From: Sage Weil
Date: Thu, 5 Jul 2018 16:40:06 +0000 (-0500)
Subject: mon/MonCap: enforce network constraint (if present)
X-Git-Tag: v14.0.1~601^2~9
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=556426e66a25d90eff078514fb6bdb21dfd344cb;p=ceph.git

mon/MonCap: enforce network constraint (if present)

Signed-off-by: Sage Weil
---
diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index 1fbf2c8200a8a..ad1e61a833257 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -22,6 +22,7 @@
 
 #include "MonCap.h"
 #include "include/stringify.h"
+#include "include/ipaddr.h"
 #include "common/debug.h"
 #include "common/Formatter.h"
 
@@ -138,6 +139,12 @@ BOOST_FUSION_ADAPT_STRUCT(StringConstraint,
 
 //
 
+void MonCapGrant::parse_network()
+{
+  network_valid = ::parse_network(network.c_str(), &network_parsed,
+                                  &network_prefix);
+}
+
 void MonCapGrant::expand_profile(int daemon_type, const EntityName& name) const
 {
   // only generate this list once
@@ -398,11 +405,21 @@ bool MonCap::is_capable(
                    << " addr " << addr
                    << " on cap " << *this
                    << dendl;
+
   mon_rwxa_t allow = 0;
   for (vector::const_iterator p = grants.begin(); p != grants.end(); ++p) {
     if (cct)
-      ldout(cct, 20) << " allow so far " << allow << ", doing grant " << *p << dendl;
+      ldout(cct, 20) << " allow so far " << allow << ", doing grant " << *p
+                     << dendl;
+
+    if (p->network.size() &&
+        (!p->network_valid ||
+         !network_contains(p->network_parsed,
+                           p->network_prefix,
+                           addr))) {
+      continue;
+    }
 
     if (p->is_allow_all()) {
       if (cct)
@@ -585,6 +602,9 @@ bool MonCap::parse(const string& str, ostream *err)
   //bool r = qi::phrase_parse(iter, end, g, ascii::space, foo);
   if (r && iter == end) {
     text = str;
+    for (auto& g : grants) {
+      g.parse_network();
+    }
     return true;
   }
 
diff --git a/src/mon/MonCap.h b/src/mon/MonCap.h
index b0fe6e73e335e..67ed105ebda51 100644
--- a/src/mon/MonCap.h
+++ b/src/mon/MonCap.h
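Review bot: A grant that is skipped by the new `continue` in the `for` loop of `MonCap::is_capable` (because `addr` is outside `p->network`, or the network string never parsed) leaves no trace in the debug log, so a denial caused by the network clause looks the same as a cap that simply lacks the permission. The loop already logs each grant at level 20, so add one line before the `continue`: `if (cct) ldout(cct, 20) << "  grant " << *p << " does not apply to addr " << addr << dendl;`. Treating `!p->network_valid` as a non-match is the right fail-closed choice and should stay. Whether `network_contains` copes with an address-family mismatch between `network_parsed` and `addr` cannot be seen here, and the body of `is_capable` continues beyond the hunk.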
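Review bot: In the `MonCap::parse` hunk the result of `g.parse_network()` is discarded, so a cap whose network clause is accepted by the grammar but rejected by `::parse_network` parses successfully and then silently never matches any peer, which is hard to diagnose from the operator's side. Since `parse` already takes an `ostream *err`, report the bad network there and fail the parse, and only commit `text` once every grant has been validated. What strings `::parse_network` accepts is defined in include/ipaddr.h, which is not shown, and the rest of `MonCap::parse` lies outside the hunk.
```cpp
  if (r && iter == end) {
    for (auto& g : grants) {
      g.parse_network();
      if (g.network.size() && !g.network_valid) {
        if (err)
          *err << "invalid network '" << g.network << "' in grant";
        return false;
      }
    }
    text = str;
    return true;
  }
```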
@@ -83,6 +83,13 @@ struct MonCapGrant {
 
   // restrict by network
   std::string network;
+  // these are filled in by parse_network(), called by MonCap::parse()
+  entity_addr_t network_parsed;
+  unsigned network_prefix = 0;
+  bool network_valid = true;
+
+  void parse_network();
+
   mon_rwxa_t allow;
 
   // explicit grants that a profile grant expands to; populated as
diff --git a/src/test/mon/moncap.cc b/src/test/mon/moncap.cc
index 93598774e8bfc..680266d7f06ff 100644
--- a/src/test/mon/moncap.cc
+++ b/src/test/mon/moncap.cc
@@ -197,6 +197,30 @@ TEST(MonCap, AllowAll) {
   ASSERT_TRUE(cap2.is_allow_all());
 }
 
+TEST(MonCap, Network) {
+  MonCap cap;
+  bool r = cap.parse("allow * network 192.168.0.0/16, allow * network 10.0.0.0/8", NULL);
+  ASSERT_TRUE(r);
+
+  entity_addr_t a, b, c;
+  a.parse("10.1.2.3");
+  b.parse("192.168.2.3");
+  c.parse("192.167.2.3");
+
+  ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(),
+                             "foo", "asdf", map(),
+                             true, true, true,
+                             a));
+  ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(),
+                             "foo", "asdf", map(),
+                             true, true, true,
+                             b));
+  ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(),
+                              "foo", "asdf", map(),
+                              true, true, true,
+                              c));
+}
+
 TEST(MonCap, ProfileOSD) {
   MonCap cap;
   bool r = cap.parse("allow profile osd", NULL);
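Review bot: `bool network_valid = true;` makes a `MonCapGrant` whose `network` string has never been run through `parse_network()` look valid, with `network_parsed` holding whatever `entity_addr_t`'s default state is, so any construction path that does not go through `MonCap::parse()` would be matched against an unset address instead of being rejected. The check in `is_capable` only consults `network_valid` when `network` is non-empty, so initialising it to `false` changes nothing for grants without a network clause and makes the unparsed case fail closed: `bool network_valid = false;`. Whether such a bypassing path exists cannot be confirmed from this hunk (the new comment names `MonCap::parse()` as the caller), and the rest of `struct MonCapGrant` is outside it.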
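Review bot: `TEST(MonCap, Network)` only exercises well-formed IPv4 networks, so the fail-closed branch of the new check (`!p->network_valid`) has no coverage. Add a case with a network string that the cap grammar lets through but `::parse_network` rejects (an out-of-range prefix length, for instance, if the grammar accepts it), and assert that `is_capable` then returns false for an address that the same grant would otherwise allow, reusing the `ASSERT_FALSE(cap.is_capable(...))` shape already used for `c`. An IPv6 network and peer would also be worth a case, since `network_contains` has to handle both families. The test file's remaining cases are outside the hunk.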