mds/Server: disallow clients that have root_squash

... MDS auth caps but don't have CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK
feature bit (i.e., can't check the auth caps sent back to it by the
MDS) from establishing a session. Do this in
Server::handle_client_session(), and Server::handle_client_reconnect(),
where old clients try to reconnect to MDS servers after an upgrade.

If the client doesn't have the ability to authorize session access
based on the MDS auth caps send back to it by the MDS, then the
client may buffer changes locally during open and setattr operations
when it's not supposed to, e.g., when enforcing root_squash MDS auth
caps.

Fixes: https://tracker.ceph.com/issues/56067
Signed-off-by: Ramana Raja <rraja@redhat.com>
(cherry picked from commit e64931b6a80d0f3e365ed0fe305b73562cbca502)

diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index 5f3787f9afa1cd9174de0fba47ae734d9cd9cb53..bbb2589b3a8d719a41f6efb87f001a024788dfce 100644 (file)
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
@@ -285,6 +285,15 @@ public:
     }
   }
 
+  bool root_squash_in_caps() const {
+    for (const MDSCapGrant &g : grants) {
+      if (g.match.root_squash) {
+        return true;
+      }
+    }
+    return false;
+  }
+
   friend std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap);
 private:
   std::vector<MDSCapGrant> grants;

diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index b34634bba7103477869b83db45e8e9c11601aada..1b75249566332b868e969170b67a5f962fd7b305 100644 (file)
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -717,6 +717,17 @@ void Server::handle_client_session(const cref_t<MClientSession> &m)
        break;
       }
 
+      if (session->auth_caps.root_squash_in_caps() && !client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK)) {
+       CachedStackStringStream css;
+       *css << "client lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK needed to enforce 'root_squash' MDS auth caps";
+       send_reject_message(css->strv());
+       mds->clog->warn() << "client session (" << session->info.inst
+                          << ") lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK "
+                          << " needed to enforce 'root_squash' MDS auth caps";
+       session->clear();
+       break;
+
+      }
       // Special case for the 'root' metadata path; validate that the claimed
       // root is actually within the caps of the session
       if (auto it = client_metadata.find("root"); it != client_metadata.end()) {
@@ -1561,6 +1572,12 @@ void Server::handle_client_reconnect(const cref_t<MClientReconnect> &m)
        *css << "missing required features '" << missing_features << "'";
        error_str = css->strv();
       }
+      if (session->auth_caps.root_squash_in_caps() &&
+          !session->info.client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK)) {
+       CachedStackStringStream css;
+       *css << "client lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK needed to enforce 'root_squash' MDS auth caps";
+       error_str = css->strv();
+      }
     }
 
     if (!error_str.empty()) {