]> git.apps.os.sepia.ceph.com Git - ceph.git/commitdiff
projects / ceph.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5038627)
mon/MonCap: take addr for MonCap::is_capable
authorSage Weil <sage@redhat.com>
Thu, 5 Jul 2018 16:39:48 +0000 (11:39 -0500)
committerSage Weil <sage@redhat.com>
Sun, 12 Aug 2018 22:01:05 +0000 (17:01 -0500)
Signed-off-by: Sage Weil <sage@redhat.com>
src/mgr/DaemonServer.cc patch | blob | history
src/mgr/MgrSession.h patch | blob | history
src/mon/MonCap.cc patch | blob | history
src/mon/MonCap.h patch | blob | history
src/mon/Monitor.cc patch | blob | history
src/mon/OSDMonitor.cc patch | blob | history
src/mon/Session.h patch | blob | history
src/test/mon/moncap.cc patch | blob | history

diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc
index 6515d3a52409c23d22f76894acbff69dd35eedf5..ebdacaf69011a675e04421302e04e9ee9d63b352 100644 (file)
--- a/src/mgr/DaemonServer.cc
+++ b/src/mgr/DaemonServer.cc
@@ -713,7 +713,8 @@ bool DaemonServer::_allowed_command(
     CEPH_ENTITY_TYPE_MGR,
     s->entity_name,
     module, prefix, param_str_map,
-    cmd_r, cmd_w, cmd_x);
+    cmd_r, cmd_w, cmd_x,
+    s->get_peer_addr());
 
   dout(10) << " " << s->entity_name << " "
           << (capable ? "" : "not ") << "capable" << dendl;
diff --git a/src/mgr/MgrSession.h b/src/mgr/MgrSession.h
index c921ca09ead2f298a6c5b88cddd5720a0a0f1d08..c61a80b63e7e3f19a08197d9f0cdce18ecf855d2 100644 (file)
--- a/src/mgr/MgrSession.h
+++ b/src/mgr/MgrSession.h
@@ -27,6 +27,10 @@ struct MgrSession : public RefCountedObject {
 
   explicit MgrSession(CephContext *cct) : RefCountedObject(cct, 0) {}
   ~MgrSession() override {}
+
+  const entity_addr_t& get_peer_addr() {
+    return inst.addr;
+  }
 };
 
 typedef boost::intrusive_ptr<MgrSession> MgrSessionRef;
diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index f4e909b8bd1f60d0fd799356786be999441df636..1fbf2c8200a8a68e38b435b087e0912c570f71a8 100644 (file)
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -381,18 +381,21 @@ void MonCap::set_allow_all()
   text = "allow *";
 }
 
-bool MonCap::is_capable(CephContext *cct,
-                       int daemon_type,
-                       EntityName name,
-                       const string& service,
-                       const string& command, const map<string,string>& command_args,
-                       bool op_may_read, bool op_may_write, bool op_may_exec) const
+bool MonCap::is_capable(
+  CephContext *cct,
+  int daemon_type,
+  EntityName name,
+  const string& service,
+  const string& command, const map<string,string>& command_args,
+  bool op_may_read, bool op_may_write, bool op_may_exec,
+  const entity_addr_t& addr) const
 {
   if (cct)
     ldout(cct, 20) << "is_capable service=" << service << " command=" << command
                   << (op_may_read ? " read":"")
                   << (op_may_write ? " write":"")
                   << (op_may_exec ? " exec":"")
+                  << " addr " << addr
                   << " on cap " << *this
                   << dendl;
   mon_rwxa_t allow = 0;
diff --git a/src/mon/MonCap.h b/src/mon/MonCap.h
index 5de2cb3773c4aab360ee4954675d4bfe9ef22817..b0fe6e73e335eb00720562fa3f0a5ef6cde4aac6 100644 (file)
--- a/src/mon/MonCap.h
+++ b/src/mon/MonCap.h
@@ -166,7 +166,8 @@ struct MonCap {
                  EntityName name,
                  const string& service,
                  const string& command, const map<string,string>& command_args,
-                 bool op_may_read, bool op_may_write, bool op_may_exec) const;
+                 bool op_may_read, bool op_may_write, bool op_may_exec,
+                 const entity_addr_t& addr) const;
 
   void encode(bufferlist& bl) const;
   void decode(bufferlist::const_iterator& bl);
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 50c76c32c6d82fcaa5106165ce0574976bb31870..a184381c459a5cc082629e2662e673472d0c5221 100644 (file)
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -2863,7 +2863,8 @@ bool Monitor::_allowed_command(MonSession *s, const string &module,
     CEPH_ENTITY_TYPE_MON,
     s->entity_name,
     module, prefix, param_str_map,
-    cmd_r, cmd_w, cmd_x);
+    cmd_r, cmd_w, cmd_x,
+    s->get_peer_addr());
 
