src/mds: allow passing fs names and path in same cap

Allow passing path along with fs names and capspec while creating an MDS
cap. The new syntax looks as follows -

allow rw fsname=<fsname> path=<path>

To provide caps for multiple file systems, pass the same phrase multiple
times separated by commas -

allow rw fsname=<fsname1> path=<path1>, allow rw fsname=<fsname2>
path=<path2>, ...

This commit also makes sure that the old syntax 'allow rw path=<path>'
is supported for backwards compatibility. The old syntax would imply
'allow rw fsname=* path=<path>' and would grant read-write permission for
all FSs containing the path <path>.

Signed-off-by: Rishabh Dave <ridave@redhat.com>

diff --git a/PendingReleaseNotes b/PendingReleaseNotes
index 858c720ef744a04708ce35d3c256a2e5d16d8356..a2d176c331972750f62cd257e30a7c7bdbf2c1c4 100644 (file)
--- a/PendingReleaseNotes
+++ b/PendingReleaseNotes
@@ -157,3 +157,6 @@
   and operate on specific Ceph file systems. The FS can be specificed using
   ``fsname`` in caps. This also affects subcommand ``fs authorize``, the caps
   produce by it will be specific to the FS name passed in its arguments.
+
+* fs: "fs authorize" now sets MON cap to "allow <perm> fsname=<fsname>"
+      instead of setting it to "allow r" all the time.

diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index 40db4c1ec1ad51474947acf19a79c8163b8781ff..19c4bab0a0db6e5689bfb62fa1f4f40f5fae6cdd 100644 (file)
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -73,6 +73,7 @@ struct MDSCapParser : qi::grammar<Iterator, MDSAuthCaps()>
     match = -(
             (uid >> gidlist)[_val = phoenix::construct<MDSCapMatch>(_1, _2)] |
             (path >> uid >> gidlist)[_val = phoenix::construct<MDSCapMatch>(_1, _2, _3)] |
+             (fs_name >> path)[_val = phoenix::construct<MDSCapMatch>(_2, _1)] |
              (path)[_val = phoenix::construct<MDSCapMatch>(_1)] |
              (fs_name)[_val = phoenix::construct<MDSCapMatch>(std::string(),
                                                              _1)]);

diff --git a/src/mds/mdstypes.h b/src/mds/mdstypes.h
index de38ef79de85901696f2c882706e09447208dddc..7ffc39ffb33da29fd25f3a454b514d3cf424595f 100644 (file)
--- a/src/mds/mdstypes.h
+++ b/src/mds/mdstypes.h
@@ -77,6 +77,7 @@ extern const mds_gid_t MDS_GID_NONE;
 
 typedef int32_t fs_cluster_id_t;
 constexpr fs_cluster_id_t FS_CLUSTER_ID_NONE = -1;
+
 // The namespace ID of the anonymous default filesystem from legacy systems
 constexpr fs_cluster_id_t FS_CLUSTER_ID_ANONYMOUS = 0;
 

diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index d6b5fe65233bdaa87aabd9aa02a4f512eddd920d..f299724fe22354e93dea9aa05090ccaaf5eab816 100644 (file)
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -1639,21 +1639,24 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
 
       mds_cap_string += mds_cap_string.empty() ? "" : ", ";
       mds_cap_string += "allow " + cap;
-      if (path != "/") {
-       mds_cap_string += " path=" + path;
+
+      if (filesystem != "*" && filesystem != "all") {
+       auto fs = mon->mdsmon()->get_fsmap().get_filesystem(filesystem);
+       if (!fs) {
+         ss << "filesystem " << filesystem << " does not exist.";
+         err = -EINVAL;
+         goto done;
+       } else {
+         mds_cap_string += " fsname=" + std::string(fs->mds_map.get_fs_name());
+       }
       }
-    }
 
-    if (filesystem != "*" && filesystem != "all") {
-      auto fs = mon->mdsmon()->get_fsmap().get_filesystem(filesystem);
-      if (!fs) {
-       ss << "filesystem " << filesystem << " does not exist.";
-       err = -EINVAL;
-       goto done;
+      if (path != "/") {
+       mds_cap_string += " path=" + path;
       }
     }
 
-    osd_cap_string += osd_cap_string.empty()? "" : ", ";
+    osd_cap_string += osd_cap_string.empty() ? "" : ", ";
     osd_cap_string += "allow " + osd_cap_wanted
       + " tag " + pg_pool_t::APPLICATION_NAME_CEPHFS
       + " data=" + filesystem;