mon: apply 'r' and 'w' caps to mon and pg commands

Signed-off-by: Sage Weil <sage@inktank.com>

diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 9e59ab3431ace2722c4167386509854b32f6fc1f..426892e4e2b330ba9c0a4f34a9c1ce134e480343 100644 (file)
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -1142,20 +1142,10 @@ void Monitor::handle_command(MMonCommand *m)
       return;
     }
     if (m->cmd[0] == "pg") {
-      if (!session->caps.get_allow_all() && !_allowed_command(session, m->cmd)) {
-       r = -EACCES;
-       rs = "access denied";
-       goto out;
-      }
       pgmon()->dispatch(m);
       return;
     }
     if (m->cmd[0] == "mon") {
-      if (!session->caps.get_allow_all() && !_allowed_command(session, m->cmd)) {
-       r = -EACCES;
-       rs = "access denied";
-       goto out;
-      }
       monmon()->dispatch(m);
       return;
     }

diff --git a/src/mon/MonmapMonitor.cc b/src/mon/MonmapMonitor.cc
index 1b7dd2736d93a735f015ec5cde0ffe66008b3e9d..1b84e463b1317c49a72b77e8fbaeaa2d8bfd9342 100644 (file)
--- a/src/mon/MonmapMonitor.cc
+++ b/src/mon/MonmapMonitor.cc
@@ -136,6 +136,15 @@ bool MonmapMonitor::preprocess_command(MMonCommand *m)
   bufferlist rdata;
   stringstream ss;
 
+  MonSession *session = m->get_session();
+  if (!session ||
+      (!session->caps.get_allow_all() &&
+       !session->caps.check_privileges(PAXOS_MONMAP, MON_CAP_R) &&
+       !mon->_allowed_command(session, m->cmd))) {
+    mon->reply_command(m, -EACCES, "access denied", paxos->get_version());
+    return true;
+  }
+
   vector<const char*> args;
   for (unsigned i = 1; i < m->cmd.size(); i++)
     args.push_back(m->cmd[i].c_str());
@@ -279,6 +288,16 @@ bool MonmapMonitor::prepare_command(MMonCommand *m)
   stringstream ss;
   string rs;
   int err = -EINVAL;
+
+  MonSession *session = m->get_session();
+  if (!session ||
+      (!session->caps.get_allow_all() &&
+       !session->caps.check_privileges(PAXOS_MONMAP, MON_CAP_R) &&
+       !mon->_allowed_command(session, m->cmd))) {
+    mon->reply_command(m, -EACCES, "access denied", paxos->get_version());
+    return true;
+  }
+
   if (m->cmd.size() > 1) {
     if (m->cmd.size() == 4 && m->cmd[1] == "add") {
       string name = m->cmd[2];

diff --git a/src/mon/PGMonitor.cc b/src/mon/PGMonitor.cc
index 85f388631df09245a82f500f6b4c39ff37e26cd9..97fbb1b3e7afd9521e7cc7fbefa4b92920a53bc4 100644 (file)
--- a/src/mon/PGMonitor.cc
+++ b/src/mon/PGMonitor.cc
@@ -832,6 +832,15 @@ bool PGMonitor::preprocess_command(MMonCommand *m)
   bufferlist rdata;
   stringstream ss;
 
+  MonSession *session = m->get_session();
+  if (!session ||
+      (!session->caps.get_allow_all() &&
+       !session->caps.check_privileges(PAXOS_PGMAP, MON_CAP_R) &&
+       !mon->_allowed_command(session, m->cmd))) {
+    mon->reply_command(m, -EACCES, "access denied", rdata, paxos->get_version());
+    return true;
+  }
+
   vector<const char*> args;
   for (unsigned i = 1; i < m->cmd.size(); i++)
     args.push_back(m->cmd[i].c_str());
@@ -1030,6 +1039,15 @@ bool PGMonitor::prepare_command(MMonCommand *m)
   int r = -EINVAL;
   string rs;
 
+  MonSession *session = m->get_session();
+  if (!session ||
+      (!session->caps.get_allow_all() &&
+       !session->caps.check_privileges(PAXOS_PGMAP, MON_CAP_W) &&
+       !mon->_allowed_command(session, m->cmd))) {
+    mon->reply_command(m, -EACCES, "access denied", paxos->get_version());
+    return true;
+  }
+
   if (m->cmd.size() >= 1 && m->cmd[1] == "force_create_pg") {
     if (m->cmd.size() <= 2) {
       ss << "usage: pg force_create_pg <pg>";