
Bug 2316919

Summary: Different behavior in permissions handling for paths with trailing slashes between 7.1 and 8.0.
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Amarnath <amk>
Component: CephFS
Assignee: Kotresh HR <khiremat>
Status: CLOSED ERRATA
QA Contact: Hemanth Kumar <hyelloji>
Severity: high
Priority: unspecified
Version: 7.1
CC: ceph-eng-bugs, cephqe-warriors, dwalveka, gfarnum, khiremat, ngangadh, tserlin, vshankar
Keywords: Automation, Regression
Target Release: 7.1z3
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ceph-18.2.1-293.el9cp
Doc Type: Bug Fix
Doc Text:
.Users can now access files according to the permissions on a given path, whether or not the path used to authorize has a trailing `/`

Previously, due to a bug in the MDS auth caps matching code when matching a path with a trailing `/`, users could not create files under the path even though they were authorized with `rw` permission on the path. This happened only when the path used to authorize had a trailing `/`. For example:

    ceph fs authorize cephfs client.user / r /volumes/ rw

Here the user `client.user` could not create files under `/volumes` even with `rw` permission.

With this fix, the bug in the MDS auth caps matching code is fixed for target paths with a trailing `/`, and users can now access files according to the permissions on a given path whether or not the path used to authorize has a trailing `/`.
Last Closed: 2025-02-24 15:41:50 UTC
Type: Bug
Bug Blocks: 2317530

Description Amarnath 2024-10-07 09:49:01 UTC
Description of problem:
There is a difference in the behavior of permissions handling when dealing with paths that have a trailing slash between versions 7.1 and 8.0.

In version 8.0: Permissions are applied directly to the specified path. For example, if a user has rw (read/write) permissions to the path /volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/, they can create files and folders directly within this directory.

In version 7.1: Permissions are applied differently. Users cannot create files or folders directly within the path, but they can create files and folders in subdirectories under the path. 

Assign rw permissions to a path such as /volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/.
Attempt to create a file or folder directly within this path:
In 8.0, this works as expected.
In 7.1, the file or folder creation fails unless it is within a subdirectory.


Test steps on 8.0: 
[root@ceph-amk-nfs-h8x293-node11 ~]# ceph fs subvolume create cephfs subvol_1
[root@ceph-amk-nfs-h8x293-node11 ~]# 
[root@ceph-amk-nfs-h8x293-node11 ~]# 
[root@ceph-amk-nfs-h8x293-node11 ~]# ceph fs subvolume getpath cephfs subvol_1
/volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227
[root@ceph-amk-nfs-h8x293-node11 ~]# ceph fs authorize cephfs client.test_auth / r /volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/ rw
[client.test_auth]
	key = AQDIzgJnd/vbIhAAYWa38+Yqeky9lJKY4oLgtg==
	caps mds = "allow r fsname=cephfs, allow rw fsname=cephfs path=/volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/"
	caps mon = "allow r fsname=cephfs"
	caps osd = "allow rw tag cephfs data=cephfs"
[root@ceph-amk-nfs-h8x293-node11 ~]# 
[root@ceph-amk-nfs-h8x293-node11 ~]# 
[root@ceph-amk-nfs-h8x293-node11 ~]# mkdir /mnt/cephfuse
[root@ceph-amk-nfs-h8x293-node11 ~]# ceph auth get client.test_auth -o /etc/ceph/ceph.client.test_auth.keyring 
[root@ceph-amk-nfs-h8x293-node11 ~]# 
[root@ceph-amk-nfs-h8x293-node11 ~]# ceph-fuse -n client.test_auth /mnt/cephfuse/ -r / --client_fs cephfs 
2024-10-06T13:55:41.303-0400 7fe331d53480 -1 init, newargv = 0x55ae1392be40 newargc=15
ceph-fuse[11272]: starting ceph client
ceph-fuse[11272]: starting fuse
[root@ceph-amk-nfs-h8x293-node11 ~]# 
[root@ceph-amk-nfs-h8x293-node11 ~]# cd /mnt/cephfuse/
[root@ceph-amk-nfs-h8x293-node11 cephfuse]# ls
volumes
[root@ceph-amk-nfs-h8x293-node11 cephfuse]# touch auth_test_file
touch: cannot touch 'auth_test_file': Permission denied
[root@ceph-amk-nfs-h8x293-node11 cephfuse]# cd volumes/_nogroup/subvol_1/c6b9ef66-8107-4622-ba8a-cb809d92e227/
[root@ceph-amk-nfs-h8x293-node11 c6b9ef66-8107-4622-ba8a-cb809d92e227]# touch auth_test_file
[root@ceph-amk-nfs-h8x293-node11 c6b9ef66-8107-4622-ba8a-cb809d92e227]# 


In 7.1: 
[root@ceph-amk-top-bh9z9m-node8 ~]# ceph fs subvolume getpath cephfs subvol_1
/volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8
[root@ceph-amk-top-bh9z9m-node8 ~]# ceph fs authorize cephfs client.test_auth / r /volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8/ rw
[client.test_auth]
	key = AQCknQNnmZj8ExAAXhaEPrmyPtKzk7MMxZmjQA==
[root@ceph-amk-top-bh9z9m-node8 ~]# ceph auth get client.test_auth -o /etc/ceph/ceph.client.test_auth.keyring 
[root@ceph-amk-top-bh9z9m-node8 ~]#  mkdir /mnt/cephfuse
[root@ceph-amk-top-bh9z9m-node8 ~]# ceph-fuse -n client.test_auth /mnt/cephfuse/ -r / --client_fs cephfs 
2024-10-07T04:37:07.430-0400 7fd06d40b480 -1 init, newargv = 0x7fd05c004bd0 newargc=15
ceph-fuse[6552]: starting ceph client
ceph-fuse[6552]: starting fuse
[root@ceph-amk-top-bh9z9m-node8 ~]# ceph auth get ceph-fuse -n client.test_auth /mnt/cephfuse/ -r / --client_fs cephfs ^C
[root@ceph-amk-top-bh9z9m-node8 ~]# ^C
[root@ceph-amk-top-bh9z9m-node8 ~]# ceph auth get client.test_auth
[client.test_auth]
	key = AQCknQNnmZj8ExAAXhaEPrmyPtKzk7MMxZmjQA==
	caps mds = "allow r fsname=cephfs, allow rw fsname=cephfs path=/volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8/"
	caps mon = "allow r fsname=cephfs"
	caps osd = "allow rw tag cephfs data=cephfs"
[root@ceph-amk-top-bh9z9m-node8 ~]# cd /mnt/cephfuse/
[root@ceph-amk-top-bh9z9m-node8 cephfuse]# touch auth_test_file
touch: cannot touch 'auth_test_file': Permission denied
[root@ceph-amk-top-bh9z9m-node8 cephfuse]# cd volumes/_nogroup/subvol_1/33a3d82f-93b9-470d-b937-e2b20552deb8/
[root@ceph-amk-top-bh9z9m-node8 33a3d82f-93b9-470d-b937-e2b20552deb8]# 
[root@ceph-amk-top-bh9z9m-node8 33a3d82f-93b9-470d-b937-e2b20552deb8]# touch auth_test_file
touch: cannot touch 'auth_test_file': Permission denied


Version-Release number of selected component (if applicable):

[root@ceph-amk-top-bh9z9m-node8 dir1]# ceph versions
{
    "mon": {
        "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 3
    },
    "mgr": {
        "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 2
    },
    "osd": {
        "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 16
    },
    "mds": {
        "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 5
    },
    "overall": {
        "ceph version 18.2.1-251.el9cp (81688db791aa982863476facb32440cb7210c828) reef (stable)": 26
    }
}
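
A minimal model of the failure mode this bug describes, added here as an example; it is not part of the original report and is not taken from Ceph's MDS source. It contrasts a matcher that uses the authorized path verbatim as a string prefix with one that strips trailing slashes and matches on path-component boundaries; the function names and sample paths are constructed, and paths are assumed to be canonical.

```cpp
#include <iostream>
#include <string>

// Illustrative model only; not Ceph's MDS source. Assumes canonical paths
// (no "." or ".." components) and targets passed as the MDS would see them.

// Naive matcher: the cap path is used verbatim as a string prefix.
bool match_raw_prefix(const std::string& cap, const std::string& target) {
    return target.compare(0, cap.size(), cap) == 0;
}

// Drop trailing slashes but keep a lone "/" (the filesystem root).
std::string strip_trailing_slashes(std::string p) {
    while (p.size() > 1 && p.back() == '/') p.pop_back();
    return p;
}

// Normalized matcher: strip trailing slashes, then require the match to end
// on a path-component boundary.
bool match_component_prefix(const std::string& cap_in, const std::string& target_in) {
    const std::string cap = strip_trailing_slashes(cap_in);
    const std::string target = strip_trailing_slashes(target_in);
    if (cap.empty() || cap == "/") return true;   // root cap covers every path
    if (target.compare(0, cap.size(), cap) != 0) return false;
    return target.size() == cap.size() || target[cap.size()] == '/';
}

int main() {
    // Constructed sample data: {cap path, target path}.
    const char* cases[][2] = {
        {"/volumes/a/", "/volumes/a"},       // create directly in the directory
        {"/volumes/a/", "/volumes/a/dir1"},  // create in a subdirectory
        {"/volumes/a",  "/volumes/ab"},      // sibling sharing a string prefix
        {"/volumes/a/", "/"},                // outside the rw cap
    };
    std::cout << std::boolalpha;
    for (const auto& c : cases)
        std::cout << "cap=" << c[0] << " target=" << c[1]
                  << " raw=" << match_raw_prefix(c[0], c[1])
                  << " normalized=" << match_component_prefix(c[0], c[1]) << "\n";
    return 0;
}
```

The first two cases reproduce the 7.1 symptom (denied in the directory itself, allowed in a subdirectory); the third shows why the normalized matcher still needs the component-boundary check so that a cap on one directory does not extend to a sibling with the same string prefix.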




Comment 1 Storage PM bot 2024-10-07 09:49:13 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 19 errata-xmlrpc 2025-02-24 15:41:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 7.1 security, bug fix, enhancement, and known issue updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2025:1770