diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-21 11:54:28 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-21 11:54:28 +0000 |
commit | e6918187568dbd01842d8d1d2c808ce16a894239 (patch) | |
tree | 64f88b554b444a49f656b6c656111a145cbbaa28 /doc/cephfs/capabilities.rst | |
parent | Initial commit. (diff) | |
download | ceph-e6918187568dbd01842d8d1d2c808ce16a894239.tar.xz ceph-e6918187568dbd01842d8d1d2c808ce16a894239.zip |
Adding upstream version 18.2.2.upstream/18.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/cephfs/capabilities.rst')
-rw-r--r-- | doc/cephfs/capabilities.rst | 182 |
1 files changed, 182 insertions, 0 deletions
diff --git a/doc/cephfs/capabilities.rst b/doc/cephfs/capabilities.rst new file mode 100644 index 000000000..79dfd3ace --- /dev/null +++ b/doc/cephfs/capabilities.rst @@ -0,0 +1,182 @@ +====================== +Capabilities in CephFS +====================== +When a client wants to operate on an inode, it will query the MDS in various +ways, which will then grant the client a set of **capabilities**. This +grants the client permissions to operate on the inode in various ways. One +of the major differences from other network file systems (e.g NFS or SMB) is +that the capabilities granted are quite granular, and it's possible that +multiple clients can hold different capabilities on the same inodes. + +Types of Capabilities +--------------------- +There are several "generic" capability bits. These denote what sort of ability +the capability grants. + +:: + + /* generic cap bits */ + #define CEPH_CAP_GSHARED 1 /* (metadata) client can read (s) */ + #define CEPH_CAP_GEXCL 2 /* (metadata) client can read and update (x) */ + #define CEPH_CAP_GCACHE 4 /* (file) client can cache reads (c) */ + #define CEPH_CAP_GRD 8 /* (file) client can read (r) */ + #define CEPH_CAP_GWR 16 /* (file) client can write (w) */ + #define CEPH_CAP_GBUFFER 32 /* (file) client can buffer writes (b) */ + #define CEPH_CAP_GWREXTEND 64 /* (file) client can extend EOF (a) */ + #define CEPH_CAP_GLAZYIO 128 /* (file) client can perform lazy io (l) */ + +These are then shifted by a particular number of bits. These denote a part of +the inode's data or metadata on which the capability is being granted: + +:: + + /* per-lock shift */ + #define CEPH_CAP_SAUTH 2 /* A */ + #define CEPH_CAP_SLINK 4 /* L */ + #define CEPH_CAP_SXATTR 6 /* X */ + #define CEPH_CAP_SFILE 8 /* F */ + +Only certain generic cap types are ever granted for some of those "shifts", +however. In particular, only the FILE shift ever has more than the first two +bits. + +:: + + | AUTH | LINK | XATTR | FILE + 2 4 6 8 + +From the above, we get a number of constants, that are generated by taking +each bit value and shifting to the correct bit in the word: + +:: + + #define CEPH_CAP_AUTH_SHARED (CEPH_CAP_GSHARED << CEPH_CAP_SAUTH) + +These bits can then be or'ed together to make a bitmask denoting a set of +capabilities. + +There is one exception: + +:: + + #define CEPH_CAP_PIN 1 /* no specific capabilities beyond the pin */ + +The "pin" just pins the inode into memory, without granting any other caps. + +Graphically: + +:: + + +---+---+---+---+---+---+---+---+ + | p | _ |As x |Ls x |Xs x | + +---+---+---+---+---+---+---+---+ + |Fs x c r w b a l | + +---+---+---+---+---+---+---+---+ + +The second bit is currently unused. + +Abilities granted by each cap +----------------------------- +While that is how capabilities are granted (and communicated), the important +bit is what they actually allow the client to do: + +* **PIN**: This just pins the inode into memory. This is sufficient to allow + the client to get to the inode number, as well as other immutable things like + major or minor numbers in a device inode, or symlink contents. + +* **AUTH**: This grants the ability to get to the authentication-related metadata. + In particular, the owner, group and mode. Note that doing a full permission + check may require getting at ACLs as well, which are stored in xattrs. + +* **LINK**: The link count of the inode. + +* **XATTR**: Ability to access or manipulate xattrs. Note that since ACLs are + stored in xattrs, it's also sometimes necessary to access them when checking + permissions. + +* **FILE**: This is the big