auth: EACCES, not EPERM

author Sage Weil <sage@redhat.com>

Wed, 23 Oct 2019 18:36:48 +0000 (13:36 -0500)

committer Sage Weil <sage@redhat.com>

Wed, 23 Oct 2019 18:39:46 +0000 (13:39 -0500)
author Sage Weil <sage@redhat.com>
Wed, 23 Oct 2019 18:36:48 +0000 (13:36 -0500)
committer Sage Weil <sage@redhat.com>
Wed, 23 Oct 2019 18:39:46 +0000 (13:39 -0500)
diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc

index 94a9b7a0eb3b95c7872b916aa4696e603add8db7..089b864727183ab10c6c0be6909e97348271abb7 100644 (file)
--- a/src/auth/cephx/CephxClientHandler.cc
+++ b/src/auth/cephx/CephxClientHandler.cc
@@ -154,7 +154,7 @@ int CephxClientHandler::handle_response(
         
        if (!tickets.verify_service_ticket_reply(secret, indata)) {
         ldout(cct, 0) << "could not verify service_ticket reply" << dendl;
-       return -EPERM;
+       return -EACCES;
        }
        ldout(cct, 10) << " want=" << want << " need=" << need << " have=" << have << dendl;
        if (!indata.end()) {
@@ -208,7 +208,7 @@ int CephxClientHandler::handle_response(
    
        if (!tickets.verify_service_ticket_reply(ticket_handler.session_key, indata)) {
          ldout(cct, 0) << "could not verify service_ticket reply" << dendl;
-        return -EPERM;
+        return -EACCES;
        }
        validate_tickets();
        if (!_need_tickets()) {
diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc

index ec9fe99038264dd1255577f295b5646c59824ee4..d6ba3fea15a1ca19f87db664efa0b0cbbf3b51ff 100644 (file)
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
@@ -436,7 +436,7 @@ int KeyServer::build_session_auth_info(uint32_t service_id,
                                        CephXSessionAuthInfo& info)
  {
    if (!get_service_secret(service_id, info.service_secret, info.secret_id)) {
-    return -EPERM;
+    return -EACCES;
    }
  
    std::scoped_lock l{lock};
diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc

index a34f0b4ee3091922c1bca9762ae4cfd45364000e..dfc9baf69574448789f5ed28c1e6830f59e2e51a 100644 (file)
--- a/src/auth/cephx/CephxServiceHandler.cc
+++ b/src/auth/cephx/CephxServiceHandler.cc
@@ -75,12 +75,12 @@ int CephxServiceHandler::handle_request(
        CryptoKey secret;
        if (!key_server->get_secret(entity_name, secret)) {
          ldout(cct, 0) << "couldn't find entity name: " << entity_name << dendl;
-       ret = -EPERM;
+       ret = -EACCES;
         break;
        }
  
        if (!server_challenge) {
-       ret = -EPERM;
+       ret = -EACCES;
         break;
        }      
  
@@ -90,7 +90,7 @@ int CephxServiceHandler::handle_request(
                                          req.client_challenge, &expected_key, error);
        if (!error.empty()) {
         ldout(cct, 0) << " cephx_calc_client_server_challenge error: " << error << dendl;
-       ret = -EPERM;
+       ret = -EACCES;
         break;
        }
  
@@ -99,7 +99,7 @@ int CephxServiceHandler::handle_request(
        if (req.key != expected_key) {
          ldout(cct, 0) << " unexpected key: req.key=" << hex << req.key
                 << " expected_key=" << expected_key << dec << dendl;
-        ret = -EPERM;
+        ret = -EACCES;
         break;
        }
  
@@ -109,7 +109,7 @@ int CephxServiceHandler::handle_request(
  
        EntityAuth eauth;
        if (! key_server->get_auth(entity_name, eauth)) {
-       ret = -EPERM;
+       ret = -EACCES;
         break;
        }
        CephXServiceTicketInfo old_ticket_info;
@@ -229,7 +229,7 @@ int CephxServiceHandler::handle_request(
             cct, *key_server, indata, 0, auth_ticket_info, nullptr,
             nullptr,
             &tmp_bl)) {
-        ret = -EPERM;
+        ret = -EACCES;
         break;
        }
  
