mon/MonCap: parse 'network ...' suffix

Allow an optional network constraint to any grant.

Signed-off-by: Sage Weil <sage@redhat.com>

diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index 05ceaaa97c4977e2a241494a0261cd53e8527d05..f4e909b8bd1f60d0fd799356786be999441df636 100644 (file)
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -113,6 +113,8 @@ ostream& operator<<(ostream& out, const MonCapGrant& m)
   }
   if (m.allow != 0)
     out << " " << m.allow;
+  if (m.network.size())
+    out << " network " << m.network;
   return out;
 }
 
@@ -127,7 +129,8 @@ BOOST_FUSION_ADAPT_STRUCT(MonCapGrant,
                          (std::string, profile)
                          (std::string, command)
                          (kvmap, command_args)
-                         (mon_rwxa_t, allow))
+                         (mon_rwxa_t, allow)
+                         (std::string, network))
 
 BOOST_FUSION_ADAPT_STRUCT(StringConstraint,
                           (StringConstraint::MatchType, match_type)
@@ -484,8 +487,9 @@ struct MonCapParser : qi::grammar<Iterator, MonCap()>
     quoted_string %=
       lexeme['"' >> +(char_ - '"') >> '"'] | 
       lexeme['\'' >> +(char_ - '\'') >> '\''];
-    unquoted_word %= +char_("a-zA-Z0-9_.-");
+    unquoted_word %= +char_("a-zA-Z0-9_./-");
     str %= quoted_string | unquoted_word;
+    network_str %= +char_("/.:a-fA-F0-9][");
 
     spaces = +(lit(' ') | lit('\n') | lit('\t'));
 
@@ -501,13 +505,15 @@ struct MonCapParser : qi::grammar<Iterator, MonCap()>
                            >> qi::attr(string()) >> qi::attr(string())
                            >> str
                            >> -(spaces >> lit("with") >> spaces >> kv_map)
-                           >> qi::attr(0);
+                           >> qi::attr(0)
+                           >> -(spaces >> lit("network") >> spaces >> network_str);
 
     // service foo rwxa
     service_match %= -spaces >> lit("allow") >> spaces >> lit("service") >> (lit('=') | spaces)
                             >> str >> qi::attr(string()) >> qi::attr(string())
                             >> qi::attr(map<string,StringConstraint>())
-                             >> spaces >> rwxa;
+                             >> spaces >> rwxa
+                            >> -(spaces >> lit("network") >> spaces >> network_str);
 
     // profile foo
     profile_match %= -spaces >> -(lit("allow") >> spaces)
@@ -516,13 +522,15 @@ struct MonCapParser : qi::grammar<Iterator, MonCap()>
                             >> str
                             >> qi::attr(string())
                             >> qi::attr(map<string,StringConstraint>())
-                            >> qi::attr(0);
+                            >> qi::attr(0)
+                            >> -(spaces >> lit("network") >> spaces >> network_str);
 
     // rwxa
     rwxa_match %= -spaces >> lit("allow") >> spaces
                          >> qi::attr(string()) >> qi::attr(string()) >> qi::attr(string())
                          >> qi::attr(map<string,StringConstraint>())
-                         >> rwxa;
+                         >> rwxa
+                         >> -(spaces >> lit("network") >> spaces >> network_str);
 
     // rwxa := * | [r][w][x]
     rwxa =
@@ -547,7 +555,7 @@ struct MonCapParser : qi::grammar<Iterator, MonCap()>
   qi::rule<Iterator, unsigned()> rwxa;
   qi::rule<Iterator, string()> quoted_string;
   qi::rule<Iterator, string()> unquoted_word;
-  qi::rule<Iterator, string()> str;
+  qi::rule<Iterator, string()> str, network_str;
 
   qi::rule<Iterator, StringConstraint()> str_match, str_prefix, str_regex;
   qi::rule<Iterator, pair<string, StringConstraint>()> kv_pair;

diff --git a/src/mon/MonCap.h b/src/mon/MonCap.h
index de3581f313c213f6a931ecbf4a7a2241d8d77ff6..5de2cb3773c4aab360ee4954675d4bfe9ef22817 100644 (file)
--- a/src/mon/MonCap.h
+++ b/src/mon/MonCap.h
@@ -80,6 +80,9 @@ struct MonCapGrant {
   std::string command;
   map<std::string,StringConstraint> command_args;
 
+  // restrict by network
+  std::string network;
+
   mon_rwxa_t allow;
 
   // explicit grants that a profile grant expands to; populated as

diff --git a/src/test/mon/moncap.cc b/src/test/mon/moncap.cc
index 38ecfca7f37814fe4098b00f5916924d8fae3874..5ac8bff13423b30f09fc0fe618fdb8b50b08e4a7 100644 (file)
--- a/src/test/mon/moncap.cc
+++ b/src/test/mon/moncap.cc
@@ -59,6 +59,13 @@ const char *parse_good[] = {
   "allow command \"foo bar\" with arg=\"baz.xx\"",
   "profile osd",
   "profile \"mds-bootstrap\", profile foo",
+  "allow * network 1.2.3.4/24",
+  "allow * network ::1/128",
+  "allow * network [aa:bb::1]/128",
+  "allow service=foo x network 1.2.3.4/16",
+  "allow command abc network 1.2.3.4/8",
+  "profile osd network 1.2.3.4/32",
+  "allow profile mon network 1.2.3.4/32",
   0
 };