From f23b6e628555278d32327387a895f170d5a3f376 Mon Sep 17 00:00:00 2001
From: Greg Farnum <gfarnum@redhat.com>
Date: Fri, 30 Sep 2022 19:34:27 +0000
Subject: [PATCH] doc: discuss the standard multi-tenant CephFS security model

Fixes: https://tracker.ceph.com/issues/57737

Signed-off-by: Greg Farnum <gfarnum@redhat.com>
(cherry picked from commit 91e7c7de6a5ccb44e9cbf3fffe258c952f733fe8)
---
 doc/cephfs/client-auth.rst | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/doc/cephfs/client-auth.rst b/doc/cephfs/client-auth.rst
index fd0faa83963a2..a7dea52518bdd 100644
--- a/doc/cephfs/client-auth.rst
+++ b/doc/cephfs/client-auth.rst
@@ -24,6 +24,16 @@ that directory.
 To restrict clients to only mount and work within a certain directory, use
 path-based MDS authentication capabilities.
 
+Note that this restriction *only* impacts the filesystem hierarchy -- the metadata
+tree managed by the MDS. Clients will still be able to access the underlying
+file data in RADOS directly. To segregate clients fully, you must also isolate
+untrusted clients in their own RADOS namespace. You can place a client's
+filesystem subtree in a particular namespace using `file layouts`_ and then
+restrict their RADOS access to that namespace using `OSD capabilities`_
+
+.. _file layouts: ./file-layouts
+.. _OSD capabilities: ../rados/operations/user-management/#authorization-capabilities
+
 Syntax
 ------
 
-- 
2.39.5