When checking if a certain fs subcommand can and should be executed in
FSCommands.cc, check permissions in "profile_grants" too when the caps
for that entity contain a cap profile.
Fixes: https://tracker.ceph.com/issues/47423
Signed-off-by: Rishabh Dave <ridave@redhat.com>
return ret;
}
- bool fs_name_capable(string_view fs_name, __u8 mask) {
- for (auto& g: grants) {
+ bool fs_name_capable(const EntityName& ename, string_view fs_name,
+ __u8 mask) {
+ for (auto& g : grants) {
if (g.is_allow_all()) {
return true;
}
- if (g.fs_name.empty() || g.fs_name == fs_name) {
- if (mask & g.allow) {
+
+ if ((g.fs_name.empty() || g.fs_name == fs_name) && (mask & g.allow)) {
+ return true;
+ }
+
+ g.expand_profile(ename);
+ for (auto& pg : g.profile_grants) {
+ if ((pg.service == "fs" || pg.service == "mds") &&
+ (pg.fs_name.empty() || pg.fs_name == fs_name) &&
+ (pg.allow & mask)) {
return true;
}
}
}
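Review bot: The new profile branch tests `(pg.allow & mask)`, which succeeds when any single requested bit is granted, so a caller passing a combined mask (read plus write, say) would be authorized by a profile grant that allows only one of them; the direct-grant test `(mask & g.allow)` just above has the same shape. If callers can pass a multi-bit mask, require every bit with `((pg.allow & mask) == mask)` in the profile branch and `((g.allow & mask) == mask)` in the direct one. Separately, `g.expand_profile(ename)` is called for every grant on every check, inside what reads as a pure permission query; if it rebuilds `profile_grants` each time, the check mutates cap state while answering, so it deserves a comment stating whether the call is idempotent, or a move to where the caps are parsed. The end of the function, including its fall-through return, is outside this hunk.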
bool fs_name_capable(string_view fsname, __u8 mask) {
- return caps.fs_name_capable(fsname, mask);
+ return caps.fs_name_capable(entity_name, fsname, mask);
}
const entity_addr_t& get_peer_socket_addr() {