Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp2465362rwd; Wed, 14 Jun 2023 03:17:46 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ79ot+HslQ6Lw4pHpV1hZNGLW5ZxhWqGT1ZIwtpCRoXDCNVPXUyUcc/OSwNkdxi3B8lrJK+ X-Received: by 2002:aa7:de07:0:b0:510:d9c8:f180 with SMTP id h7-20020aa7de07000000b00510d9c8f180mr8352284edv.21.1686737865822; Wed, 14 Jun 2023 03:17:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686737865; cv=none; d=google.com; s=arc-20160816; b=yGn9DOEk4lwyXGDn/VKPnAzgJxipmIZi0wBRqJlKPL6xNxKFKcm+4kWbiI+DsJPAue ya8VhErL4CpG0Oa35cSa8hPUyyQV0D5BgJ+UQ50vIa4AvV+bE2L8XXRMFKUpRUw03Fym Avzf0Kz3+PQHt9ZKi2IjP6RITZbp7lp13B/OQ4ECX9vqogjc4KetcBaK7lLLJXGJRgxv a5pGOgceATG248uaukp949EQ1RKSjxaN9eD5XiwWzaYCNMDM2PC5IYPlc2QhgPqIn9II QwEJgGIcVlcLFPrbW9AQvcWwEAc+MjTrCGLFX1KekLDAEDRHJBEu6mvSv9Z1fnT046dU oBLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=16iXiR/eYWIg5Oeq17rV2jFGybdwYcnzk9LFuaASnq4=; b=uvr1F4mZ9i3uy8XEM+qLP02ytHSU0m/AuiBxXGADw/yD9uB0JxVQN+zPZ1omE6CLfW kVCRb8XPZBw9P+AQ95KzyYwn6g2NTGeo+WFXeom1D3X0tjeMn0CMAnLVOTMwsu+6T/2w RhBisw+EiMtn8r14BHHAAnkJDcNBIaE+tdm3WlhUIvowGDieX/Izza+tBYYZHJPPKmTh jKJW6l6mDM76xUo4zNZ5bpIClLxtrEbRGurDx5XjvmyZaqY+dzTpslowJTqTH1rXl1hC uhiJ+imNHqBlfN3j6N7h5iJucJBN2xm+9i2cDdHHeSRt38+t4EzuavOiFp/ljocrQIk/ l7Rw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=YagmxNqX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u24-20020aa7d998000000b0051897c1513fsi510970eds.567.2023.06.14.03.17.21; Wed, 14 Jun 2023 03:17:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=YagmxNqX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244032AbjFNJqk (ORCPT + 99 others); Wed, 14 Jun 2023 05:46:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46574 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244234AbjFNJqQ (ORCPT ); Wed, 14 Jun 2023 05:46:16 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AFB6B269E; Wed, 14 Jun 2023 02:45:51 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 183C263A37; Wed, 14 Jun 2023 09:45:51 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6BF80C433C0; Wed, 14 Jun 2023 09:45:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1686735950; bh=bOUTEmQRNYc2XRJruJB03nYq61euHP/sjkiGBDp0jWY=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=YagmxNqX4bkrWOB9BBQcotdoXxdLP0fEnyz9wXn8Sl7+EjU/LxuJDdp9uBB38g0YT mRxpCUyx9P6EIwxoACtoqJiSwoWqfAbU7UdZVVcdTSLc7F1aPshmkHgjI4E+Eus30y KepqggXk0js7bVCTE8quhjgSx70PCFTnpgQoTJU0SzXjUfKtWdByl13UOcfXTdTsKN 3N1RD4YgTpBGTPj1vFue4yhScbXUY8z4yta5NFW094UZGmvAO96SvWQp1e+iQx9E7J aq9N5Z8k/eB5IE529DjlRUXFOVzfT3c+Ch0i+yrrhxr+i8q8T4XLKpTPuNWhenChf0 moyzO6KNMk/zA== Date: Wed, 14 Jun 2023 11:45:45 +0200 From: Christian Brauner To: Aleksandr Mikhalitsyn Cc: Xiubo Li , Gregory Farnum , stgraber@ubuntu.com, linux-fsdevel@vger.kernel.org, Ilya Dryomov , Jeff Layton , ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v5 00/14] ceph: support idmapped mounts Message-ID: <20230614-westseite-urlaub-7a5afcf0577a@brauner> References: <20230608154256.562906-1-aleksandr.mikhalitsyn@canonical.com> <20230609-alufolie-gezaubert-f18ef17cda12@brauner> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 13, 2023 at 02:46:02PM +0200, Aleksandr Mikhalitsyn wrote: > On Tue, Jun 13, 2023 at 3:43 AM Xiubo Li wrote: > > > > > > On 6/9/23 18:12, Aleksandr Mikhalitsyn wrote: > > > On Fri, Jun 9, 2023 at 12:00 PM Christian Brauner wrote: > > >> On Fri, Jun 09, 2023 at 10:59:19AM +0200, Aleksandr Mikhalitsyn wrote: > > >>> On Fri, Jun 9, 2023 at 3:57 AM Xiubo Li wrote: > > >>>> > > >>>> On 6/8/23 23:42, Alexander Mikhalitsyn wrote: > > >>>>> Dear friends, > > >>>>> > > >>>>> This patchset was originally developed by Christian Brauner but I'll continue > > >>>>> to