mon: push down 'auth ...' command auth checks
authorSage Weil <sage@inktank.com>
Wed, 23 May 2012 00:59:22 +0000 (17:59 -0700)
committerSage Weil <sage@inktank.com>
Wed, 23 May 2012 01:31:47 +0000 (18:31 -0700)
Signed-off-by: Sage Weil <sage@inktank.com>
src/mon/AuthMonitor.cc
src/mon/Monitor.cc

index fe192d0d4a98ecf889e5e59f43138db96b3a3d87..cf71fc5fb4c899535f3b89333c7e7ae2dcbfd734 100644 (file)
@@ -434,7 +434,16 @@ bool AuthMonitor::preprocess_command(MMonCommand *m)
        m->cmd[1] == "caps") {
       return false;
     }
-    else if (m->cmd[1] == "export") {
+
+    MonSession *session = m->get_session();
+    if (!session ||
+       (!session->caps.get_allow_all() &&
+        !mon->_allowed_command(session, m->cmd))) {
+      mon->reply_command(m, -EACCES, "access denied", rdata, paxos->get_version());
+      return true;
+    }
+
+    if (m->cmd[1] == "export") {
       KeyRing keyring;
       export_keyring(keyring);
       if (m->cmd.size() > 2) {
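Review bot: The access check added to preprocess_command sits below the early `return false` for the mutating subcommands (the branch ending in `m->cmd[1] == "caps"`), so those requests leave this function unchecked and are rejected only by the guard this commit adds to prepare_command. That dependency deserves a comment above the early return, e.g. `// mutating subcommands are authorized in prepare_command()`, so a later edit to either function does not silently open a gap. Judging by the indentation, the check also appears to sit inside the `m->cmd.size() > 1` branch, which starts outside the hunk; if so, a bare `auth` command skips it, and it is worth confirming that the fall-through path replies with an error and no data. Moving the session/caps test to the top of the function, before any subcommand dispatch, would make denial the default.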
@@ -544,6 +553,14 @@ bool AuthMonitor::prepare_command(MMonCommand *m)
   string rs;
   int err = -EINVAL;
 
+  MonSession *session = m->get_session();
+  if (!session ||
+      (!session->caps.get_allow_all() &&
+       !mon->_allowed_command(session, m->cmd))) {
+    mon->reply_command(m, -EACCES, "access denied", rdata, paxos->get_version());
+    return true;
+  }
+
   // nothing here yet
   if (m->cmd.size() > 1) {
     if (m->cmd[1] == "import") {
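Review bot: The guard added at the top of prepare_command is a verbatim copy of the one added to preprocess_command, and two copies of an authorization test tend to drift apart. A small private helper called from both places, for example `bool AuthMonitor::check_command_access(MMonCommand *m)` (the name is only a suggestion), would keep them identical. The denial path also leaves no trace on the monitor; a log line naming the requesting entity and the subcommand before `reply_command` would give operators something to alert on when `auth` requests are rejected. Separately, `return true` should be checked against what the caller does with prepare_command's result: if true means "propose the pending change", which this hunk does not show, a rejected request would trigger an empty proposal and `return false` would be the safer value. The function body continues outside the hunk.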
index 86583acf4a1014bf34e2292a7410482aea605592..3e3d39da9929a5b48ea0901ece41fe453d7f433d 100644 (file)
@@ -1220,10 +1220,6 @@ void Monitor::handle_command(MMonCommand *m)
       return;
     }
     if (m->cmd[0] == "auth") {
-      if (!session->caps.get_allow_all() && !_allowed_command(session, m->cmd)) {
-       r = -EACCES;
-       goto out;
-      }
       authmon()->dispatch(m);
       return;
     }