mon/AuthMonitor: don't validate fs caps on authorize

The monitor will have no idea how to validate fs caps during `fs
authorize`. Instead, validate solely the built osd and mds caps.

Signed-off-by: Joao Eduardo Luis <joao@suse.de>
(cherry picked from commit 4db0b88)

diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index 89d2669e0e77e4e08b64fc4015328980f1f2fb39..e40497ae42a7a8609e3db7076ff05a114f0a5bf3 100644 (file)
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -1043,6 +1043,35 @@ int AuthMonitor::do_osd_new(
   return 0;
 }
 
+bool AuthMonitor::valid_caps(
+    const string& type,
+    const string& caps,
+    ostream *out)
+{
+  if (type == "mon" || type == "mgr") {
+    MonCap tmp;
+    if (!tmp.parse(caps, out)) {
+      return false;
+    }
+  } else if (type == "osd") {
+    OSDCap ocap;
+    if (!ocap.parse(caps, out)) {
+      return false;
+    }
+  } else if (type == "mds") {
+    MDSAuthCaps mdscap;
+    if (!mdscap.parse(g_ceph_context, caps, out)) {
+      return false;
+    }
+  } else {
+    if (out) {
+      *out << "unknown cap type '" << type << "'";
+    }
+    return false;
+  }
+  return true;
+}
+
 bool AuthMonitor::valid_caps(const vector<string>& caps, ostream *out)
 {
   for (vector<string>::const_iterator p = caps.begin();
@@ -1051,23 +1080,7 @@ bool AuthMonitor::valid_caps(const vector<string>& caps, ostream *out)
       *out << "cap '" << *p << "' has no value";
       return false;
     }
-    if (*p == "mon" || *p == "mgr") {
-      MonCap tmp;
-      if (!tmp.parse(*(p+1), out)) {
-       return false;
-      }
-    } else if (*p == "osd") {
-      OSDCap ocap;
-      if (!ocap.parse(*(p+1), out)) {
-       return false;
-      }
-    } else if (*p == "mds") {
-      MDSAuthCaps mdscap;
-      if (!mdscap.parse(g_ceph_context, *(p+1), out)) {
-       return false;
-      }
-    } else {
-      *out << "unknown cap type '" << *p << "'";
+    if (!valid_caps(*p, *(p+1), out)) {
       return false;
     }
   }
@@ -1355,11 +1368,6 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
     string mds_cap_string, osd_cap_string;
     string osd_cap_wanted = "r";
 
-    if (!valid_caps(caps_vec, &ss)) {
-      err = -EINVAL;
-      goto done;
-    }
-
     for (auto it = caps_vec.begin();
         it != caps_vec.end() && (it + 1) != caps_vec.end();
         it += 2) {
@@ -1401,6 +1409,12 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
       { "mds", _encode_cap(mds_cap_string) }
     };
 
+    if (!valid_caps("osd", osd_cap_string, &ss) ||
+       !valid_caps("mds", mds_cap_string, &ss)) {
+      err = -EINVAL;
+      goto done;
+    }
+
     EntityAuth entity_auth;
     if (mon->key_server.get_auth(entity, entity_auth)) {
       for (const auto &sys_cap : wanted_caps) {

diff --git a/src/mon/AuthMonitor.h b/src/mon/AuthMonitor.h
index 01e4208c9b5ddb2f2c3a6f63fbd0d62b3bad8467..d06509da5efb96657e9b7938a7d0d368f8d2fdfc 100644 (file)
--- a/src/mon/AuthMonitor.h
+++ b/src/mon/AuthMonitor.h
@@ -129,8 +129,8 @@ private:
     pending_auth.push_back(inc);
   }
 
-  /* validate mon/osd/mds caps ; don't care about caps for other services as
-   * we don't know how to validate them */
+  /* validate mon/osd/mds caps; fail on unrecognized service/type */
+  bool valid_caps(const string& type, const string& caps, ostream *out);
   bool valid_caps(const vector<string>& caps, ostream *out);
 
   void on_active() override;