachments
patch to add new ceph:server_path to optionally specifiy cephfs mount path root folder (1.67 KB, patch)
2021-10-15 11:53 UTC, Christoph
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Christoph 2021-10-15 11:22:53 UTC
When trying to set up a samba file server backed by ceph trough  vfs_ceph based, I stumbled upon a "Operation not permitted" error from ceph when using a "ceph:user_id" which is restricted to a access of a subpath of the cephfs. 

This was the share definition:

[testshare]
        vfs objects = ceph
        kernel share modes = no
        ceph:user_id = samba.xpecto.local
        read only = no
        path = /subpath1



With the help of tcpdump I could see the ceph responsed with a

 error_string   non-allowable root '/'


which resulted in the samba error:

  ceph-fuse[380985]: ceph mount failed with (1) Operation not permitted


The reason for this is, that ceph_mount is being called without a base folder (second parameter being NULL) which is interpreted being by cephfs as root-folder "/". But the specified ceph user does not have access to the cephfs root path, resulting in the access denied error.


Initially I tried to use the share-definition "path" argument through "handle->conn->connectpath". But unfortunately this did not work as expected, because the subpath would then be automatically prepended to each ceph request, resulting in paths like /subpath1/subpath1 instead of just /subpath and I could not figure out how to strip the subpath from each ceph-request.


I've successfully created  a small patch vfs_ceph.c to allow for another parameter in the share definition (ceph:server_path) which allows for mounting with a non-root-path  with a restricted ceph-user:

>         const char *ceph_path;
102a104
>       ceph_path = lp_parm_const_string(snum, "ceph", "server_path", NULL);
133a136
>       DBG_DEBUG("[CEPH] using ceph_path=%s as cephfs root directory\n", ceph_path);
135c138
<       ret = ceph_mount(cmount, NULL);
---
>       ret = ceph_mount(cmount, ceph_path);


Test set-up:


1) create restricted user on cephfs on existing ceph cluster:

   ceph auth add client.samba.xpecto.local mds 'allow rw path=/subpath1 mon "allow r" osd "allow class-read object_prefix rbd_children, allow rw pool=cephfs_data"

2) export client keyring for use with samba:

   ceph auth get client.samba.xpecto.local >/etc/ceph/ceph.client.samba.xpecto.local.keyring


samba share:

[testshare]
        vfs objects = ceph
        comment = test share
        kernel share modes = no
        ceph:user_id = samba.xpecto.local
        read only = no
        path = /
        ceph:server_path = /subpath1


Without the patch or missing new ceph:server_path parameter, access to the share "testshare" will fail, with the patch applied the.
Comment 1 Christoph 2021-10-15 11:53:56 UTC
Created attachment 16851 [details]
patch to add new ceph:server_path to optionally specifiy cephfs mount path root folder
Comment 2 Christoph 2021-11-18 10:25:14 UTC
Any comments?

Should I create a pull request for the suggested fix?
Comment 3 thomas 2022-07-15 14:55:38 UTC
The patch works for me.
I'm not a fan of defining a new variable for this, but I'm still trying to understand how to "cleanly" solve this. If this patch could be merged I would be ok with it though.