mds: Fix multifs auth caps check

The fsname is not take into consideration while validating
the access check for the operations. This patch fixes
the same.

Fixes: https://tracker.ceph.com/issues/72167
Signed-off-by: Kotresh HR <khiremat@redhat.com>

diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index 70fa29a58f59bb186dc2e04b9fdebe834dd851fd..f3e6f59d3b8c8c825c223d8d044ad9f86c6fd6e9 100644 (file)
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -130,11 +130,16 @@ void MDSCapMatch::normalize_path()
   // drop ..
 }
 
-bool MDSCapMatch::match(string_view target_path,
+bool MDSCapMatch::match(string_view fs_name,
+                        string_view target_path,
                        const int caller_uid,
                        const int caller_gid,
                        const vector<uint64_t> *caller_gid_list) const
 {
+  if (!match_fs(fs_name)) {
+    return false;
+  }
+
   if (uid != MDS_AUTH_UID_ANY) {
     if (uid != caller_uid)
       return false;
@@ -221,7 +226,8 @@ bool MDSAuthCaps::path_capable(string_view inode_path) const
  * This is true if any of the 'grant' clauses in the capability match the
  * requested path + op.
  */
-bool MDSAuthCaps::is_capable(string_view inode_path,
+bool MDSAuthCaps::is_capable(string_view fs_name,
+                             string_view inode_path,
                             uid_t inode_uid, gid_t inode_gid,
                             unsigned inode_mode,
                             uid_t caller_uid, gid_t caller_gid,
@@ -230,7 +236,7 @@ bool MDSAuthCaps::is_capable(string_view inode_path,
                             uid_t new_uid, gid_t new_gid,
                             const entity_addr_t& addr) const
 {
-  ldout(g_ceph_context, 10) << __func__ << " inode(path /" << inode_path
+  ldout(g_ceph_context, 10) << __func__ << "fs_name " << fs_name << " inode(path /" << inode_path
                 << " owner " << inode_uid << ":" << inode_gid
                 << " mode 0" << std::oct << inode_mode << std::dec
                 << ") by caller " << caller_uid << ":" << caller_gid
@@ -248,7 +254,7 @@ bool MDSAuthCaps::is_capable(string_view inode_path,
       continue;
     }
 
-    if (grant.match.match(inode_path, caller_uid, caller_gid, caller_gid_list) &&
+    if (grant.match.match(fs_name, inode_path, caller_uid, caller_gid, caller_gid_list) &&
        grant.spec.allows(mask & (MAY_READ|MAY_EXECUTE), mask & MAY_WRITE)) {
       if (grant.match.root_squash && ((caller_uid == 0) || (caller_gid == 0)) &&
           (mask & MAY_WRITE)) {

diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index d63b7dbaeac1d366d0729ef8ac7bcffa34df7aa7..2f5d71dcd30f014a17ed9d9557378de1fae0a38e 100644 (file)
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
@@ -143,7 +143,8 @@ struct MDSCapMatch {
   }
 
   // check whether this grant matches against a given file and caller uid:gid
-  bool match(std::string_view target_path,
+  bool match(std::string_view fs_name,
+             std::string_view target_path,
             const int caller_uid,
             const int caller_gid,
             const std::vector<uint64_t> *caller_gid_list) const;
@@ -266,7 +267,8 @@ public:
   bool merge(MDSAuthCaps newcaps);
 
   bool allow_all() const;
-  bool is_capable(std::string_view inode_path,
+  bool is_capable(std::string_view fs_name,
+                  std::string_view inode_path,
                  uid_t inode_uid, gid_t inode_gid, unsigned inode_mode,
                  uid_t uid, gid_t gid, const std::vector<uint64_t> *caller_gid_list,
                  unsigned mask, uid_t new_uid, gid_t new_gid,

diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index 605c4fb7eacd655c6ff3ae1bbbd84cfe61158067..173a250d608b86de53b5c4ebcb47d99ff78f25a4 100644 (file)
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -3471,8 +3471,9 @@ void Server::handle_peer_auth_pin_ack(const MDRequestRef& mdr, const cref_t<MMDS
 bool Server::check_access(const MDRequestRef& mdr, CInode *in, unsigned mask)
 {
   if (mdr->session) {
+    std::string_view fs_name = mds->mdsmap->get_fs_name();
     int r = mdr->session->check_access(
-      in, mask,
+      fs_name, in, mask,
       mdr->client_request->get_caller_uid(),
       mdr->client_request->get_caller_gid(),
       &mdr->client_request->get_caller_gid_list(),

diff --git a/src/mds/SessionMap.cc b/src/mds/SessionMap.cc
index 0fb1e1a74598598204d8aace205a630b82b49f8e..8dfdafff71375c88bd4bc5b4f6e414db5e507d6d 100644 (file)
--- a/src/mds/SessionMap.cc
+++ b/src/mds/SessionMap.cc
@@ -1086,7 +1086,7 @@ void Session::decode(bufferlist::const_iterator &p)
   _update_human_name();
 }
 
-int Session::check_access(CInode *in, unsigned mask,
+int Session::check_access(std::string_view fs_name, CInode *in, unsigned mask,
                          int caller_uid, int caller_gid,
                          const vector<uint64_t> *caller_gid_list,
                          int new_uid, int new_gid)
@@ -1137,7 +1137,7 @@ int Session::check_access(CInode *in, unsigned mask,
     return -EIO;
   }
 
-  if (!auth_caps.is_capable(path, inode->uid, inode->gid, inode->mode,
+  if (!auth_caps.is_capable(fs_name, path, inode->uid, inode->gid, inode->mode,
                            caller_uid, caller_gid, caller_gid_list, mask,
                            new_uid, new_gid,
                            info.inst.addr)) {

diff --git a/src/mds/SessionMap.h b/src/mds/SessionMap.h
index eb61fe7b0b5734f7e7003d3a537eef438b21ee15..c9db8ebba5a754d6a2c73eb597cc4e4889b3cc19 100644 (file)
--- a/src/mds/SessionMap.h
+++ b/src/mds/SessionMap.h
@@ -381,7 +381,7 @@ public:
     completed_requests_dirty = false;
   }
 
-  int check_access(CInode *in, unsigned mask, int caller_uid, int caller_gid,
+  int check_access(std::string_view fs_name, CInode *in, unsigned mask, int caller_uid, int caller_gid,
                   const std::vector<uint64_t> *gid_list, int new_uid, int new_gid);
 
   bool fs_name_capable(std::string_view fs_name, unsigned mask) const {