&network_prefix);
}
-void MgrCapGrant::expand_profile() const {
+void MgrCapGrant::expand_profile(std::ostream *err) const {
// only generate this list once
if (!profile_grants.empty()) {
return;
for (auto& [key, constraint] : arguments) {
if (key == "pool" || key == "namespace") {
filtered_arguments[key] = std::move(constraint);
+ } else {
+ if (err != nullptr) {
+ *err << "profile '" << profile << "' does not recognize key '" << key
+ << "'";
+ }
+ return;
}
}
std::move(filtered_arguments), perms});
return;
}
+
+ if (err != nullptr) {
+ *err << "unrecognized profile '" << profile << "'";
+ }
}
bool MgrCapGrant::validate_arguments(
const std::string& m, const std::string& c,
const std::map<std::string, std::string>& args) const {
if (!profile.empty()) {
- expand_profile();
+ expand_profile(nullptr);
mgr_rwxa_t a;
for (auto& grant : profile_grants) {
a = a | grant.get_allowed(cct, name, s, m, c, args);
bool r = qi::parse(iter, end, exp, *this);
if (r && iter == end) {
text = str;
+
+ std::stringstream profile_err;
for (auto& g : grants) {
g.parse_network();
+
+ if (!g.profile.empty()) {
+ g.expand_profile(&profile_err);
+ }
+ }
+
+ if (!profile_err.str().empty()) {
+ if (err != nullptr) {
+ *err << "mgr capability parse failed during profile evaluation: "
+ << profile_err.str();
+ }
+ return false;
}
return true;
}
"\tallow\nrwx\t",
"allow service=foo x",
"allow service=\"froo\" x",
- "allow profile osd",
- "allow profile osd-bootstrap",
- "allow profile \"mds-bootstrap\", allow *",
+ "allow profile read-only",
+ "allow profile read-write",
+ "allow profile \"rbd-read-only\", allow *",
"allow command \"a b c\"",
"allow command abc",
"allow command abc with arg=foo",
"allow command \"foo bar\" with arg=\"baz\"",
"allow command \"foo bar\" with arg=\"baz.xx\"",
"allow command \"foo bar\" with arg = \"baz.xx\"",
- "profile osd",
+ "profile crash",
"profile rbd pool=ABC namespace=NS",
- "profile \"mds-bootstrap\", profile foo",
+ "profile \"rbd-read-only\", profile crash",
"allow * network 1.2.3.4/24",
"allow * network ::1/128",
"allow * network [aa:bb::1]/128",
"allow service=foo x network 1.2.3.4/16",
"allow command abc network 1.2.3.4/8",
- "profile osd network 1.2.3.4/32",
- "allow profile mon network 1.2.3.4/32",
+ "profile crash network 1.2.3.4/32",
+ "allow profile crash network 1.2.3.4/32",
0
};
"allow r",
"allow rwx",
"allow service foo x",
- "profile osd",
- "profile osd-bootstrap",
- "profile mds-bootstrap, allow *",
- "profile \"foo bar\", allow *",
+ "profile crash",
+ "profile rbd-read-only, allow *",
"profile rbd namespace=NS pool=ABC",
"allow command abc",
"allow command \"a b c\"",
MgrCap cap;
ASSERT_FALSE(cap.is_allow_all());
+ ASSERT_FALSE(cap.parse("profile unknown"));
+ ASSERT_FALSE(cap.parse("profile rbd invalid-key=value"));
+
ASSERT_TRUE(cap.parse("profile rbd", nullptr));
ASSERT_FALSE(cap.is_capable(nullptr, {}, "", "abc", "", {}, true, false,
false, {}));
projects / ceph-ci.git / commitdiff