Description of problem: There is a difference in the behavior of permissions handling when dealing with paths that have a trailing slash between versions 7.1 and 8.0. In version 8.0: Permissions are applied directly to the specified path. For example, if a user has rw (read/write) permissions to the path /volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/, they can create files and folders directly within this directory. In version 7.1: Permissions are applied differently. Users cannot create files or folders directly within the path, but they can create files and folders in subdirectories under the path. Assign rw permissions to a path such as /volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/. Attempt to create a file or folder directly within this path: In 8.0, this works as expected. In 7.1, the file or folder creation fails unless it is within a subdirectory. Test steps on 8.0: [root@ceph-amk-nfs-h8x293-node11 ~]# ceph fs subvolume create cephfs subvol_1 [root@ceph-amk-nfs-h8x293-node11 ~]# [root@ceph-amk-nfs-h8x293-node11 ~]# [root@ceph-amk-nfs-h8x293-node11 ~]# ceph fs subvolume getpath cephfs subvol_1 /volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227 [root@ceph-amk-nfs-h8x293-node11 ~]# ceph fs authorize cephfs client.test_auth / r /volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/ rw [client.test_auth] key = AQDIzgJnd/vbIhAAYWa38+Yqeky9lJKY4oLgtg== caps mds = "allow r fsname=cephfs, allow rw fsname=cephfs path=/volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/" caps mon = "allow r fsname=cephfs" caps osd = "allow rw tag cephfs data=cephfs" [root@ceph-amk-nfs-h8x293-node11 ~]# [root@ceph-amk-nfs-h8x293-node11 ~]# [root@ceph-amk-nfs-h8x293-node11 ~]# mkdir /mnt/cephfuse [root@ceph-amk-nfs-h8x293-node11 ~]# ceph auth get client.test_auth -o /etc/ceph/ceph.client.test_auth.keyring [root@ceph-amk-nfs-h8x293-node11 ~]# [root@ceph-amk-nfs-h8x293-node11 ~]# ceph-fuse -n client.test_auth /mnt/cephfuse/ -r / --client_fs cephfs 2024-10-06T13:55:41.303-0400 7fe331d53480 -1 init, newargv = 0x55ae1392be40 newargc=15 ceph-fuse[11272]: starting ceph client ceph-fuse[11272]: starting fuse [root@ceph-amk-nfs-h8x293-node11 ~]# [root@ceph-amk-nfs-h8x293-node11 ~]# cd /mnt/cephfuse/ [root@ceph-amk-nfs-h8x293-node11 cephfuse]# ls volumes [root@ceph-amk-nfs-h8x293-node11 cephfuse]# touch auth_test_file touch: cannot touch 'auth_test_file': Permission denied [root@ceph-amk-nfs-h8x293-node11 cephfuse]# cd volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/ [root@ceph-amk-nfs-h8x293-node11 c6b9ef66-8107-4622-ba8a-cb809d92e227]# touch auth_test_file [root@ceph-amk-nfs-h8x293-node11 c6b9ef66-8107-4622-ba8a-cb809d92e227]# In 7.1: [root@ceph-amk-top-bh9z9m-node8 ~]# ceph fs subvolume getpath cephfs subvol_1 /volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8 [root@ceph-amk-top-bh9z9m-node8 ~]# ceph fs authorize cephfs client.test_auth / r /volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8/ rw [client.test_auth] key = AQCknQNnmZj8ExAAXhaEPrmyPtKzk7MMxZmjQA== [root@ceph-amk-top-bh9z9m-node8 ~]# ceph auth get client.test_auth -o /etc/ceph/ceph.client.test_auth.keyring [root@ceph-amk-top-bh9z9m-node8 ~]# mkdir /mnt/cephfuse [root@ceph-amk-top-bh9z9m-node8 ~]# ceph-fuse -n client.test_auth /mnt/cephfuse/ -r / --client_fs cephfs 2024-10-07T04:37:07.430-0400 7fd06d40b480 -1 init, newargv = 0x7fd05c004bd0 newargc=15 ceph-fuse[6552]: starting ceph client ceph-fuse[6552]: starting fuse [root@ceph-amk-top-bh9z9m-node8 ~]# ceph auth get ceph-fuse -n client.test_auth /mnt/cephfuse/ -r / --client_fs cephfs ^C [root@ceph-amk-top-bh9z9m-node8 ~]# ^C [root@ceph-amk-top-bh9z9m-node8 ~]# ceph auth get client.test_auth [client.test_auth] key = AQCknQNnmZj8ExAAXhaEPrmyPtKzk7MMxZmjQA== caps mds = "allow r fsname=cephfs, allow rw fsname=cephfs path=/volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8/" caps mon = "allow r fsname=cephfs" caps osd = "allow rw tag cephfs data=cephfs" [root@ceph-amk-top-bh9z9m-node8 ~]# cd /mnt/cephfuse/ [root@ceph-amk-top-bh9z9m-node8 cephfuse]# touch auth_test_file touch: cannot touch 'auth_test_file': Permission denied [root@ceph-amk-top-bh9z9m-node8 cephfuse]# cd volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8/ [root@ceph-amk-top-bh9z9m-node8 33a3d82f-93b9-470d-b937-e2b20552deb8]# [root@ceph-amk-top-bh9z9m-node8 33a3d82f-93b9-470d-b937-e2b20552deb8]# touch auth_test_file touch: cannot touch 'auth_test_file': Permission denied Version-Release number of selected component (if applicable): [root@ceph-amk-top-bh9z9m-node8 dir1]# ceph versions { "mon": { "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 3 }, "mgr": { "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 2 }, "osd": { "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 16 }, "mds": { "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 5 }, "overall": { "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 26 } } How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Please specify the severity of this bug. Severity is defined here: https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat Ceph Storage 7.1 security, bug fix, enhancement, and known issue updates), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2025:1770