mon/MgrMonitor: enforce mgr caps
authorSage Weil <sage@redhat.com>
Tue, 7 Mar 2017 21:12:22 +0000 (16:12 -0500)
committerSage Weil <sage@redhat.com>
Wed, 29 Mar 2017 15:39:26 +0000 (11:39 -0400)
Require 'allow x' for mgr beacon.  Verify fsid.

Signed-off-by: Sage Weil <sage@redhat.com>
src/mon/MgrMonitor.cc
src/mon/MgrMonitor.h

index 871478a7b3e67c08df787dbf96a3e4676b8dabcd..3e59d0ecb3694593147ee527b0755f5c42a714c1 100644 (file)
@@ -67,6 +67,24 @@ void MgrMonitor::encode_pending(MonitorDBStore::TransactionRef t)
   put_last_committed(t, pending_map.epoch);
 }
 
+bool MgrMonitor::check_caps(MonOpRequestRef op, const uuid_d& fsid)
+{
+  // check permissions
+  MonSession *session = op->get_session();
+  if (!session)
+    return false;
+  if (!session->is_capable("mgr", MON_CAP_X)) {
+    dout(1) << __func__ << " insufficient caps " << session->caps << dendl;
+    return false;
+  }
+  if (fsid != mon->monmap->fsid) {
+    dout(1) << __func__ << " op fsid " << fsid
+           << " != " << mon->monmap->fsid << dendl;
+    return false;
+  }
+  return true;
+}
+
 bool MgrMonitor::preprocess_query(MonOpRequestRef op)
 {
   PaxosServiceMessage *m = static_cast<PaxosServiceMessage*>(op->get_req());
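Review bot: The `!session` branch in check_caps returns false without logging, while the caps and fsid rejections both emit a `dout(1)` line, so a beacon dropped for lack of a session leaves no trace for anyone auditing rejected mgr traffic. Adding `dout(1) << __func__ << " no session" << dendl;` before that `return false;` would make all three rejection paths visible. The two existing messages record the caps and the fsid but not who sent the op; including the sender's identity, if the session or request exposes it, would make these lines usable for spotting a misconfigured or unauthorized client. A short comment above the function saying that it returns true only when the session holds `MON_CAP_X` on "mgr" and the fsid matches the monmap would also help.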
@@ -123,6 +141,10 @@ bool MgrMonitor::preprocess_beacon(MonOpRequestRef op)
   MMgrBeacon *m = static_cast<MMgrBeacon*>(op->get_req());
   dout(4) << "beacon from " << m->get_gid() << dendl;
 
+  if (!check_caps(op, m->get_fsid())) {
+    return true;
+  }
+
   last_beacon[m->get_gid()] = ceph_clock_now();
 
   if (pending_map.active_gid == m->get_gid()
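Review bot: The `return true;` after a failed check_caps reads like success and deserves a comment stating that the beacon is dropped with no reply and before `last_beacon` is refreshed, e.g. `// not authorized or wrong cluster: drop without reply, leave last_beacon untouched`. That wording assumes the usual preprocess convention that true means the op is finished, which is not visible in this hunk. The placement ahead of the `last_beacon` update is the security-relevant part, since it keeps an unauthorized sender from refreshing a liveness timestamp, so the comment should say so to stop a later edit from moving the check down. preprocess_beacon's body continues outside the hunk, so it cannot be confirmed from here whether the corresponding prepare step depends on this check having run; if that step can be reached on its own, it should call check_caps as well.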
index bfddba5943aced02f752a26008a54ef96488b272..7e5fbce5438d2d004ccb46bb3fca0a41ddb915e0 100644 (file)
@@ -36,6 +36,8 @@ class MgrMonitor : public PaxosService
 
   Context *digest_callback;
 
+  bool check_caps(MonOpRequestRef op, const uuid_d& fsid);
+
 public:
   MgrMonitor(Monitor *mn, Paxos *p, const string& service_name)
     : PaxosService(mn, p, service_name), digest_callback(nullptr)