MDSAuthCaps: add logic for group bits check

Signed-off-by: Nishtha Rai <nishtha3rai@gmail.com>

diff --git a/qa/workunits/fs/test_auth_caps.sh b/qa/workunits/fs/test_auth_caps.sh
index 20e36f15e3fd564858db8acb3af9b1eb9555530e..8e7d7e38cbcaf181ebe714a74b7da6765eebe43c 100644 (file)
--- a/qa/workunits/fs/test_auth_caps.sh
+++ b/qa/workunits/fs/test_auth_caps.sh
@@ -3,15 +3,17 @@
 cleanup()
 {
        echo "*** Restoring to old state"
-       sudo rm -rf mnt.admin/foo1 mnt.admin/foo2 mnt.admin/foo3 mnt.admin/foo4
+       sudo rm -rf mnt.admin/foo1 mnt.admin/foo2 mnt.admin/foo3 mnt.admin/foo4 mnt.admin/foo5 mnt.admin/foo6
        fusermount -u mnt.admin
        fusermount -u mnt.foo
-       rmdir mnt.admin mnt.foo
+       fusermount -u mnt.grp
+       rmdir mnt.admin mnt.foo mnt.grp
+       rm keyring.foo keyring.grp
 }
 trap cleanup INT TERM EXIT
 
 echo "*** Creating directories for mount"
-mkdir -p mnt.admin mnt.foo
+mkdir -p mnt.admin mnt.foo mnt.grp
 
 
 echo "*** Trying mount as admin"
@@ -27,17 +29,32 @@ eval $AUTH
 ./ceph auth import -i keyring.foo
 ./ceph-fuse mnt.foo -n client.foo -k keyring.foo
 
+
+echo "*** Trying mount as client.grp"
+GID="$(id -g)"
+GRP_AUTH_TEMPLATE='./ceph-authtool -C keyring.grp -n client.grp --cap osd "allow rw" --cap mon "allow rw" --cap mds "allow rw uid=UID gids=GID" --gen-key'
+GRP_AUTH="$(echo $GRP_AUTH_TEMPLATE | sed -e 's/UID/'$UID'/g')"
+GRP_AUTH="$(echo $GRP_AUTH | sed -e 's/GID/'$GID'/g')"
+eval $GRP_AUTH
+./ceph auth import -i keyring.grp
+./ceph-fuse mnt.grp -n client.grp -k keyring.grp
+
+
 echo "*** Creating directories for client.admin"
 sudo mkdir -m 777 mnt.admin/foo1
 sudo mkdir -m 700 mnt.admin/foo2
 sudo mkdir -m 755 mnt.admin/foo3
 sudo mkdir -m 755 mnt.admin/foo4
+sudo mkdir -m 775 mnt.admin/foo5
+sudo mkdir -m 755 mnt.admin/foo6
 
 echo "*** Granting ownership of directories to other users"
 sudo chown $USER mnt.admin/foo1
 sudo chown $USER mnt.admin/foo2
 sudo chown $USER mnt.admin/foo3
 sudo chown $OTH_UID mnt.admin/foo4
+sudo chgrp $GID mnt.admin/foo5
+sudo chgrp $GID mnt.admin/foo6
 
 echo "*** Testing auth checks"
 expect_false()
@@ -49,5 +66,7 @@ mkdir mnt.foo/foo1/asdf
 expect_false mkdir mnt.foo/foo2/asdf
 mkdir mnt.foo/foo3/asdf
 expect_false mkdir mnt.foo/foo4/asdf
+mkdir mnt.grp/foo5/asdf
+expect_false mkdir mnt.grp/foo6/asdf
 
 

diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index 89c61d1285e3785397f06978a9330f3de2689ff7..17682ac80be81623aea03466128d1fe2e568473c 100644 (file)
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -160,6 +160,12 @@ bool MDSAuthCaps::is_capable(const std::string &inode_path,
           (!(mask & MAY_EXECUTE) || (inode_mode & S_IXUSR))) {
           return true;
         }
+      } else if (std::find(i->match.gids.begin(), i->match.gids.end(), inode_gid) != i->match.gids.end()) {
+        if ((!(mask & MAY_READ) || (inode_mode & S_IRGRP)) &&
+          (!(mask & MAY_WRITE) || (inode_mode & S_IWGRP)) &&
+          (!(mask & MAY_EXECUTE) || (inode_mode & S_IXGRP))) {
+          return true;
+        }
       } else {
         if ((!(mask & MAY_READ) || (inode_mode & S_IROTH)) &&
           (!(mask & MAY_WRITE) || (inode_mode & S_IWOTH)) &&
@@ -167,13 +173,6 @@ bool MDSAuthCaps::is_capable(const std::string &inode_path,
           return true;
         }
       }
-
-         // use fcntl.h macros for the file mode:
-         //  S_IRUSR  S_IRGRP  S_ROTH
-         //  S_IWUSR  S_IWGRP  S_WOTH
-         //  S_IXUSR  S_IXGRP  S_XOTH
-
-         // WRITE ME
     }
   }