
Manage file permissions

JuiceFS is fully POSIX-compatible, so file permissions can be managed directly with the UID/GID model of Unix-like systems.

Deployment

Using dynamic provisioning as an example, first create the Secret:

apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: <NAME>
  metaurl: redis://[:<PASSWORD>]@<HOST>:6379[/<DB>]
  storage: s3
  bucket: https://<BUCKET>.s3.<REGION>.amazonaws.com
  access-key: <ACCESS_KEY>
  secret-key: <SECRET_KEY>

Create the StorageClass and PersistentVolumeClaim (PVC):

kubectl apply -f - <<EOF
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: juicefs-sc
provisioner: csi.juicefs.com
parameters:
  csi.storage.k8s.io/provisioner-secret-name: juicefs-secret
  csi.storage.k8s.io/provisioner-secret-namespace: default
  csi.storage.k8s.io/node-publish-secret-name: juicefs-secret
  csi.storage.k8s.io/node-publish-secret-namespace: default
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: juicefs-pvc
  namespace: default
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Pi
  storageClassName: juicefs-sc
EOF

Set permissions in the pod

# The heredoc delimiter is quoted so that $(date -u) and $(POD) reach the
# container unexpanded instead of being substituted by the local shell.
kubectl apply -f - <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: juicefs-app
spec:
  # A selector with matching pod labels is required by apps/v1 Deployments;
  # the label value is assumed here, it is not given on the original page.
  selector:
    matchLabels:
      app: juicefs-app
  template:
    metadata:
      labels:
        app: juicefs-app
    spec:
      containers:
      # owner: creates the file, so it becomes the file's owner (1000:3000)
      - name: owner
        image: centos
        command: ["/bin/sh"]
        args: ["-c", "while true; do echo $(date -u) >> /data/out-$(POD).txt; sleep 5; done"]
        env:
        - name: POD
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        securityContext:
          runAsUser: 1000
          runAsGroup: 3000
        resources:
          limits:
            cpu: "20m"
            memory: "55M"
        volumeMounts:
        - name: data
          mountPath: /data
      # group: different user, same group as the file; may only read
      - name: group
        image: centos
        command: ["/bin/sh"]
        args: ["-c", "tail -f /data/out-$(POD).txt"]
        env:
        - name: POD
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        securityContext:
          runAsUser: 2000
          runAsGroup: 3000
        resources:
          limits:
            cpu: "20m"
            memory: "55M"
        volumeMounts:
        - name: data
          mountPath: /data
      # other: neither owner nor in the file's group; the append must fail
      - name: other
        image: centos
        command: ["/bin/sh"]
        args: ["-c", "while true; do echo $(date -u) >> /data/out-$(POD).txt; sleep 5; done"]
        env:
        - name: POD
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        securityContext:
          runAsUser: 3000
          runAsGroup: 4000
        resources:
          limits:
            cpu: "20m"
            memory: "55M"
        volumeMounts:
        - name: data
          mountPath: /data
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: juicefs-pvc
EOF

Verify file permissions in the volume

The owner container runs as user 1000 and group 3000. Check that the file it creates is owned by user 1000 and group 3000 and has mode -rw-r--r--, because the umask is 0022:

>> kubectl exec -it juicefs-app-perms-7c6c95b68-76g8g -c owner -- id
uid=1000 gid=3000 groups=3000
>> kubectl exec -it juicefs-app-perms-7c6c95b68-76g8g -c owner -- umask
0022
>> kubectl exec -it juicefs-app-perms-7c6c95b68-76g8g -c owner -- ls -l /data
total 707088
-rw-r--r-- 1 1000 3000 3780 Aug 9 11:23 out-juicefs-app-perms-7c6c95b68-76g8g.txt

The group container runs as user 2000 and group 3000. Check that the file is readable by other users in its group:

>> kubectl exec -it juicefs-app-perms-7c6c95b68-76g8g -c group -- id
uid=2000 gid=3000 groups=3000
>> kubectl logs juicefs-app-perms-7c6c95b68-76g8g group
Fri Aug 9 10:08:32 UTC 2019
Fri Aug 9 10:08:37 UTC 2019
...

The other container runs as user 3000 and group 4000. Check that the file is not writable by a user outside its group:

>> kubectl exec -it juicefs-app-perms-7c6c95b68-76g8g -c other -- id
uid=3000 gid=4000 groups=4000
>> kubectl logs juicefs-app-perms-7c6c95b68-76g8g -c other
/bin/sh: /data/out-juicefs-app-perms-7c6c95b68-76g8g.txt: Permission denied
...
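The three checks above can be reproduced without a cluster by modelling the two POSIX rules at work: the mode a new file receives (the 0666 requested by a shell redirection, masked by the umask) and the kernel's access check, which selects exactly one class (owner, then group, then other) for the calling UID/GID and never unions them. The Python below is an added example, not code from the JuiceFS documentation or the CSI driver; the `Inode` model, the function names and the extra 0044 case are constructed for illustration, and root (CAP_DAC_OVERRIDE), ACLs and supplementary groups set through `fsGroup` are deliberately not modelled.

```python
"""Model of the POSIX rules behind the owner/group/other checks on this page.
Added example, not JuiceFS code. Numbers mirror the page: file 1000:3000, umask 0022."""
import stat
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class (rwx)


@dataclass(frozen=True)
class Inode:
    """Ownership and permission bits a POSIX filesystem stores per file (constructed model)."""
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o644


def create_mode(requested: int, umask: int) -> int:
    """Mode of a newly created file: the bits requested by open(2) (0o666 for a
    regular file created by `>>`) minus every bit set in the process umask."""
    return requested & ~umask & 0o777


def mode_string(mode: int) -> str:
    """Render permission bits the way `ls -l` prints them for a regular file."""
    return stat.filemode(stat.S_IFREG | mode)


def can_access(inode: Inode, uid: int, gid: int, want: int, groups: tuple = ()) -> bool:
    """POSIX discretionary access check (root and ACLs ignored): exactly ONE class
    is chosen from the caller's identity, owner first, then group, then other, and
    every requested bit must be present in that class. Classes are never unioned."""
    if uid == inode.uid:
        bits = (inode.mode >> 6) & 0o7
    elif gid == inode.gid or inode.gid in groups:
        bits = (inode.mode >> 3) & 0o7
    else:
        bits = inode.mode & 0o7
    return bits & want == want


def page_scenario() -> dict:
    """Replay the three containers of the Deployment against the file the owner
    container creates. The `other` container's uid 3000 equals the file's gid 3000,
    but uid and gid are separate namespaces, so it still falls into the other class."""
    out_file = Inode(uid=1000, gid=3000, mode=create_mode(0o666, 0o022))
    return {
        "ls_mode": mode_string(out_file.mode),               # -rw-r--r--
        "owner_write": can_access(out_file, 1000, 3000, W),  # owner keeps appending
        "group_read": can_access(out_file, 2000, 3000, R),   # group container can tail
        "group_write": can_access(out_file, 2000, 3000, W),  # group class has no w bit
        "other_read": can_access(out_file, 3000, 4000, R),
        "other_write": can_access(out_file, 3000, 4000, W),  # "Permission denied"
    }


def first_class_wins() -> tuple:
    """Edge case (constructed): mode 0o044 on a 1000:3000 file. The owner is denied
    read although group and other may read, because the owner class is selected
    and never widened by the other classes."""
    f = Inode(uid=1000, gid=3000, mode=0o044)
    return can_access(f, 1000, 3000, R), can_access(f, 2000, 3000, R)


if __name__ == "__main__":
    for key, value in page_scenario().items():
        print(f"{key:12} {value}")
    print("umask 0077 would give", mode_string(create_mode(0o666, 0o077)))
    print("owner read, group read with mode 0044:", first_class_wins())
```

The `create_mode` helper also shows the hardening lever the page's umask remark points at: a container with `umask 0077` creates `-rw-------` files, so the group container could no longer read them even though it shares the group.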