   dout(10) << __func__ << " " << (capable ? "" : "not ") << "capable" << dendl;
   return capable;
diff --git a/src/mon/OSDMonitor.cc b/src/mon/OSDMonitor.cc
index 3eb2bf424edcc5cd34dd9c68a099cda841be32c8..6a7bf6234995ff756282b25b6a2e1ff10ab08257 100644 (file)
--- a/src/mon/OSDMonitor.cc
+++ b/src/mon/OSDMonitor.cc
@@ -113,17 +113,20 @@ bool is_unmanaged_snap_op_permitted(CephContext* cct,
                                     const KeyServer& key_server,
                                     const EntityName& entity_name,
                                     const MonCap& mon_caps,
+                                   const entity_addr_t& peer_socket_addr,
                                     const std::string* pool_name)
 {
   typedef std::map<std::string, std::string> CommandArgs;
 
-  if (mon_caps.is_capable(cct, CEPH_ENTITY_TYPE_MON,
-                               entity_name, "osd",
-                               "osd pool op unmanaged-snap",
-                               (pool_name == nullptr ?
-                                  CommandArgs{} /* pool DNE, require unrestricted cap */ :
-                                  CommandArgs{{"poolname", *pool_name}}),
-                                false, true, false)) {
+  if (mon_caps.is_capable(
+       cct, CEPH_ENTITY_TYPE_MON,
+       entity_name, "osd",
+       "osd pool op unmanaged-snap",
+       (pool_name == nullptr ?
+        CommandArgs{} /* pool DNE, require unrestricted cap */ :
+        CommandArgs{{"poolname", *pool_name}}),
+       false, true, false,
+       peer_socket_addr)) {
     return true;
   }
 
@@ -3340,7 +3343,8 @@ bool OSDMonitor::preprocess_remove_snaps(MonOpRequestRef op)
        cct,
        CEPH_ENTITY_TYPE_MON,
        session->entity_name,
-        "osd", "osd pool rmsnap", {}, true, true, false)) {
+        "osd", "osd pool rmsnap", {}, true, true, false,
+       session->get_peer_addr())) {
     dout(0) << "got preprocess_remove_snaps from entity with insufficient caps "
            << session->caps << dendl;
     goto ignore;
@@ -11893,6 +11897,7 @@ bool OSDMonitor::enforce_pool_op_caps(MonOpRequestRef op)
 
       if (!is_unmanaged_snap_op_permitted(cct, mon->key_server,
                                           session->entity_name, session->caps,
+                                         session->get_peer_addr(),
                                           pool_name)) {
         dout(0) << "got unmanaged-snap pool op from entity with insufficient "
                 << "privileges. message: " << *m  << std::endl
diff --git a/src/mon/Session.h b/src/mon/Session.h
index 6c97f686255fde1169bc5c7f29b5532572b81d5f..957dd5041debfad88c338654104c0b63a9e7e636 100644 (file)
--- a/src/mon/Session.h
+++ b/src/mon/Session.h
@@ -94,7 +94,12 @@ struct MonSession : public RefCountedObject {
       CEPH_ENTITY_TYPE_MON,
       entity_name,
       service, "", args,
-      mask & MON_CAP_R, mask & MON_CAP_W, mask & MON_CAP_X);
+      mask & MON_CAP_R, mask & MON_CAP_W, mask & MON_CAP_X,
+      get_peer_addr());
+  }
+
+  const entity_addr_t& get_peer_addr() {
+    return inst.addr;
   }
 };
 
diff --git a/src/test/mon/moncap.cc b/src/test/mon/moncap.cc
index 5ac8bff13423b30f09fc0fe618fdb8b50b08e4a7..93598774e8bfc24b8f11d41a8dfcb97a30939cf6 100644 (file)
--- a/src/test/mon/moncap.cc
+++ b/src/test/mon/moncap.cc
@@ -189,7 +189,7 @@ TEST(MonCap, AllowAll) {
   ASSERT_TRUE(cap.parse("allow *", NULL));
   ASSERT_TRUE(cap.is_allow_all());
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(),
-                            "foo", "asdf", map<string,string>(), true, true, true));
+                            "foo", "asdf", map<string,string>(), true, true, true, entity_addr_t()));
 
   MonCap cap2;
   ASSERT_FALSE(cap2.is_allow_all());
@@ -207,48 +207,66 @@ TEST(MonCap, ProfileOSD) {
   map<string,string> ca;
 
