@@ -16,38 +16,42 @@ to the lowest possible level of authority needed.
1616Path restriction
1717================
1818
19- By default, clients are not restricted in what paths they are allowed to
20- mount. Further, when clients mount a subdirectory, e.g., ``/home/user ``, the
21- MDS does not by default verify that subsequent operations are ‘ locked’ within
22- that directory.
19+ By default, clients are not restricted in the paths that they are allowed to
20+ mount. When clients mount a subdirectory (for example ``/home/user ``) , the MDS
21+ does not by default verify that subsequent operations are " locked" within that
22+ directory.
2323
24- To restrict clients to only mount and work within a certain directory, use
25- path-based MDS authentication capabilities.
24+ To restrict clients so that they mount and work only within a certain
25+ directory, use path-based MDS authentication capabilities.
2626
27- Note that this restriction *only * impacts the filesystem hierarchy -- the metadata
28- tree managed by the MDS. Clients will still be able to access the underlying
29- file data in RADOS directly. To segregate clients fully, you must also isolate
30- untrusted clients in their own RADOS namespace. You can place a client's
31- filesystem subtree in a particular namespace using `file layouts `_ and then
32- restrict their RADOS access to that namespace using `OSD capabilities `_
27+ This restriction impacts *only * the filesystem hierarchy, or, in other words,
28+ the metadata tree that is managed by the MDS. Clients will still be able to
29+ access the underlying file data in RADOS directly. To segregate clients fully,
30+ isolate untrusted clients in their own RADOS namespace. You can place a
31+ client's filesystem subtree in a particular namespace using `file layouts `_ and
32+ then restrict their RADOS access to that namespace using `OSD capabilities `_
3333
3434.. _file layouts : ./file-layouts
3535.. _OSD capabilities : ../rados/operations/user-management/#authorization-capabilities
3636
3737Syntax
3838------
3939
40- To grant rw access to the specified directory only, we mention the specified
41- directory while creating key for a client using the following syntax: :
40+ To grant `` rw `` access to the specified directory only, mention the specified
41+ directory while creating key for a client. Use a command of the following form :
4242
43- ceph fs authorize <fs_name> client.<client_id> <path-in-cephfs> rw
43+ .. prompt :: bash #
4444
45- For example, to restrict client ``foo `` to writing only in the ``bar ``
46- directory of file system ``cephfs_a ``, use ::
45+ ceph fs authorize <fs_name> client.<client_id> <path-in-cephfs> rw
4746
48- ceph fs authorize cephfs_a client.foo / r /bar rw
47+ For example, to restrict a client named ``foo `` so that it can write only in
48+ the ``bar `` directory of file system ``cephfs_a ``, run the following command:
4949
50- results in:
50+ .. prompt :: bash #
51+
52+ ceph fs authorize cephfs_a client.foo / r /bar rw
53+
54+ This results in::
5155
5256 client.foo
5357 key: *key*
@@ -56,48 +60,52 @@ directory of file system ``cephfs_a``, use ::
5660 caps: [osd] allow rw tag cephfs data=cephfs_a
5761
5862To completely restrict the client to the ``bar `` directory, omit the
59- root directory ::
63+ root directory :
64+
65+ .. prompt :: bash #
6066
61- ceph fs authorize cephfs_a client.foo /bar rw
67+ ceph fs authorize cephfs_a client.foo /bar rw
6268
63- Note that if a client's read access is restricted to a path, they will only
64- be able to mount the file system when specifying a readable path in the
65- mount command (see below).
69+ If a client's read access is restricted to a path, the client will be able to
70+ mount the file system only by specifying a readable path in the mount command
71+ (see below).
6672
67- Supplying ``all `` or ``* `` as the file system name will grant access to every
68- file system. Note that it is usually necessary to quote ``* `` to protect it
69- from the shell.
73+ Supplying ``all `` or ``* `` as the file system name grants access to every file
74+ system. It is usually necessary to quote ``* `` to protect it from the
75+ shell.
7076
71- See `User Management - Add a User to a Keyring `_. for additional details on
72- user management
77+ See `User Management - Add a User to a Keyring `_ for more on user management.
7378
74- To restrict a client to the specified sub-directory only, we mention the
75- specified directory while mounting using the following syntax::
79+ To restrict a client to only the specified sub-directory, mention the specified
80+ directory while mounting. Use a command of the following form:
7681
77- ceph-fuse -n client.<client_id> <mount-path> -r *directory_to_be_mounted*
82+ .. prompt :: bash #
7883
79- For example, to restrict client ``foo `` to ``mnt/bar `` directory, we will
80- use::
84+ ceph-fuse -n client.<client_id> <mount-path> -r *directory_to_be_mounted *
8185
82- ceph-fuse -n client.foo mnt -r /bar
86+ For example, to restrict client ``foo `` to ``mnt/bar `` directory, use the
87+ following command:
88+
89+ .. prompt :: bash #
90+
91+ ceph-fuse -n client.foo mnt -r /bar
8392
8493Free space reporting
8594--------------------
8695
87- By default, when a client is mounting a sub-directory, the used space (``df ``)
88- will be calculated from the quota on that sub-directory, rather than reporting
89- the overall amount of space used on the cluster.
90-
91- If you would like the client to report the overall usage of the file system,
92- and not just the quota usage on the sub-directory mounted, then set the
93- following config option on the client::
96+ When a client is mounting a sub-directory, by default the used space (``df ``)
97+ is calculated from the quota on that sub-directory rather than reporting the
98+ overall amount of space used on the cluster.
9499
100+ To make the client report the overall usage of the file system and not just the
101+ quota usage on the mounted sub-directory, set the following config option on
102+ the client::
95103
96104 client quota df = false
97105
98- If quotas are not enabled, or no quota is set on the sub-directory mounted ,
99- then the overall usage of the file system will be reported irrespective of
100- the value of this setting.
106+ If quotas are not enabled or if no quota is set on the mounted sub-directory,
107+ then the overall usage of the file system will be reported irrespective of the
108+ value of this setting.
101109
102110Layout and Quota restriction (the 'p' flag)
103111===========================================
0 commit comments