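Managing file permissions
JuiceFS is fully compatible with the POSIX interface, so file permissions can be managed directly with the UIDs and GIDs of Unix-like systems.
Deployment
Taking dynamic provisioning as an example, first create the Secret: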
apiVersion: v1
kind: Secret
metadata:
  name: juicefs-secret
type: Opaque
stringData:
  name: <NAME>
  metaurl: redis://[:<PASSWORD>]@<HOST>:6379[/<DB>]
  storage: s3
  bucket: https://<BUCKET>.s3.<REGION>.amazonaws.com
  access-key: <ACCESS_KEY>
  secret-key: <SECRET_KEY>
Create the StorageClass and PersistentVolumeClaim (PVC):
kubectl apply -f - <<EOF
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: juicefs-sc
provisioner: csi.juicefs.com
parameters:
  csi.storage.k8s.io/provisioner-secret-name: juicefs-secret
  csi.storage.k8s.io/provisioner-secret-namespace: default
  csi.storage.k8s.io/node-publish-secret-name: juicefs-secret
  csi.storage.k8s.io/node-publish-secret-namespace: default
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: juicefs-pvc
  namespace: default
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Pi
  storageClassName: juicefs-sc
EOF
Setting permissions in the Pod
# The quoted 'EOF' stops the local shell from expanding $(date -u) and $(POD) before kubectl reads the manifest.
kubectl apply -f - <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: juicefs-app
spec:
  # apps/v1 requires a selector that matches the Pod template labels
  selector:
    matchLabels:
      app: juicefs-app
  template:
    metadata:
      labels:
        app: juicefs-app
    spec:
      containers:
        # Appends to the file as UID 1000, GID 3000
        - name: owner
          image: centos
          command: ["/bin/sh"]
          args: ["-c", "while true; do echo $(date -u) >> /data/out-$(POD).txt; sleep 5; done"]
          env:
            - name: POD
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          securityContext:
            runAsUser: 1000
            runAsGroup: 3000
          resources:
            limits:
              cpu: "20m"
              memory: "55M"
          volumeMounts:
            - name: data
              mountPath: /data
        # Different UID, same GID 3000 as the owner container; reads the file
        - name: group
          image: centos
          command: ["/bin/sh"]
          args: ["-c", "tail -f /data/out-$(POD).txt"]
          env:
            - name: POD
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          securityContext:
            runAsUser: 2000
            runAsGroup: 3000
          resources:
            limits:
              cpu: "20m"
              memory: "55M"
          volumeMounts:
            - name: data
              mountPath: /data
        # Different UID and GID; appends to the same file path
        - name: other
          image: centos
          command: ["/bin/sh"]
          args: ["-c", "while true; do echo $(date -u) >> /data/out-$(POD).txt; sleep 5; done"]
          env:
            - name: POD
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          securityContext:
            runAsUser: 3000
            runAsGroup: 4000
          resources:
            limits:
              cpu: "20m"
              memory: "55M"
          volumeMounts:
            - name: data
              mountPath: /data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: juicefs-pvc
EOF
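The following Python model is an added example, not part of the JuiceFS documentation: it applies the classic POSIX owner/group/other check to the runAsUser/runAsGroup values of the three containers above. It assumes the owner container creates the file first under the default umask 022 (mode 0644), and it does not model root, capabilities or ACLs.

```python
"""Added example: POSIX permission classes for the three containers."""
from dataclasses import dataclass

R, W = 4, 2  # read and write bits within one rwx triplet


@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int
    groups: tuple = ()  # supplementary GIDs (the manifest sets none)


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o644


def allowed(p: Proc, f: Inode, want: int) -> bool:
    """Exactly one class applies; a denied owner never falls through to 'other'."""
    if p.uid == f.uid:
        triplet = (f.mode >> 6) & 7   # owner class
    elif f.gid == p.gid or f.gid in p.groups:
        triplet = (f.mode >> 3) & 7   # group class
    else:
        triplet = f.mode & 7          # other class
    return triplet & want == want


# runAsUser / runAsGroup values taken from the Deployment on this page.
# Note that UID 3000 ("other") is unrelated to GID 3000: the namespaces are separate.
CONTAINERS = {
    "owner": Proc(1000, 3000),
    "group": Proc(2000, 3000),
    "other": Proc(3000, 4000),
}


def access_table(f: Inode) -> dict:
    """Map container name -> (can_read, can_write) for the given file."""
    return {n: (allowed(p, f, R), allowed(p, f, W)) for n, p in CONTAINERS.items()}


# Assumption: created by the "owner" container with umask 022, giving 0644
OUT_FILE = Inode(uid=1000, gid=3000, mode=0o666 & ~0o022)

if __name__ == "__main__":
    for name, (r, w) in access_table(OUT_FILE).items():
        print(f"{name:5} read={r} write={w}")
```

Under these assumptions only the owner container can append; tightening the mode to 0640 additionally removes read access for the other container while the group container keeps it.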