mon: apply 'r' and 'w' caps to osdmap

Signed-off-by: Sage Weil <sage@inktank.com>

diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 14adfc04714838dbd079e751d20bb81dd1d45534..db71858e756cb3e9ccdffba2b7829789482a547f 100644 (file)
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -1143,11 +1143,6 @@ void Monitor::handle_command(MMonCommand *m)
       return;
     }
     if (m->cmd[0] == "osd") {
-      if (!session->caps.get_allow_all() && !_allowed_command(session, m->cmd)) {
-       r = -EACCES;
-       rs = "access denied";
-       goto out;
-      }
       osdmon()->dispatch(m);
       return;
     }

diff --git a/src/mon/OSDMonitor.cc b/src/mon/OSDMonitor.cc
index e9ef7ceb7342588b75c2687e5d7062bf43b6cd2f..38f61a65655fb95b1b5be897a71b8d9a80bc542b 100644 (file)
--- a/src/mon/OSDMonitor.cc
+++ b/src/mon/OSDMonitor.cc
@@ -1441,6 +1441,15 @@ bool OSDMonitor::preprocess_command(MMonCommand *m)
   bufferlist rdata;
   stringstream ss;
 
+  MonSession *session = m->get_session();
+  if (!session ||
+      (!session->caps.get_allow_all() &&
+       !session->caps.check_privileges(PAXOS_OSDMAP, MON_CAP_R) &&
+       !mon->_allowed_command(session, m->cmd))) {
+    mon->reply_command(m, -EACCES, "access denied", rdata, paxos->get_version());
+    return true;
+  }
+
   vector<const char*> args;
   for (unsigned i = 1; i < m->cmd.size(); i++)
     args.push_back(m->cmd[i].c_str());
@@ -1721,6 +1730,16 @@ bool OSDMonitor::prepare_command(MMonCommand *m)
   stringstream ss;
   string rs;
   int err = -EINVAL;
+
+  MonSession *session = m->get_session();
+  if (!session ||
+      (!session->caps.get_allow_all() &&
+       !session->caps.check_privileges(PAXOS_OSDMAP, MON_CAP_W) &&
+       !mon->_allowed_command(session, m->cmd))) {
+    mon->reply_command(m, -EACCES, "access denied", paxos->get_version());
+    return true;
+  }
+
   if (m->cmd.size() > 1) {
     if ((m->cmd.size() == 2 && m->cmd[1] == "setcrushmap") ||
        (m->cmd.size() == 3 && m->cmd[1] == "crush" && m->cmd[2] == "set")) {