mds: check relevant caps for fs include root_squash

When denying client reconnects because the MDS caps include root_squash and the
client features do not include CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK, ensure those
caps are only for the file system the MDS is joined to.

Fixes: https://tracker.ceph.com/issues/65733
Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>

diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index bca063ecb33f840a414b5701b126320bafa0e76e..e3394c4f22705ec2e196ed0b9711a95ecfa73867 100644 (file)
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
@@ -303,10 +303,12 @@ public:
     }
   }
 
-  bool root_squash_in_caps() const {
-    for (const MDSCapGrant &g : grants) {
-      if (g.match.root_squash) {
-        return true;
+  bool root_squash_in_caps(std::string_view fs_name) const {
+    for (const MDSCapGrant& g : grants) {
+      if (g.match.match_fs(fs_name)) {
+        if (g.match.root_squash) {
+          return true;
+        }
       }
     }
     return false;

diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index c3074379fc308eebdd5050fa60a84ab1ef3faef5..40fbccc56cd4e0cd2acd925ff3e6d539a827ce36 100644 (file)
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -719,7 +719,9 @@ void Server::handle_client_session(const cref_t<MClientSession> &m)
        break;
       }
 
-      if (session->auth_caps.root_squash_in_caps() && !client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK)) {
+      std::string_view fs_name = mds->mdsmap->get_fs_name();
+      bool client_caps_check = client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK);
+      if (session->auth_caps.root_squash_in_caps(fs_name) && !client_caps_check) {
        CachedStackStringStream css;
        *css << "client lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK needed to enforce 'root_squash' MDS auth caps";
        send_reject_message(css->strv());
@@ -1585,8 +1587,9 @@ void Server::handle_client_reconnect(const cref_t<MClientReconnect> &m)
        *css << "missing required features '" << missing_features << "'";
        error_str = css->strv();
       }
-      if (session->auth_caps.root_squash_in_caps() &&
-          !session->info.client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK)) {
+      std::string_view fs_name = mds->mdsmap->get_fs_name();
+      bool client_caps_check = session->info.client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK);
+      if (session->auth_caps.root_squash_in_caps(fs_name) && !client_caps_check) {
        CachedStackStringStream css;
        *css << "client lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK needed to enforce 'root_squash' MDS auth caps";
        error_str = css->strv();