@@ -280,7 +280,7 @@ int CephxServiceHandler::handle_request(
                      << entity_name << dendl;
        build_cephx_response_header(cephx_header.request_type, 0, *result_bl);
        if (!key_server->get_rotating_encrypted(entity_name, *result_bl)) {
-        ret = -EPERM;
+        ret = -EACCES;
          break;
        }
      }
diff --git a/src/auth/krb/KrbClientHandler.cpp b/src/auth/krb/KrbClientHandler.cpp

index e39d074e64d1c93fb1922ebed4682f16134cd4ee..1f728b4dd6e0040470a5a3445bcbc4c3fd2f22a3 100644 (file)
--- a/src/auth/krb/KrbClientHandler.cpp
+++ b/src/auth/krb/KrbClientHandler.cpp
@@ -161,7 +161,7 @@ int KrbClientHandler::handle_response(
            << gss_minor_status << " " 
            << status_str 
            << dendl;
-      return (-EPERM);
+      return (-EACCES);
      }
  
      gss_buffer_desc krb_input_name_buff = {0, nullptr};
@@ -244,7 +244,7 @@ int KrbClientHandler::handle_response(
            << gss_minor_status << " " 
            << status_str 
            << dendl;
-      result = (-EPERM);
+      result = (-EACCES);
        break;
    }
  
diff --git a/src/auth/krb/KrbServiceHandler.cpp b/src/auth/krb/KrbServiceHandler.cpp

index d7c0feeb34a0a333d8d3989b99a4a5f00b5ae0e9..3bd679d0ab5f489caea3fdbb60f59915e5f3880f 100644 (file)
--- a/src/auth/krb/KrbServiceHandler.cpp
+++ b/src/auth/krb/KrbServiceHandler.cpp
@@ -124,7 +124,7 @@ int KrbServiceHandler::handle_request(
              << gss_minor_status << " " 
              << status_str 
              << dendl;
-        result = (-EPERM);
+        result = (-EACCES);
          break;
        }
    }
@@ -206,7 +206,7 @@ int KrbServiceHandler::start_session(
          << gss_minor_status << " " 
          << status_str 
          << dendl;
-    return (-EPERM);
+    return (-EACCES);
    } else {
      KrbResponse krb_response;
      krb_response.m_response_type = 
diff --git a/src/ceph.in b/src/ceph.in

index fac4ce3f06e99cf8eaba4e55f5eb7713c77c259e..234bccf024f7afb31504d72a0969601b14f51cd0 100755 (executable)
--- a/src/ceph.in
+++ b/src/ceph.in
@@ -399,7 +399,7 @@ def do_extended_help(parser, args, target, partial):
                                           prefix='get_command_descriptions',
                                           timeout=10)
          if ret:
-            if ret == -errno.EPERM and target[0] in ('osd', 'mds'):
+            if (ret == -errno.EPERM or ret == -errno.EACCES) and target[0] in ('osd', 'mds'):
                  print("Permission denied.  Check that your user has 'allow *' "
                        "capabilities for the target daemon type.", file=sys.stderr)
              elif ret == -errno.EPERM:
diff --git a/src/mds/MDSDaemon.cc b/src/mds/MDSDaemon.cc

index 5595a01a42eb52d965bbf55555512b59b105b058..decc7f47b130e13b65e309d0142179a00a654b66 100644 (file)
--- a/src/mds/MDSDaemon.cc
+++ b/src/mds/MDSDaemon.cc
@@ -500,7 +500,7 @@ void MDSDaemon::handle_command(const cref_t<MCommand> &m)
        << *m->get_connection()->peer_addrs << dendl;
  
      ss << "permission denied";
-    r = -EPERM;
+    r = -EACCES;
    } else if (m->cmd.empty()) {
      r = -EINVAL;
      ss << "no command given";
diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc

index 454179727df8ea38fe59d06908ec426c8d58c924..e087f0ea931a97aaa0bf4c12480b2e762480e7f4 100644 (file)
--- a/src/mgr/DaemonServer.cc
+++ b/src/mgr/DaemonServer.cc
@@ -191,12 +191,12 @@ int DaemonServer::ms_handle_authentication(Connection *con)
      catch (buffer::error& e) {
        dout(10) << " session " << s << " " << s->entity_name
                 << " failed to decode caps" << dendl;
-      return -EPERM;
+      return -EACCES;
      }
      if (!s->caps.parse(str)) {
        dout(10) << " session " << s << " " << s->entity_name
                << " failed to parse caps '" << str << "'" << dendl;
-      return -EPERM;
+      return -EACCES;
      }
      dout(10) << " session " << s << " " << s->entity_name
               << " has caps " << s->caps << " '" << str << "'" << dendl;
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc

