cephfs: disallow removing root_squash via "fs authorize" cmd

Removing root_squasn from MDS auth caps through "fs authorize" command
should not be allowed as this command it not allowed to/meant for
removing caps.

Fixes: https://tracker.ceph.com/issues/65808
Signed-off-by: Rishabh Dave <ridave@redhat.com>

diff --git a/qa/tasks/cephfs/test_admin.py b/qa/tasks/cephfs/test_admin.py
index a321c0e3457a64e2f5b548e4a50ee0fb8fcbf431..83700aecd42a3500150b6e7b039416caece5d643 100644 (file)
--- a/qa/tasks/cephfs/test_admin.py
+++ b/qa/tasks/cephfs/test_admin.py
@@ -2145,9 +2145,6 @@ class TestFsAuthorizeUpdate(CephFSTestCase):
                 caps mon = "allow r fsname=a"
                 caps osd = "allow rw tag cephfs data=a"
         """
-        self.skipTest('this test is broken ATM, see '
-                      'https://tracker.ceph.com/issues/65808')
-
         PERM, PATH = 'rw', 'dir1'
         self.mount_a.run_shell(f'mkdir {PATH}')
         self.captester = CapTester(self.mount_a, PATH)

diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index 5e4bd995175c263c5ded004a2d2594b3592ebe49..0cde876143a8ba486e2bf69d7f28cc2d97cda1b2 100644 (file)
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -410,7 +410,11 @@ bool MDSAuthCaps::merge_one_cap_grant(MDSCapGrant ng)
       // fsname and path match but value of root_squash is different. update
       // its value.
       if (g.match.root_squash != ng.match.root_squash) {
-       g.match.root_squash = ng.match.root_squash;
+       // "fs authorize" command is not allowed to deduct caps. so, we can add
+       // but not remove root_squash from MDS auth caps.
+       if (g.match.root_squash == false) {
+         g.match.root_squash = ng.match.root_squash;
+       }
       }
 
       // Since fsname and path matched and either perm/spec or root_squash