Set chmod on new CephFS volumes #5588

@remram44

Description

Describe the feature you'd like to have

Background: I would like to give some people direct access to their volumes from the CephFS (outside of Kubernetes).

Problem: I need them to not automatically get access to all CephFS volumes just because they have rx (read&traverse) on /volumes/csi.

I observe that currently, the volume for a PV is created at e.g. volumes/csi/csi-vol-17141cca-6ffb-4b6b-9807-e7617cf49c5d/4e1716d7-cc8c-4a05-a399-4056a7d90fe1 where both the csi-vol-xxx-xxx and the inner yyy-yyy folder have o+rx. This means that if I give a user rx (read&traverse) permission to volumes/csi so they can access volumes/csi/csi-vol-xxx, when a new PV gets provisioned at volumes/csi-vol-www, they will be able to read it too.

I understand why the inner yyy folder needs to have open permissions (the app mounting it needs to have access), however since there is already a two-level hierarchy csi-vol-xxx/yyy, would it be possible to set a more restrictive permission on the outer csi-vol-xxx folder on creation?

What is the value to the end user? (why is it a priority?)

The most common deployment for CephFS is to have a single filesystem that is used in multiple different ways. Giving access to CSI volumes in another way is likely to be needed in a variety of scenarios (to populate them, to export them, to back them up, ...).

How will we know we have a good solution? (acceptance criteria)

There should be a way to give a user access to one volume without exposing ALL volumes.

Additional context

I am giving permissions to specific users via setfacl.
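As an added example (not code from the issue author or from ceph-csi), the following shell script audits the layout described above and applies by hand the restriction the issue asks for: it lists every csi-vol-* directory directly under the base whose other-execute bit is set, clears o+rx on those outer directories, and leaves the inner directory untouched so the mounting pod is unaffected. The tree it runs against is constructed in a temporary directory as a stand-in for /volumes/csi; the names csi-vol-aaaa, csi-vol-bbbb, inner-uuid and all function names are assumptions. grant_user_rx wraps the setfacl call the author mentions and is not invoked in the demo because ACL support depends on the filesystem.

```shell
#!/bin/sh
# Added example, not ceph-csi code. Audits and tightens the outer csi-vol-*
# directories described in the issue. Assumes find with -mindepth/-maxdepth
# (GNU and BSD) and POSIX chmod. The tree below is constructed in a temp dir
# as a stand-in for /volumes/csi on a real CephFS mount.
set -eu

# list_world_traversable BASE: print each csi-vol-* directory directly under
# BASE whose "other" execute bit (octal 001) is set, i.e. any user who can
# traverse BASE can enter it. With the default o+rx layout every volume shows.
list_world_traversable() {
  find "$1" -mindepth 1 -maxdepth 1 -type d -name 'csi-vol-*' -perm -001 | sort
}

# harden_outer_dirs BASE: clear rx for "other" on every csi-vol-* directory
# under BASE. The inner <uuid> directory keeps its open mode, so the pod that
# mounts the volume is unaffected; only traversal of the outer dir is removed.
harden_outer_dirs() {
  find "$1" -mindepth 1 -maxdepth 1 -type d -name 'csi-vol-*' -exec chmod o-rx {} +
}

# grant_user_rx USER DIR: re-open one outer directory for a single user with a
# POSIX ACL (the setfacl approach the issue mentions). Not run in the demo
# below because ACL support depends on the filesystem.
grant_user_rx() {
  setfacl -m "u:$1:rx" "$2"
}

# make_demo_tree: build a constructed stand-in for /volumes/csi and print its
# path. Volume and inner names are hypothetical; modes mimic what the issue
# reports (o+rx on both levels).
make_demo_tree() {
  base=$(mktemp -d)
  for vol in csi-vol-aaaa csi-vol-bbbb; do
    mkdir -p "$base/$vol/inner-uuid"
    chmod 755 "$base/$vol" "$base/$vol/inner-uuid"   # o+rx, as provisioned today
  done
  chmod 755 "$base"                                   # the rx granted on /volumes/csi
  printf '%s\n' "$base"
}

# count_exposed BASE: number of csi-vol-* directories another user could enter.
count_exposed() {
  list_world_traversable "$1" | wc -l | tr -d ' '
}

demo_base=$(make_demo_tree)
echo "exposed before: $(count_exposed "$demo_base")"   # 2
harden_outer_dirs "$demo_base"
echo "exposed after:  $(count_exposed "$demo_base")"   # 0
rm -rf "$demo_base"
```

Run it against the CephFS mount as a user who owns the csi-vol-* directories (typically root on the admin host). This only fixes volumes that already exist; until the driver changes its create-time mode, every newly provisioned PV comes back with o+rx on the outer directory and the audit has to be repeated, which is the gap the issue describes.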
