Bug 2316919 - Different behavior in permissions handling for paths with trailing slashes between 7.1 and 8.0.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: CephFS
Version: 7.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 7.1z3
Assignee: Kotresh HR
QA Contact: Hemanth Kumar
URL:
Whiteboard:
Depends On:
Blocks: 2317530
Reported: 2024-10-07 09:49 UTC by Amarnath
Modified: 2025-02-24 15:41 UTC (History)

Fixed In Version: ceph-18.2.1-293.el9cp
Doc Type: Bug Fix
Doc Text:
.user can now access files as per the permission on a given path whether the path used to authorize has trailing / or not

Previously, due to a bug in the mds auth caps matching code while matching the path with a trailing /, the users could not create files under the path even though the user was authorized with RW permission on the path. This happened only when the path used to authorize has a trailing `/`.

For example,

    ceph fs authorize cephfs client.user / r /volumes/ rw

Here the user `client.user` could not create files under `/volumes` even with `rw` permission.

With this fix, the bug in the mds auth caps matching code is fixed for target path with trailing / and the user can now access files as per the permission on a given path whether the path used to authorize has trailing / or not.
Clone Of:
: 2317530 (view as bug list)
Environment:
Last Closed: 2025-02-24 15:41:50 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Ceph Project Bug Tracker | 68455 | 0 | None | None | None | 2024-10-14 10:06:58 UTC
Red Hat Issue Tracker | RHCEPH-9925 | 0 | None | None | None | 2024-10-07 09:49:22 UTC
Red Hat Product Errata | RHBA-2025:1770 | 0 | None | None | None | 2025-02-24 15:41:58 UTC

Description Amarnath 2024-10-07 09:49:01 UTC
Description of problem:
There is a difference in the behavior of permissions handling when dealing with paths that have a trailing slash between versions 7.1 and 8.0.

In version 8.0: Permissions are applied directly to the specified path. For example, if a user has rw (read/write) permissions to the path /volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/, they can create files and folders directly within this directory.

In version 7.1: Permissions are applied differently. Users cannot create files or folders directly within the path, but they can create files and folders in subdirectories under the path. 

1. Assign rw permissions to a path such as /volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/.
2. Attempt to create a file or folder directly within this path:
   - In 8.0, this works as expected.
   - In 7.1, the file or folder creation fails unless it is within a subdirectory.


Test steps on 8.0: 
[root@ceph-amk-nfs-h8x293-node11 ~]# ceph fs subvolume create cephfs subvol_1
[root@ceph-amk-nfs-h8x293-node11 ~]# 
[root@ceph-amk-nfs-h8x293-node11 ~]# 
[root@ceph-amk-nfs-h8x293-node11 ~]# ceph fs subvolume getpath cephfs subvol_1
/volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227
[root@ceph-amk-nfs-h8x293-node11 ~]# ceph fs authorize cephfs client.test_auth / r /volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/ rw
[client.test_auth]
	key = AQDIzgJnd/vbIhAAYWa38+Yqeky9lJKY4oLgtg==
	caps mds = "allow r fsname=cephfs, allow rw fsname=cephfs path=/volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/"
	caps mon = "allow r fsname=cephfs"
	caps osd = "allow rw tag cephfs data=cephfs"
[root@ceph-amk-nfs-h8x293-node11 ~]# 
[root@ceph-amk-nfs-h8x293-node11 ~]# 
[root@ceph-amk-nfs-h8x293-node11 ~]# mkdir /mnt/cephfuse
[root@ceph-amk-nfs-h8x293-node11 ~]# ceph auth get client.test_auth -o /etc/ceph/ceph.client.test_auth.keyring 
[root@ceph-amk-nfs-h8x293-node11 ~]# 
[root@ceph-amk-nfs-h8x293-node11 ~]# ceph-fuse -n client.test_auth /mnt/cephfuse/ -r / --client_fs cephfs 
2024-10-06T13:55:41.303-0400 7fe331d53480 -1 init, newargv = 0x55ae1392be40 newargc=15
ceph-fuse[11272]: starting ceph client
ceph-fuse[11272]: starting fuse
[root@ceph-amk-nfs-h8x293-node11 ~]# 
[root@ceph-amk-nfs-h8x293-node11 ~]# cd /mnt/cephfuse/
[root@ceph-amk-nfs-h8x293-node11 cephfuse]# ls
volumes
[root@ceph-amk-nfs-h8x293-node11 cephfuse]# touch auth_test_file
touch: cannot touch 'auth_test_file': Permission denied
[root@ceph-amk-nfs-h8x293-node11 cephfuse]# cd volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/
[root@ceph-amk-nfs-h8x293-node11 c6b9ef66-8107-4622-ba8a-cb809d92e227]# touch auth_test_file
[root@ceph-amk-nfs-h8x293-node11 c6b9ef66-8107-4622-ba8a-cb809d92e227]# 


In 7.1: 
[root@ceph-amk-top-bh9z9m-node8 ~]# ceph fs subvolume getpath cephfs subvol_1
/volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8
[root@ceph-amk-top-bh9z9m-node8 ~]# ceph fs authorize cephfs client.test_auth / r /volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8/ rw
[client.test_auth]
	key = AQCknQNnmZj8ExAAXhaEPrmyPtKzk7MMxZmjQA==
[root@ceph-amk-top-bh9z9m-node8 ~]# ceph auth get client.test_auth -o /etc/ceph/ceph.client.test_auth.keyring 
[root@ceph-amk-top-bh9z9m-node8 ~]#  mkdir /mnt/cephfuse
[root@ceph-amk-top-bh9z9m-node8 ~]# ceph-fuse -n client.test_auth /mnt/cephfuse/ -r / --client_fs cephfs 
2024-10-07T04:37:07.430-0400 7fd06d40b480 -1 init, newargv = 0x7fd05c004bd0 newargc=15
ceph-fuse[6552]: starting ceph client
ceph-fuse[6552]: starting fuse
[root@ceph-amk-top-bh9z9m-node8 ~]# ceph auth get ceph-fuse -n client.test_auth /mnt/cephfuse/ -r / --client_fs cephfs ^C
[root@ceph-amk-top-bh9z9m-node8 ~]# ^C
[root@ceph-amk-top-bh9z9m-node8 ~]# ceph auth get client.test_auth
[client.test_auth]
	key = AQCknQNnmZj8ExAAXhaEPrmyPtKzk7MMxZmjQA==
	caps mds = "allow r fsname=cephfs, allow rw fsname=cephfs path=/volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8/"
	caps mon = "allow r fsname=cephfs"
	caps osd = "allow rw tag cephfs data=cephfs"
[root@ceph-amk-top-bh9z9m-node8 ~]# cd /mnt/cephfuse/
[root@ceph-amk-top-bh9z9m-node8 cephfuse]# touch auth_test_file
touch: cannot touch 'auth_test_file': Permission denied
[root@ceph-amk-top-bh9z9m-node8 cephfuse]# cd volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8/
[root@ceph-amk-top-bh9z9m-node8 33a3d82f-93b9-470d-b937-e2b20552deb8]# 
[root@ceph-amk-top-bh9z9m-node8 33a3d82f-93b9-470d-b937-e2b20552deb8]# touch auth_test_file
touch: cannot touch 'auth_test_file': Permission denied


Version-Release number of selected component (if applicable):

[root@ceph-amk-top-bh9z9m-node8 dir1]# ceph versions
{
    "mon": {
        "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 3
    },
    "mgr": {
        "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 2
    },
    "osd": {
        "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 16
    },
    "mds": {
        "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 5
    },
    "overall": {
        "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 26
    }
}
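
The trailing-slash behaviour reported above, reduced to a small model (an added example, not Ceph's MDS code and not part of the original report; the function names are hypothetical and the matcher is an assumed prefix-on-component-boundary check). A cap path kept with its trailing `/` is not a prefix of the directory's own path, so the directory is denied while its subdirectories match; stripping the trailing slash before matching restores both.

```cpp
#include <iostream>
#include <string_view>

// Illustrative model of path-restricted cap matching; NOT Ceph's source code.
// All names here are hypothetical. Paths are absolute; the target is the
// directory being written into and never carries a trailing '/'.

// Takes the cap path literally, trailing '/' included.
bool match_path_literal(std::string_view cap, std::string_view target) {
  if (cap.empty()) return true;                           // no path restriction
  if (target.substr(0, cap.size()) != cap) return false;  // must be a prefix
  // Without a trailing '/', require a component boundary so that
  // cap "/foo" does not match target "/food".
  if (target.size() > cap.size() && cap.back() != '/' &&
      target[cap.size()] != '/')
    return false;
  return true;
}

// Same check after dropping trailing slashes from the cap path ("/" is kept).
bool match_path_normalized(std::string_view cap, std::string_view target) {
  while (cap.size() > 1 && cap.back() == '/') cap.remove_suffix(1);
  return match_path_literal(cap, target);
}

// Paths taken from the 7.1 reproduction above; "dir1" is a constructed child.
constexpr std::string_view kCap =
    "/volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8/";
constexpr std::string_view kDir =
    "/volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8";
constexpr std::string_view kSub =
    "/volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8/dir1";

int main() {
  std::cout << std::boolalpha
            << "literal,    dir itself: " << match_path_literal(kCap, kDir) << '\n'
            << "literal,    subdir:     " << match_path_literal(kCap, kSub) << '\n'
            << "normalized, dir itself: " << match_path_normalized(kCap, kDir) << '\n'
            << "normalized, subdir:     " << match_path_normalized(kCap, kSub) << '\n'
            << "normalized, sibling:    "
            << match_path_normalized("/volumes/", "/volumes2") << '\n';
  return 0;
}
```

According to the Doc Text, the denial occurs only when the path used to authorize ends in `/`, and the fix is listed under Fixed In Version as ceph-18.2.1-293.el9cp.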




Comment 1 Storage PM bot 2024-10-07 09:49:13 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 19 errata-xmlrpc 2025-02-24 15:41:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 7.1 security, bug fix, enhancement, and known issue updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2025:1770

