mon: MonCap: add new profiles

Adds three new profiles:

  read-only:  able to issue all read-only (MON_CAP_R) commands.  Any
  command that may take additional caps (MON_CAP_W or MON_CAP_X) won't
  be allowed.

  read-write: able to issue all read-write (MON_CAP_R | MON_CAP_W)
  commands.  Commands that require MON_CAP_X will not be allowed.

  role-definer: solely able to issue commands on the 'auth' subsystem,
  to which all caps are given (MON_CAP_R | MON_CAP_W | MON_CAP_X).

Fixes: #8899
Signed-off-by: Joao Eduardo Luis <joao.luis@inktank.com>

diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index e8d3f7e8bb3fb851da966c2592d27b4f4901c91d..84580b9a4b804e75a50f18e70c4ef4415bbf973f 100644 (file)
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -174,6 +174,25 @@ void MonCapGrant::expand_profile(entity_name_t name) const
     profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
     profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
   }
+
+  if (profile == "read-only") {
+    // grants READ-ONLY caps monitor-wide
+    // 'auth' requires MON_CAP_X even for RO, which we do not grant here.
+    profile_grants.push_back(mon_rwxa_t(MON_CAP_R));
+  }
+
+  if (profile == "read-write") {
+    // grants READ-WRITE caps monitor-wide
+    // 'auth' requires MON_CAP_X for all operations, which we do not grant.
+    profile_grants.push_back(mon_rwxa_t(MON_CAP_R | MON_CAP_W));
+  }
+
+  if (profile == "role-definer") {
+    // grants ALL caps to the auth subsystem, read-only on the
+    // monitor subsystem and nothing else.
+    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
+    profile_grants.push_back(MonCapGrant("auth", MON_CAP_ALL));
+  }
 }
 
 mon_rwxa_t MonCapGrant::get_allowed(CephContext *cct,