cephfs: Do not check auth gid when not specified

author Douglas Fuller <dfuller@redhat.com>

Thu, 2 Nov 2017 20:30:17 +0000 (16:30 -0400)

committer Douglas Fuller <dfuller@redhat.com>

Fri, 3 Nov 2017 16:40:48 +0000 (12:40 -0400)
author Douglas Fuller <dfuller@redhat.com>
Thu, 2 Nov 2017 20:30:17 +0000 (16:30 -0400)
committer Douglas Fuller <dfuller@redhat.com>
Fri, 3 Nov 2017 16:40:48 +0000 (12:40 -0400)
diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc

index e22e449cd42218a5a1e8946064f5b0cd30abc19f..1f819827f3004df5fa89070d58c4cd0632d82609 100644 (file)
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -116,19 +116,21 @@ bool MDSCapMatch::match(const std::string &target_path,
    if (uid != MDS_AUTH_UID_ANY) {
      if (uid != caller_uid)
        return false;
-    bool gid_matched = false;
-    if (std::find(gids.begin(), gids.end(), caller_gid) != gids.end())
-      gid_matched = true;
-    if (caller_gid_list) {
-      for (auto i = caller_gid_list->begin(); i != caller_gid_list->end(); ++i) {
-       if (std::find(gids.begin(), gids.end(), *i) != gids.end()) {
-         gid_matched = true;
-         break;
+    if (!gids.empty()) {
+      bool gid_matched = false;
+      if (std::find(gids.begin(), gids.end(), caller_gid) != gids.end())
+       gid_matched = true;
+      if (caller_gid_list) {
+       for (auto i = caller_gid_list->begin(); i != caller_gid_list->end(); ++i) {
+         if (std::find(gids.begin(), gids.end(), *i) != gids.end()) {
+           gid_matched = true;
+           break;
+         }
         }
        }
+      if (!gid_matched)
+       return false;
      }
-    if (!gid_matched)
-      return false;
    }
  
    if (!match_path(target_path)) {
diff --git a/src/test/mds/TestMDSAuthCaps.cc b/src/test/mds/TestMDSAuthCaps.cc

index f01760fbce62f1de8ce2ea037a95ea89f177da6d..fabb7857895051c97f57fe2bad53c9be31f9e5b6 100644 (file)
--- a/src/test/mds/TestMDSAuthCaps.cc
+++ b/src/test/mds/TestMDSAuthCaps.cc
@@ -115,6 +115,19 @@ TEST(MDSAuthCaps, AllowAll) {
  }
  
  TEST(MDSAuthCaps, AllowUid) {
+  MDSAuthCaps cap(g_ceph_context);
+  ASSERT_TRUE(cap.parse(g_ceph_context, "allow * uid=10", NULL));
+  ASSERT_FALSE(cap.allow_all());
+
+  // uid/gid must be valid
+  ASSERT_FALSE(cap.is_capable("foo", 0, 0, 0777, 0, 0, NULL, MAY_READ, 0, 0));
+  ASSERT_TRUE(cap.is_capable("foo", 0, 0, 0777, 10, 0, NULL, MAY_READ, 0, 0));
+  ASSERT_TRUE(cap.is_capable("foo", 0, 0, 0777, 10, 10, NULL, MAY_READ, 0, 0));
+  ASSERT_FALSE(cap.is_capable("foo", 0, 0, 0777, 12, 12, NULL, MAY_READ, 0, 0));
+  ASSERT_TRUE(cap.is_capable("foo", 0, 0, 0777, 10, 13, NULL, MAY_READ, 0, 0));
+}
+
+TEST(MDSAuthCaps, AllowUidGid) {
    MDSAuthCaps cap(g_ceph_context);
    ASSERT_TRUE(cap.parse(g_ceph_context, "allow * uid=10 gids=10,11,12; allow * uid=12 gids=12,10", NULL));
    ASSERT_FALSE(cap.allow_all());
author	Douglas Fuller <dfuller@redhat.com>
	Thu, 2 Nov 2017 20:30:17 +0000 (16:30 -0400)
committer	Douglas Fuller <dfuller@redhat.com>
	Fri, 3 Nov 2017 16:40:48 +0000 (12:40 -0400)
src/mds/MDSAuthCaps.cc		patch \| blob \| history
src/test/mds/TestMDSAuthCaps.cc		patch \| blob \| history