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "osd", "", ca, true, false, false));
+                            name, "osd", "", ca, true, false, false,
+                            entity_addr_t()));
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "osd", "", ca, true, true, false));
+                            name, "osd", "", ca, true, true, false,
+                            entity_addr_t()));
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "osd", "", ca, true, true, true));
+                            name, "osd", "", ca, true, true, true,
+                            entity_addr_t()));
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "osd", "", ca, true, true, true));
+                            name, "osd", "", ca, true, true, true,
+                            entity_addr_t()));
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "mon", "", ca, true, false,false));
+                            name, "mon", "", ca, true, false,false,
+                            entity_addr_t()));
 
   ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "mds", "", ca, true, true, true));
+                            name, "mds", "", ca, true, true, true,
+                            entity_addr_t()));
   ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "mon", "", ca, true, true, true));
+                            name, "mon", "", ca, true, true, true,
+                            entity_addr_t()));
 
   ca.clear();
   ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "", "config-key get", ca, true, true, true));
+                            name, "", "config-key get", ca, true, true, true,
+                            entity_addr_t()));
   ca["key"] = "daemon-private/osd.123";
   ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "", "config-key get", ca, true, true, true));
+                            name, "", "config-key get", ca, true, true, true,
+                            entity_addr_t()));
   ca["key"] = "daemon-private/osd.12/asdf";
   ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "", "config-key get", ca, true, true, true));
+                            name, "", "config-key get", ca, true, true, true,
+                            entity_addr_t()));
   ca["key"] = "daemon-private/osd.123/";
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "", "config-key get", ca, true, true, true));
+                            name, "", "config-key get", ca, true, true, true,
+                            entity_addr_t()));
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "", "config-key get", ca, true, true, true));
+                            name, "", "config-key get", ca, true, true, true,
+                            entity_addr_t()));
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "", "config-key get", ca, true, true, true));
+                            name, "", "config-key get", ca, true, true, true,
+                            entity_addr_t()));
   ca["key"] = "daemon-private/osd.123/foo";
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "", "config-key get", ca, true, true, true));
+                            name, "", "config-key get", ca, true, true, true,
+                            entity_addr_t()));
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "", "config-key put", ca, true, true, true));
+                            name, "", "config-key put", ca, true, true, true,
+                            entity_addr_t()));
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "", "config-key set", ca, true, true, true));
+                            name, "", "config-key set", ca, true, true, true,
+                            entity_addr_t()));
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "", "config-key exists", ca, true, true, true));
+                            name, "", "config-key exists", ca, true, true, true,
+                            entity_addr_t()));
   ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
-                            name, "", "config-key delete", ca, true, true, true));
+                            name, "", "config-key delete", ca, true, true, true,
+                            entity_addr_t()));
 }
 
 TEST(MonCap, CommandRegEx) {
@@ -259,13 +277,16 @@ TEST(MonCap, CommandRegEx) {
   EntityName name;
   name.from_str("osd.123");
   ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "",
-                             "abc", {{"arg", "12345abcde"}}, true, true, true));
+                             "abc", {{"arg", "12345abcde"}}, true, true, true,
+                            entity_addr_t()));
   ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "",
-                              "abc", {{"arg", "~!@#$"}}, true, true, true));
+                              "abc", {{"arg", "~!@#$"}}, true, true, true,
+                             entity_addr_t()));
 
   ASSERT_TRUE(cap.parse("allow command abc with arg regex \"[*\"", NULL));
   ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "",
-                              "abc", {{"arg", ""}}, true, true, true));
+                              "abc", {{"arg", ""}}, true, true, true,
+                             entity_addr_t()));
 }
 
 TEST(MonCap, ProfileBootstrapRBD) {
@@ -280,17 +301,20 @@ TEST(MonCap, ProfileBootstrapRBD) {
                                {"entity", "client.rbd"},
                                {"caps_mon", "profile rbd"},
                                {"caps_osd", "profile rbd pool=foo, profile rbd-read-only"},
-                             }, true, true, true));
+                             }, true, true, true,
+                            entity_addr_t()));
   ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
                               "auth get-or-create", {
                                 {"entity", "client.rbd"},
                                 {"caps_mon", "allow *"},
                                 {"caps_osd", "profile rbd"},
-                              }, true, true, true));
+                              }, true, true, true,
+                             entity_addr_t()));
   ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
                               "auth get-or-create", {
                                 {"entity", "client.rbd"},
                                 {"caps_mon", "profile rbd"},
                                 {"caps_osd", "profile rbd pool=foo, allow *, profile rbd-read-only"},
-                              }, true, true, true));
+                              }, true, true, true,
+                             entity_addr_t()));
 }
Unnamed repository; edit this file 'description' to name the repository.