From: Sage Weil
Date: Tue, 3 Jul 2018 19:31:52 +0000 (-0500)
Subject: mon/MonCap: parse 'network ...' suffix
X-Git-Tag: v14.0.1~601^2~11
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=5038627c9a647aff87515c93fe33743739e4dc7c;p=ceph.git
mon/MonCap: parse 'network ...' suffix
Allow an optional network constraint to any grant.
Signed-off-by: Sage Weil
---
diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index 05ceaaa97c497..f4e909b8bd1f6 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -113,6 +113,8 @@ ostream& operator<<(ostream& out, const MonCapGrant& m)
 }
 if (m.allow != 0) out << " " << m.allow;
+ if (m.network.size())
+ out << " network " << m.network;
 return out;
 }
@@ -127,7 +129,8 @@ BOOST_FUSION_ADAPT_STRUCT(MonCapGrant,
 (std::string, profile)
 (std::string, command)
 (kvmap, command_args)
- (mon_rwxa_t, allow))
+ (mon_rwxa_t, allow)
+ (std::string, network))
 BOOST_FUSION_ADAPT_STRUCT(StringConstraint,
 (StringConstraint::MatchType, match_type)
@@ -484,8 +487,9 @@ struct MonCapParser : qi::grammar
 quoted_string %= lexeme['"' >> +(char_ - '"') >> '"'] | lexeme['\'' >> +(char_ - '\'') >> '\''];
- unquoted_word %= +char_("a-zA-Z0-9_.-");
+ unquoted_word %= +char_("a-zA-Z0-9_./-");
 str %= quoted_string | unquoted_word;
+ network_str %= +char_("/.:a-fA-F0-9][");
 spaces = +(lit(' ') | lit('\n') | lit('\t'));
@@ -501,13 +505,15 @@ struct MonCapParser : qi::grammar
 >> qi::attr(string()) >> qi::attr(string()) >> str >> -(spaces >> lit("with") >> spaces >> kv_map)
- >> qi::attr(0);
+ >> qi::attr(0)
+ >> -(spaces >> lit("network") >> spaces >> network_str);
 // service foo rwxa
 service_match %= -spaces >> lit("allow") >> spaces >> lit("service") >> (lit('=') | spaces) >> str >> qi::attr(string()) >> qi::attr(string()) >> qi::attr(map())
- >> spaces >> rwxa;
+ >> spaces >> rwxa
+ >> -(spaces >> lit("network") >> spaces >> network_str);
 // profile foo
 profile_match %= -spaces >> -(lit("allow") >> spaces)
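Review bot: `network_str` in the -484 hunk accepts any non-empty run of `/`, `.`, `:`, hex digits and square brackets, so constructed inputs such as `]]]` or `1.2.3.4/999` parse as a network constraint and land in `MonCapGrant::network` unchecked. Because the field exists to narrow an authorization grant, a value that is not a well-formed address/prefix should make the whole cap string fail to parse; validating each grant's `network` once the grammar has succeeded, and rejecting the cap on failure, keeps that fail-closed. The same hunk also adds `/` to `unquoted_word`, which widens every unquoted service, profile, command and argument token and is not mentioned in the commit message, so it deserves its own comment or commit. The rule definitions sit in a constructor that starts and ends outside the hunk.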
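Review bot: The suffix `-(spaces >> lit("network") >> spaces >> network_str)` is pasted verbatim onto the rule at the top of the -501 hunk and onto `service_match`, and again onto `profile_match` and `rwxa_match` in the -516 hunk. With four copies, any later tightening of what a network constraint may look like has to be applied four times, and a missed copy leaves one grant form parsing more loosely than the others. Defining it once next to `network_str`, for example `network_suffix %= -(spaces >> lit("network") >> spaces >> network_str);`, and appending `>> network_suffix` to each rule would remove that risk, provided the rule's attribute type still maps onto the adapted `network` member. Each of these rules begins or ends outside its hunk.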
@@ -516,13 +522,15 @@ struct MonCapParser : qi::grammar
 >> str >> qi::attr(string()) >> qi::attr(map())
- >> qi::attr(0);
+ >> qi::attr(0)
+ >> -(spaces >> lit("network") >> spaces >> network_str);
 // rwxa
 rwxa_match %= -spaces >> lit("allow") >> spaces >> qi::attr(string()) >> qi::attr(string()) >> qi::attr(string()) >> qi::attr(map())
- >> rwxa;
+ >> rwxa
+ >> -(spaces >> lit("network") >> spaces >> network_str);
 // rwxa := * | [r][w][x]
 rwxa =
@@ -547,7 +555,7 @@ struct MonCapParser : qi::grammar
 qi::rule rwxa;
 qi::rule quoted_string;
 qi::rule unquoted_word;
- qi::rule str;
+ qi::rule str, network_str;
 qi::rule str_match, str_prefix, str_regex;
 qi::rule()> kv_pair;
diff --git a/src/mon/MonCap.h b/src/mon/MonCap.h
index de3581f313c21..5de2cb3773c4a 100644
--- a/src/mon/MonCap.h
+++ b/src/mon/MonCap.h
@@ -80,6 +80,9 @@ struct MonCapGrant {
 std::string command;
 map command_args;
+ // restrict by network
+ std::string network;
+
 mon_rwxa_t allow;
 // explicit grants that a profile grant expands to; populated as
diff --git a/src/test/mon/moncap.cc b/src/test/mon/moncap.cc
index 38ecfca7f3781..5ac8bff13423b 100644
--- a/src/test/mon/moncap.cc
+++ b/src/test/mon/moncap.cc
@@ -59,6 +59,13 @@ const char *parse_good[] = {
 "allow command \"foo bar\" with arg=\"baz.xx\"",
 "profile osd",
 "profile \"mds-bootstrap\", profile foo",
+ "allow * network 1.2.3.4/24",
+ "allow * network ::1/128",
+ "allow * network [aa:bb::1]/128",
+ "allow service=foo x network 1.2.3.4/16",
+ "allow command abc network 1.2.3.4/8",
+ "profile osd network 1.2.3.4/32",
+ "allow profile mon network 1.2.3.4/32",
 0
 };
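Review bot: The new `network` member in `MonCapGrant` is documented only as `// restrict by network`, and no hunk in this commit reads it when a grant is evaluated. As far as this diff shows, a cap carrying a `network` suffix is accepted and printed back but grants exactly what it would without the suffix. If enforcement lands in a later commit, the comment should say the field is not yet enforced, so nobody relies on it early. It should also state the accepted form and the meaning of the empty value, for example `// optional address/prefix the client must connect from (IPv4 or IPv6, brackets allowed); empty = no restriction`. The struct continues outside the hunk, so constructors or helpers that copy or compare grants cannot be checked from here.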
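Review bot: The seven entries added to `parse_good` only show that the suffix is accepted; nothing checks that a dangling or malformed suffix is rejected, or that the parsed `network` value equals the input. Assuming the file keeps a matching list of strings that must fail, add cases such as `"allow * network"` and `"allow * network 1.2.3.4/24 extra"`. A case with an out-of-range prefix such as `"allow * network 1.2.3.4/999"` would also pin down whether the value is validated at parse time. One test that parses `"allow * network 1.2.3.4/24"` and compares the grant's `network` with `"1.2.3.4/24"` would cover the attribute wiring in `BOOST_FUSION_ADAPT_STRUCT`.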