mon: MonCommands.h: have 'auth' read-only operations require 'x' cap
authorJoao Eduardo Luis <joao.luis@inktank.com>
Thu, 3 Apr 2014 17:21:08 +0000 (18:21 +0100)
committerSage Weil <sage@inktank.com>
Fri, 4 Apr 2014 19:51:27 +0000 (12:51 -0700)
This reintroduces the same semantics that were in place in dumpling prior
to the refactoring of the cap/command matching code.

We haven't added this requirement to auth read-write operations as that
would have the potential to break a lot of well-configured keyrings once
the users upgraded, without any significant gain -- we assume that if
they have set 'rw' caps on a given entity, they are indeed expecting said
entity to be a sort-of-privileged entity with regard to monitor access.

Fixes: #7919
Signed-off-by: Joao Eduardo Luis <joao.luis@inktank.com>
Reviewed-by: Sage Weil <sage@inktank.com>
doc/release-notes.rst
src/mon/MonCommands.h

index 1ee61e7630a7673277f39118583e38349372a07d..ccf0998d9bc6b086bc002a09e4c03a97b77884c9 100644 (file)
@@ -512,6 +512,17 @@ Upgrading
   no longer included in the listxattr(2) results to prevent problems with
   'cp -a' and similar tools.
 
+* Monitor 'auth' read-only commands now expect the user to have 'rx' caps.
+  This is the same behavior that was present in dumpling, but in emperor
+  and more recent development releases the 'r' cap was sufficient.  The
+  affected commands are::
+
+    ceph auth export
+    ceph auth get
+    ceph auth get-key
+    ceph auth print-key
+    ceph auth list
+
 Notable Changes
 ---------------
 * ceph-conf: stop creating bogus log files (Josh Durgin, Sage Weil)
index 02228dd78c17619ffd6a62eba31899c3b2ed5af3..a8e138afd23c34e081515b381298d430513a42be 100644 (file)
@@ -152,16 +152,16 @@ COMMAND("pg set_nearfull_ratio name=ratio,type=CephFloat,range=0.0|1.0", \
 
 COMMAND("auth export name=entity,type=CephString,req=false", \
                "write keyring for requested entity, or master keyring if none given", \
-       "auth", "r", "cli,rest")
+       "auth", "rx", "cli,rest")
 COMMAND("auth get name=entity,type=CephString", \
-       "write keyring file with requested key", "auth", "r", "cli,rest")
+       "write keyring file with requested key", "auth", "rx", "cli,rest")
 COMMAND("auth get-key name=entity,type=CephString", "display requested key", \
-       "auth", "r", "cli,rest")
+       "auth", "rx", "cli,rest")
 COMMAND("auth print-key name=entity,type=CephString", "display requested key", \
-       "auth", "r", "cli,rest")
+       "auth", "rx", "cli,rest")
 COMMAND("auth print_key name=entity,type=CephString", "display requested key", \
-       "auth", "r", "cli,rest")
-COMMAND("auth list", "list authentication state", "auth", "r", "cli,rest")
+       "auth", "rx", "cli,rest")
+COMMAND("auth list", "list authentication state", "auth", "rx", "cli,rest")
 COMMAND("auth import", "auth import: read keyring file from -i <file>", \
        "auth", "rw", "cli,rest")
 COMMAND("auth add " \
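Review bot: Nothing in MonCommands.h records why the read-only `auth` commands now carry `"rx"` while `auth import` just below stays `"rw"`, and the commit message implies this requirement was already dropped once during the cap/command matching refactor. A comment above `auth export` would guard against a repeat, e.g. `/* read-only auth commands return key material: require 'x' as well as 'r' (#7919) */`. The hunk also changes the `auth print_key` alias, which the release-note list in this commit leaves out; operators auditing keyrings for entities that hold only `r` on the monitor would want it listed. The `auth add` definition on the last line continues outside the hunk.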