push it forward. Christian allowed me to do that :) > > >>>>> > > >>>>> This feature is already actively used/tested with LXD/LXC project. > > >>>>> > > >>>>> Git tree (based on https://github.com/ceph/ceph-client.git master): > > >>> Hi Xiubo! > > >>> > > >>>> Could you rebase these patches to 'testing' branch ? > > >>> Will do in -v6. > > >>> > > >>>> And you still have missed several places, for example the following cases: > > >>>> > > >>>> > > >>>> 1 269 fs/ceph/addr.c <> > > >>>> req = ceph_mdsc_create_request(mdsc, CEPH_MDS_OP_GETATTR, > > >>>> mode); > > >>> + > > >>> > > >>>> 2 389 fs/ceph/dir.c <> > > >>>> req = ceph_mdsc_create_request(mdsc, op, USE_AUTH_MDS); > > >>> + > > >>> > > >>>> 3 789 fs/ceph/dir.c <> > > >>>> req = ceph_mdsc_create_request(mdsc, op, USE_ANY_MDS); > > >>> We don't have an idmapping passed to lookup from the VFS layer. As I > > >>> mentioned before, it's just impossible now. > > >> ->lookup() doesn't deal with idmappings and really can't otherwise you > > >> risk ending up with inode aliasing which is really not something you > > >> want. IOW, you can't fill in inode->i_{g,u}id based on a mount's > > >> idmapping as inode->i_{g,u}id absolutely needs to be a filesystem wide > > >> value. So better not even risk exposing the idmapping in there at all. > > > Thanks for adding, Christian! > > > > > > I agree, every time when we use an idmapping we need to be careful with > > > what we map. AFAIU, inode->i_{g,u}id should be based on the filesystem > > > idmapping (not mount), > > > but in this case, Xiubo want's current_fs{u,g}id to be mapped > > > according to an idmapping. > > > Anyway, it's impossible at now and IMHO, until we don't have any > > > practical use case where > > > UID/GID-based path restriction is used in combination with idmapped > > > mounts it's not worth to > > > make such big changes in the VFS layer. > > > > > > May be I'm not right, but it seems like UID/GID-based path restriction > > > is not a widespread > > > feature and I can hardly imagine it to be used with the container > > > workloads (for instance), > > > because it will require to always keep in sync MDS permissions > > > configuration with the > > > possible UID/GID ranges on the client. It looks like a nightmare for sysadmin. > > > It is useful when cephfs is used as an external storage on the host, but if you > > > share cephfs with a few containers with different user namespaces idmapping... > > > > Hmm, while this will break the MDS permission check in cephfs then in > > lookup case. If we really couldn't support it we should make it to > > escape the check anyway or some OPs may fail and won't work as expected. > > Hi Xiubo! > > Disabling UID/GID checks on the MDS side looks reasonable. IMHO the > most important checks are: > - open > - mknod/mkdir/symlink/rename > and for these checks we already have an idmapping. > > Also, I want to add that it's a little bit unusual when permission > checks are done against the caller UID/GID. The server side permission checking based on the sender's fs{g,u}id is rather esoteric imho. So I would just disable it for idmapped mounts. > Usually, if we have opened a file descriptor and, for instance, passed > this file descriptor through a unix socket then > file descriptor holder will be able to use it in accordance with the > flags (O_RDONLY, O_RDWR, ...). > We also have ->f_cred on the struct file that contains credentials of > the file opener and permission checks are usually done > based on this. But in cephfs we are always using syscall caller's > credentials. It makes cephfs file descriptor "not transferable" > in terms of permission checks. Yeah, that's another good point.