mds: Make min/max UID configurable for who is allowed to create a snapshot

This way administrators can configure which UIDs are allowed to create
snapshots on CephFS.

In certain situations it might be desirable that regular users are not allowed
to create snapshots. For example on shared hosting environments.

Fixes: #9029

diff --git a/src/common/config_opts.h b/src/common/config_opts.h
index d73e5dcc0674783da5e8ef43f269b1fcf88f1927..ee4353f2af93b9ccd1c299f5d6ab325c70c7bb36 100644 (file)
--- a/src/common/config_opts.h
+++ b/src/common/config_opts.h
@@ -383,6 +383,8 @@ OPTION(mds_op_history_size, OPT_U32, 20)    // Max number of completed ops to tr
 OPTION(mds_op_history_duration, OPT_U32, 600) // Oldest completed op to track
 OPTION(mds_op_complaint_time, OPT_FLOAT, 30) // how many seconds old makes an op complaint-worthy
 OPTION(mds_op_log_threshold, OPT_INT, 5) // how many op log messages to show in one go
+OPTION(mds_snap_min_uid, OPT_U32, 0) // The minimum UID required to create a snapshot
+OPTION(mds_snap_max_uid, OPT_U32, 65536) // The maximum UID allowed to create a snapshot
 
 // If true, compact leveldb store on mount
 OPTION(osd_compact_leveldb_on_mount, OPT_BOOL, false)

diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index 394c7edff1b917dcbc115a90b81f1ef1bca845f7..dbf0f07da33e636e4562eb3dc121924eb2b2eac1 100644 (file)
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -7370,8 +7370,15 @@ void Server::handle_client_mksnap(MDRequestRef& mdr)
     reply_request(mdr, -EPERM);
     return;
   }
-
+  
   const string &snapname = req->get_filepath().last_dentry();
+
+  if (mdr->client_request->get_caller_uid() < g_conf->mds_snap_min_uid || mdr->client_request->get_caller_uid() > g_conf->mds_snap_max_uid) {
+    dout(20) << "mksnap " << snapname << " on " << *diri << " denied to uid " << mdr->client_request->get_caller_uid() << dendl;
+    reply_request(mdr, -EPERM);
+    return;
+  }
+  
   dout(10) << "mksnap " << snapname << " on " << *diri << dendl;
 
   // lock snap