From: John Spray
Date: Fri, 4 Nov 2016 15:50:26 +0000 (+0000)
Subject: mds: require MAY_SET_POOL to set pool_ns
X-Git-Tag: v11.1.0~336^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=1dfee37ad1c65f34f7fbc877e90c5b0a219125cd;p=ceph.git

mds: require MAY_SET_POOL to set pool_ns

The intent of that flag is to enable admins to limit a client to setting layouts to put objects within the OSD auth caps that it has been given, so we should apply it to namespace as well as pool ID.

Fixes: http://tracker.ceph.com/issues/17798
Signed-off-by: John Spray
---

diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index 9207cde01a42..bce73cde3361 100644
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -3183,9 +3183,8 @@ void Server::handle_client_openc(MDRequestRef& mdr)
 // file would have inherited anyway from its parent.
 CDir *parent = dn->get_dir();
 CInode *parent_in = parent->get_inode();
- int64_t parent_pool = parent_in->inode.layout.pool_id;
-
- if (layout.pool_id != parent_pool) {
+ if (layout.pool_id != parent_in->inode.layout.pool_id
+ || layout.pool_ns != parent_in->inode.layout.pool_ns) {
 access |= MAY_SET_POOL;
 }
@@ -4297,7 +4296,8 @@ void Server::handle_set_vxattr(MDRequestRef& mdr, CInode *cur,
 if (!mds->locker->acquire_locks(mdr, rdlocks, wrlocks, xlocks))
 return;
- if (cur->inode.layout.pool_id != layout.pool_id) {
+ if (cur->inode.layout.pool_id != layout.pool_id
+ || cur->inode.layout.pool_ns != layout.pool_ns) {
 if (!check_access(mdr, cur, MAY_SET_POOL)) {
 return;
 }
@@ -4324,7 +4324,8 @@ void Server::handle_set_vxattr(MDRequestRef& mdr, CInode *cur,
 if (!mds->locker->acquire_locks(mdr, rdlocks, wrlocks, xlocks))
 return;
- if (cur->inode.layout.pool_id != layout.pool_id) {
+ if (cur->inode.layout.pool_id != layout.pool_id
+ || cur->inode.layout.pool_ns != layout.pool_ns) {
 if (!check_access(mdr, cur, MAY_SET_POOL)) {
 return;
 }
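Review bot: The comment ending at `// file would have inherited anyway from its parent.` appears to describe the rule in terms of the pool alone (its earlier lines are outside this hunk, so this is inferred from the visible tail), while the condition in `handle_client_openc` now also compares `pool_ns`. I would reword it so the next reader sees that a differing namespace also adds `MAY_SET_POOL`, for example `// A pool or namespace that differs from the parent's layout requires MAY_SET_POOL, because OSD caps can be restricted by either.` The function body starts and ends outside the hunk, so where `layout` is populated is not visible here.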
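Review bot: The two-field condition `cur->inode.layout.pool_id != layout.pool_id || cur->inode.layout.pool_ns != layout.pool_ns` is written out identically in both `handle_set_vxattr` hunks (-4297 and -4324) and in a third form in `handle_client_openc`; a copy that misses a later placement field would silently skip the `MAY_SET_POOL` check. A small file-local predicate, say `layout_placement_differs(a, b)` (the name is only a suggestion), returning `a.pool_id != b.pool_id || a.pool_ns != b.pool_ns`, would keep the three sites in step. The diff touches only `src/mds/Server.cc`, so a test that a client without the pool-setting capability is refused a namespace-only layout change would be worth adding alongside. `handle_set_vxattr` begins and ends outside both hunks.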