From: Nishtha Rai
Date: Tue, 21 Jul 2015 15:09:40 +0000 (+0530)
Subject: MDSAuthCaps: add logic for group bits check
X-Git-Tag: v10.0.0~123^2~64
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=5b318aa9771b5918dc9dbd9e8cbce4d853d56d93;p=ceph.git

MDSAuthCaps: add logic for group bits check

Signed-off-by: Nishtha Rai
---
diff --git a/qa/workunits/fs/test_auth_caps.sh b/qa/workunits/fs/test_auth_caps.sh
index 20e36f15e3fd..8e7d7e38cbca 100644
--- a/qa/workunits/fs/test_auth_caps.sh
+++ b/qa/workunits/fs/test_auth_caps.sh
@@ -3,15 +3,17 @@ cleanup() {
 echo "*** Restoring to old state"
- sudo rm -rf mnt.admin/foo1 mnt.admin/foo2 mnt.admin/foo3 mnt.admin/foo4
+ sudo rm -rf mnt.admin/foo1 mnt.admin/foo2 mnt.admin/foo3 mnt.admin/foo4 mnt.admin/foo5 mnt.admin/foo6
 fusermount -u mnt.admin
 fusermount -u mnt.foo
- rmdir mnt.admin mnt.foo
+ fusermount -u mnt.grp
+ rmdir mnt.admin mnt.foo mnt.grp
+ rm keyring.foo keyring.grp
 }
 trap cleanup INT TERM EXIT
 echo "*** Creating directories for mount"
-mkdir -p mnt.admin mnt.foo
+mkdir -p mnt.admin mnt.foo mnt.grp
 echo "*** Trying mount as admin"
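Review bot: The added `rm keyring.foo keyring.grp` in `cleanup()` only deletes the local key files, while the `client.grp` identity that a later hunk registers with `./ceph auth import -i keyring.grp` stays in the cluster's auth database after the test. Because cleanup runs from the INT/TERM/EXIT trap, it can also fire before either keyring exists and then prints spurious errors. I would make it `rm -f keyring.foo keyring.grp` and revoke the test identities in the same function, e.g. `./ceph auth del client.grp` and the same for `client.foo`.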
@@ -27,17 +29,32 @@ eval $AUTH
 ./ceph auth import -i keyring.foo
 ./ceph-fuse mnt.foo -n client.foo -k keyring.foo
+
+echo "*** Trying mount as client.grp"
+GID="$(id -g)"
+GRP_AUTH_TEMPLATE='./ceph-authtool -C keyring.grp -n client.grp --cap osd "allow rw" --cap mon "allow rw" --cap mds "allow rw uid=UID gids=GID" --gen-key'
+GRP_AUTH="$(echo $GRP_AUTH_TEMPLATE | sed -e 's/UID/'$UID'/g')"
+GRP_AUTH="$(echo $GRP_AUTH | sed -e 's/GID/'$GID'/g')"
+eval $GRP_AUTH
+./ceph auth import -i keyring.grp
+./ceph-fuse mnt.grp -n client.grp -k keyring.grp
+
+
 echo "*** Creating directories for client.admin"
 sudo mkdir -m 777 mnt.admin/foo1
 sudo mkdir -m 700 mnt.admin/foo2
 sudo mkdir -m 755 mnt.admin/foo3
 sudo mkdir -m 755 mnt.admin/foo4
+sudo mkdir -m 775 mnt.admin/foo5
+sudo mkdir -m 755 mnt.admin/foo6
 echo "*** Granting ownership of directories to other users"
 sudo chown $USER mnt.admin/foo1
 sudo chown $USER mnt.admin/foo2
 sudo chown $USER mnt.admin/foo3
 sudo chown $OTH_UID mnt.admin/foo4
+sudo chgrp $GID mnt.admin/foo5
+sudo chgrp $GID mnt.admin/foo6
 echo "*** Testing auth checks"
 expect_false()
@@ -49,5 +66,7 @@ mkdir mnt.foo/foo1/asdf
 expect_false mkdir mnt.foo/foo2/asdf
 mkdir mnt.foo/foo3/asdf
 expect_false mkdir mnt.foo/foo4/asdf
+mkdir mnt.grp/foo5/asdf
+expect_false mkdir mnt.grp/foo6/asdf
diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index 89c61d1285e3..17682ac80be8 100644
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
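Review bot: The `client.grp` keyring command is assembled by `sed` substitution into `GRP_AUTH_TEMPLATE` and then executed with an unquoted `eval $GRP_AUTH`, so the shell re-parses whatever the string ends up containing and the cap text passes through two rounds of word splitting. Nothing here needs a template or `eval`; ordinary expansion gives the same keyring: `./ceph-authtool -C keyring.grp -n client.grp --cap osd "allow rw" --cap mon "allow rw" --cap mds "allow rw uid=$UID gids=$GID" --gen-key`. The construction appears to mirror how `client.foo` is created just above the hunk (only `eval $AUTH` is visible here), so the same simplification would apply there.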
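Review bot: The negative case `expect_false mkdir mnt.grp/foo6/asdf` does not separate the new group branch from the existing "other" branch: foo6 is mode 755, so write is denied for both classes and the check would still pass if the gid match were skipped. A directory whose group bits deny write while the other bits allow it would pin that a group match never falls through, for example (mode chosen for illustration) `sudo mkdir -m 757 mnt.admin/foo7`, `sudo chgrp $GID mnt.admin/foo7`, `expect_false mkdir mnt.grp/foo7/asdf`, with foo7 added to the `rm -rf` in `cleanup()`. A directory whose group is not in the client's `gids=` list would likewise cover the non-member path.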
@@ -160,6 +160,12 @@ bool MDSAuthCaps::is_capable(const std::string &inode_path,
 (!(mask & MAY_EXECUTE) || (inode_mode & S_IXUSR))) {
 return true;
 }
+ } else if (std::find(i->match.gids.begin(), i->match.gids.end(), inode_gid) != i->match.gids.end()) {
+ if ((!(mask & MAY_READ) || (inode_mode & S_IRGRP)) &&
+ (!(mask & MAY_WRITE) || (inode_mode & S_IWGRP)) &&
+ (!(mask & MAY_EXECUTE) || (inode_mode & S_IXGRP))) {
+ return true;
+ }
 } else {
 if ((!(mask & MAY_READ) || (inode_mode & S_IROTH)) &&
 (!(mask & MAY_WRITE) || (inode_mode & S_IWOTH)) &&
@@ -167,13 +173,6 @@ bool MDSAuthCaps::is_capable(const std::string &inode_path,
 return true;
 }
 }
-
- // use fcntl.h macros for the file mode:
- // S_IRUSR S_IRGRP S_ROTH
- // S_IWUSR S_IWGRP S_WOTH
- // S_IXUSR S_IXGRP S_XOTH
-
- // WRITE ME
 }
 }
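Review bot: The new `else if` takes group membership from `i->match.gids`, the gid list carried by the matched grant, and nothing visible in this hunk compares it with a gid supplied by the request, so a client holding a `gids=` cap is treated as a member of every listed group. If that is the intended model it should be written down, because it makes the cap string the sole authority for group access. A comment above the branch would do, e.g. `// group class: inode_gid is in the grant's gids; as in POSIX, a group match does not fall through to the "other" bits`. The hunk also starts using `std::find` without adding `#include <algorithm>`; the include may already be present at the top of the file, which is outside this diff. `is_capable()` begins and ends outside the hunk, so the uid match and the owner branch cannot be checked from here.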