one. This allows the client to access and manipulate + file data. It also covers certain metadata relating to file data -- the + size, mtime, atime and ctime, in particular. + +Shorthand +--------- +Note that the client logging can also present a compact representation of the +capabilities. For example: + +:: + + pAsLsXsFs + +The 'p' represents the pin. Each capital letter corresponds to the shift +values, and the lowercase letters after each shift are for the actual +capabilities granted in each shift. + +The relation between the lock states and the capabilities +--------------------------------------------------------- +In MDS there are four different locks for each inode, they are simplelock, +scatterlock, filelock and locallock. Each lock has several different lock +states, and the MDS will issue capabilities to clients based on the lock +state. + +In each state the MDS Locker will always try to issue all the capabilities to the +clients allowed, even some capabilities are not needed or wanted by the clients, +as pre-issuing capabilities could reduce latency in some cases. + +If there is only one client, usually it will be the loner client for all the inodes. +While in multiple clients case, the MDS will try to calculate a loner client out for +each inode depending on the capabilities the clients (needed | wanted), but usually +it will fail. The loner client will always get all the capabilities. + +The filelock will control files' partial metadatas' and the file contents' access +permissions. The metadatas include **mtime**, **atime**, **size**, etc. + +* **Fs**: Once a client has it, all other clients are denied **Fw**. + +* **Fx**: Only the loner client is allowed this capability. Once the lock state + transitions to LOCK_EXCL, the loner client is granted this along with all other + file capabilities except the **Fl**. + +* **Fr**: Once a client has it, the **Fb** capability will be already revoked from + all the other clients. + + If clients only request to read the file, the lock state will be transferred + to LOCK_SYNC stable state directly. All the clients can be granted **Fscrl** + capabilities from the auth MDS and **Fscr** capabilities from the replica MDSes. + + If multiple clients read from and write to the same file, then the lock state + will be transferred to LOCK_MIX stable state finally and all the clients could + have the **Frwl** capabilities from the auth MDS, and the **Fr** from the replica + MDSes. The **Fcb** capabilities won't be granted to all the clients and the + clients will do sync read/write. + +* **Fw**: If there is no loner client and once a client have this capability, the + **Fsxcb** capabilities won't be granted to other clients. + + If multiple clients read from and write to the same file, then the lock state + will be transferred to LOCK_MIX stable state finally and all the clients could + have the **Frwl** capabilities from the auth MDS, and the **Fr** from the replica + MDSes. The **Fcb** capabilities won't be granted to all the clients and the + clients will do sync read/write. + +* **Fc**: This capability means the clients could cache file read and should be + issued together with **Fr** capability and only in this use case will it make + sense. + + While actually in some stable or interim transitional states they tend to keep + the **Fc** allowed even the **Fr** capability isn't granted as this can avoid + forcing clients to drop full caches, for example on a simple file size extension + or truncating use case. + +* **Fb**: This capability means the clients could buffer file write and should be + issued together with **Fw** capability and only in this use case will it make + sense. + + While actually in some stable or interim transitional states they tend to keep + the **Fc** allowed even the **Fw** capability isn't granted as this can avoid + forcing clients to drop dirty buffers, for example on a simple file size extension + or truncating use case. + +* **Fl**: This capability means the clients could perform lazy io. LazyIO relaxes + POSIX semantics. Buffered reads/writes are allowed even when a file is opened by + multiple applications on multiple clients. Applications are responsible for managing + cache coherency themselves. |