auth: enforce read/write caps for osd_op

diff --git a/src/osd/OSD.cc b/src/osd/OSD.cc
index efaa078245aa95ee95669c912f4b5bc12a25696b..a7287b8d5f3770ae1da5a3583487068796a6b423 100644 (file)
--- a/src/osd/OSD.cc
+++ b/src/osd/OSD.cc
@@ -3751,10 +3751,6 @@ void OSD::handle_op(MOSDOp *op)
   else
     pgid = osdmap->raw_pg_to_pg(op->get_pg());
 
-  // get and lock *pg.
-  PG *pg = _have_pg(pgid) ? _lookup_lock_pg(pgid):0;
-
-
   logger->set(l_osd_buf, buffer_total_alloc.test());
 
   utime_t now = g_clock.now();
@@ -3762,10 +3758,43 @@ void OSD::handle_op(MOSDOp *op)
   // set up op flags
   init_op_flags(op);
 
+  Session *session = (Session *)op->get_connection()->get_priv();
+  if (!session) {
+    dout(0) << "WARNING: no session for op" << dendl;
+    reply_op_error(op, -EPERM);
+    return;
+  }
+
+  OSDCaps& caps = session->caps;
+  int pool = pgid.pool();
+  int perm = caps.get_pool_cap(pool);
+
+  dout(0) << "request for pool=" << pool << " perm=" << perm << " may_read=" << op->may_read() << " may_write=" << op->may_write() << dendl;
+
+  if (op->may_read()) {
+    if (!(perm & OSD_POOL_CAP_R)) {
+      dout(0) << "no READ permission to access pool " << pool << dendl;
+      reply_op_error(op, -EPERM);
+      return;
+    }
+  }
+
+  if (op->may_write()) {
+    if (!(perm & OSD_POOL_CAP_W)) {
+      dout(0) << "no WRITE permission to access pool " << pool << dendl;
+      reply_op_error(op, -EPERM);
+      return;
+    }
+  }
+
+  // get and lock *pg.
+  PG *pg = _have_pg(pgid) ? _lookup_lock_pg(pgid):0;
+
   // update qlen stats
   stat_oprate.hit(now);
   stat_ops++;
   stat_qlen += pending_ops;
+
   if (!op->may_write()) {
     stat_rd_ops++;
     if (op->get_source().is_osd()) {

diff --git a/src/testradospp.cc b/src/testradospp.cc
index 9683fbe3c65123c7b0a5dd8a475e5b64486975a0..2449999ea9ee5bdc94e140456bab110ece79a46a 100644 (file)
--- a/src/testradospp.cc
+++ b/src/testradospp.cc
@@ -48,14 +48,22 @@ int main(int argc, const char **argv)
   object_t oid("bar");
 
   rados_pool_t pool;
+
   int r = rados.open_pool("data", &pool);
   cout << "open pool result = " << r << " pool = " << pool << std::endl;
 
-  rados.write(pool, oid, 0, bl, bl.length());
-  rados.write(pool, oid, 0, bl, bl.length() - 1);
-  rados.write(pool, oid, 0, bl, bl.length() - 2);
-  rados.write(pool, oid, 0, bl, bl.length() - 3);
-  rados.write(pool, oid, 0, bl, bl.length() - 4);
+  r = rados.write(pool, oid, 0, bl, bl.length());
+  cout << "rados.write returned " << r << std::endl;
+  r = rados.write(pool, oid, 0, bl, bl.length() - 1);
+  cout << "rados.write returned " << r << std::endl;
+  r = rados.write(pool, oid, 0, bl, bl.length() - 2);
+  cout << "rados.write returned " << r << std::endl;
+  r = rados.write(pool, oid, 0, bl, bl.length() - 3);
+  cout << "rados.write returned " << r << std::endl;
+  r = rados.write(pool, oid, 0, bl, bl.length() - 4);
+  cout << "rados.write returned " << r << std::endl;
+  r = rados.read(pool, oid, 0, bl, bl.length() - 4);
+  cout << "rados.read returned " << r << std::endl;
   r = rados.exec(pool, oid, "crypto", "md5", bl, bl2);
   cout << "exec returned " << r <<  " buf size=" << bl2.length() << std::endl;
   const unsigned char *md5 = (const unsigned char *)bl2.c_str();