
Bug 2232446

Summary: [cephfs][client] client allows to write with only read permission
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: julpark
Component: CephFS
Assignee: Rishabh Dave <ridave>
Status: CLOSED NOTABUG
QA Contact: Hemanth Kumar <hyelloji>
Severity: high
Priority: unspecified
Version: 6.1
CC: ceph-eng-bugs, cephqe-warriors, gfarnum, ridave
Target Release: 7.1
Hardware: Unspecified
OS: Unspecified
Last Closed: 2023-10-18 03:34:31 UTC
Type: Bug

Description julpark 2023-08-16 23:18:52 UTC
Description of problem:

Client allows writing in a dir with only read permissions

Version-Release number of selected component (if applicable):

17.2.6-111.el9cp

How reproducible:

Create a client with only read permission in dir1, mount with it, and try to write something in dir1

Steps to Reproduce:
1. Create a client with only read permission in dir1
2. Mount it with the client
3. Try to write in the dir

Actual results:

It allows writing in the directory

Expected results:

It should not allow writing in the directory

Additional info:

client.name2
	key: AQD4UN1koO5cCxAABydYwjB7cAttRRkAXIyHjA==
	caps: [mds] allow *,allow r path=/dir1
	caps: [mgr] allow rw
	caps: [mon] allow *
	caps: [osd] allow rw tag cephfs data=cephfs

[root@ceph-julpark-mvqdwj-node8 mnt]# ceph-fuse -n client.name2 /mnt/julpark2/
2023-08-16T18:46:15.722-0400 7f942c712300 -1 init, newargv = 0x55ae28ab6440 newargc=15
ceph-fuse[38131]: starting ceph client
ceph-fuse[38131]: starting fuse

[root@ceph-julpark-mvqdwj-node8 julpark2]# ls
ceph-julpark-mvqdwj-node8_dd_  dir1  dir2  dir3  file_dstdir  file_srcdir  network_shared
[root@ceph-julpark-mvqdwj-node8 julpark2]# cd dir1/
[root@ceph-julpark-mvqdwj-node8 dir1]#
[root@ceph-julpark-mvqdwj-node8 dir1]# touch 234
[root@ceph-julpark-mvqdwj-node8 dir1]# ls
234  asdf  qwer

Comment 2 Rishabh Dave 2023-10-06 11:43:51 UTC
This is not a bug. Ceph caps can't be subtractive. "allow r path=/dir1" will have no effect when it is preceded by "allow *". Therefore, allowing writes on "/dir1" is correct behaviour when MDS cap is "allow *,allow r path=/dir1".
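
The additive behaviour described in Comment 2, as an added example that is not part of the bug report and not Ceph's own code: a simplified model of MDS cap evaluation that shows why the reporter's caps permit the write and flags the read-only grant that has no effect. It assumes only `allow <spec> [path=...]` grants (no uid/gid, fsname or root_squash), and all function names are hypothetical.

```python
import re

# Simplified model (assumption): comma-separated "allow <spec> [path=<p>]" grants.
GRANT_RE = re.compile(r"^allow\s+(\*|all|r[a-z]*)(?:\s+path=(\S+))?$")

def parse_mds_caps(caps):
    """Split an MDS cap string into grants with a write flag and a normalized path."""
    grants = []
    for part in (p.strip() for p in caps.split(",")):
        m = GRANT_RE.match(part)
        if not m:
            raise ValueError(f"unsupported grant: {part!r}")
        spec, path = m.group(1), m.group(2) or "/"
        grants.append({"text": part,
                       "write": spec in ("*", "all") or "w" in spec,
                       "path": "/" + path.strip("/")})
    return grants

def covers(grant_path, target):
    """True if target is grant_path itself or lies beneath it."""
    return (grant_path == "/" or target == grant_path
            or target.startswith(grant_path + "/"))

def may_write(caps, target):
    """Grants are a union: one matching grant with write is enough."""
    target = "/" + target.strip("/")
    return any(g["write"] and covers(g["path"], target)
               for g in parse_mds_caps(caps))

def shadowed_grants(caps):
    """Read-only grants whose path is already covered by a grant that allows write."""
    grants = parse_mds_caps(caps)
    return [g["text"] for g in grants if not g["write"] and any(
        o is not g and o["write"] and covers(o["path"], g["path"])
        for o in grants)]

if __name__ == "__main__":
    reported = "allow *,allow r path=/dir1"   # MDS caps from the bug report
    restricted = "allow r path=/dir1"         # constructed: read-only grant alone
    for caps in (reported, restricted):
        print(f"{caps!r}: write /dir1/234 -> {may_write(caps, '/dir1/234')}, "
              f"no-effect grants -> {shadowed_grants(caps)}")
```
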

Comment 3 Greg Farnum 2023-10-11 16:40:54 UTC
How did these caps come into existence? Is the documentation misleading somehow? Unless there's a docs change we should make, I think we just close this as NOTABUG.