index 166f85f17277506f8df327225514557da56b5b76..d570948a7ae891dddec57f402db5f3a93d2a28b3 100644 (file)
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -3152,7 +3152,7 @@ void Monitor::handle_tell_command(MonOpRequestRef op)
    MCommand *m = static_cast<MCommand*>(op->get_req());
    if (m->fsid != monmap->fsid) {
      dout(0) << "handle_command on fsid " << m->fsid << " != " << monmap->fsid << dendl;
-    reply_command(op, -EPERM, "wrong fsid", 0);
+    reply_command(op, -EACCES, "wrong fsid", 0);
      return;
    }
    MonSession *session = op->get_session();
@@ -3180,7 +3180,7 @@ void Monitor::handle_tell_command(MonOpRequestRef op)
           "mon", prefix, param_str_map,
           true, true, true,
           session->get_peer_socket_addr())) {
-      reply_tell_command(op, -EPERM, "insufficient caps");
+      reply_tell_command(op, -EACCES, "insufficient caps");
      }
    }
    // pass it to asok
@@ -6382,7 +6382,7 @@ int Monitor::ms_handle_authentication(Connection *con)
        derr << __func__ << " corrupt cap data for " << con->get_peer_entity_name()
            << " in auth db" << dendl;
        str.clear();
-      ret = -EPERM;
+      ret = -EACCES;
      }
      if (ret >= 0) {
        if (s->caps.parse(str, NULL)) {
@@ -6391,7 +6391,7 @@ int Monitor::ms_handle_authentication(Connection *con)
        } else {
         derr << __func__ << " unparseable caps '" << str << "' for "
              << con->get_peer_entity_name() << dendl;
-       ret = -EPERM;
+       ret = -EACCES;
        }
      }
    }
diff --git a/src/osd/OSD.cc b/src/osd/OSD.cc

index dbf1e754f70fa700be9db38e8ffbac5365fd620e..5156aa01c38722ef26b3adc1f6f9048e25800e63 100644 (file)
--- a/src/osd/OSD.cc
+++ b/src/osd/OSD.cc
@@ -6723,12 +6723,12 @@ void OSD::handle_command(MCommand *m)
    ConnectionRef con = m->get_connection();
    auto session = ceph::ref_cast<Session>(con->get_priv());
    if (!session) {
-    con->send_message(new MCommandReply(m, -EPERM));
+    con->send_message(new MCommandReply(m, -EACCES));
      m->put();
      return;
    }
    if (!session->caps.allow_all()) {
-    con->send_message(new MCommandReply(m, -EPERM));
+    con->send_message(new MCommandReply(m, -EACCES));
      m->put();
      return;
    }
@@ -7099,7 +7099,7 @@ int OSD::ms_handle_authentication(Connection *con)
      catch (buffer::error& e) {
        dout(10) << __func__ << " session " << s << " " << s->entity_name
                << " failed to decode caps string" << dendl;
-      ret = -EPERM;
+      ret = -EACCES;
      }
      if (!ret) {
        bool success = s->caps.parse(str);
@@ -7111,7 +7111,7 @@ int OSD::ms_handle_authentication(Connection *con)
        } else {
         dout(10) << __func__ << " session " << s << " " << s->entity_name
                  << " failed to parse caps '" << str << "'" << dendl;
-       ret = -EPERM;
+       ret = -EACCES;
        }
      }
    }
author	Sage Weil <sage@redhat.com>
	Wed, 23 Oct 2019 18:36:48 +0000 (13:36 -0500)
committer	Sage Weil <sage@redhat.com>
	Wed, 23 Oct 2019 18:39:46 +0000 (13:39 -0500)
src/auth/cephx/CephxClientHandler.cc		patch \| blob \| history
src/auth/cephx/CephxKeyServer.cc		patch \| blob \| history
src/auth/cephx/CephxServiceHandler.cc		patch \| blob \| history
src/auth/krb/KrbClientHandler.cpp		patch \| blob \| history
src/auth/krb/KrbServiceHandler.cpp		patch \| blob \| history
src/ceph.in		patch \| blob \| history
src/mds/MDSDaemon.cc		patch \| blob \| history
src/mgr/DaemonServer.cc		patch \| blob \| history
src/mon/Monitor.cc		patch \| blob \| history
src/osd/OSD.cc		patch \| blob \| history