mds/Server: disallow clients that have root_squash

... MDS auth caps but don't have CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK
feature bit (i.e., can't check the auth caps sent back to it by the
MDS) from establishing a session. Do this in
Server::handle_client_session(), and Server::handle_client_reconnect(),
where old clients try to reconnect to MDS servers after an upgrade.

If the client doesn't have the ability to authorize session access
based on the MDS auth caps send back to it by the MDS, then the
client may buffer changes locally during open and setattr operations
when it's not supposed to, e.g., when enforcing root_squash MDS auth
caps.

Fixes: https://tracker.ceph.com/issues/56067
Signed-off-by: Ramana Raja <rraja@redhat.com>

diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index 9752f0ec1c8c8d3057d523051f7f485967b1b83d..c1d410eaf76fb174dcdc4ec2c34b5316c87e5a98 100644 (file)
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
@@ -299,6 +299,15 @@ public:
     }
   }
 
+  bool root_squash_in_caps() const {
+    for (const MDSCapGrant &g : grants) {
+      if (g.match.root_squash) {
+        return true;
+      }
+    }
+    return false;
+  }
+
   friend std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap);
   std::string to_string();
 private:

diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index c0cabfdcfb0f9d0301f857a599217d04baf6c61f..29108539e612204facef220d22ad44e3648c2fe0 100644 (file)
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -713,6 +713,17 @@ void Server::handle_client_session(const cref_t<MClientSession> &m)
        break;
       }
 
+      if (session->auth_caps.root_squash_in_caps() && !client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK)) {
+       CachedStackStringStream css;
+       *css << "client lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK needed to enforce 'root_squash' MDS auth caps";
+       send_reject_message(css->strv());
+       mds->clog->warn() << "client session (" << session->info.inst
+                          << ") lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK "
+                          << " needed to enforce 'root_squash' MDS auth caps";
+       session->clear();
+       break;
+
+      }
       // Special case for the 'root' metadata path; validate that the claimed
       // root is actually within the caps of the session
       if (auto it = client_metadata.find("root"); it != client_metadata.end()) {
@@ -1555,6 +1566,12 @@ void Server::handle_client_reconnect(const cref_t<MClientReconnect> &m)
        *css << "missing required features '" << missing_features << "'";
        error_str = css->strv();
       }
+      if (session->auth_caps.root_squash_in_caps() &&
+          !session->info.client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK)) {
+       CachedStackStringStream css;
+       *css << "client lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK needed to enforce 'root_squash' MDS auth caps";
+       error_str = css->strv();
+      }
     }
 
     if (!error_str.empty()) {