From: Sage Weil <sage@redhat.com>
Date: Tue, 22 Oct 2019 15:10:14 +0000 (-0500)
Subject: mon: allow mgr to tell mon.foo smart
X-Git-Tag: v15.1.0~1178^2~2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=64b9fd8b5826985a79ffc137335ac540f4db36a1;p=ceph.git

mon: allow mgr to tell mon.foo smart

The mgr profile needs to do a tell command to the mon, which was restricted
to *only* allow_all (*) caps.  Additionally allow whitelisted commands,
and whitelist 'smart'.  This is somewhat imprecise since it conflates
tell vs cli commands in the MonCap, but since those don't overlap it should
be fine.

Signed-off-by: Sage Weil <sage@redhat.com>
---

diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index 4cfc13ece81f..3fb5723323a5 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -224,6 +224,8 @@ void MonCapGrant::expand_profile_mon(const EntityName& name) const
     // ssh orchestrator provisions new daemon keys
     profile_grants.push_back(MonCapGrant("auth get-or-create"));
     profile_grants.push_back(MonCapGrant("auth rm"));
+    // tell commands (this is a bit of a kludge)
+    profile_grants.push_back(MonCapGrant("smart"));
   }
   if (profile == "osd" || profile == "mds" || profile == "mon" ||
       profile == "mgr") {
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 68362eb069cd..6e9a817f7f72 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -3161,7 +3161,27 @@ void Monitor::handle_tell_command(MonOpRequestRef op)
     return;
   }
   if (!session->caps.is_allow_all()) {
-    reply_tell_command(op, -EPERM, "insufficient caps");
+    // see if command is whitelisted
+    cmdmap_t cmdmap;
+    stringstream ss;
+    if (!cmdmap_from_json(m->cmd, &cmdmap, ss)) {
+      reply_command(op, -EINVAL, ss.str(), 0);
+    }
+    map<string,string> param_str_map;
+    _generate_command_map(cmdmap, param_str_map);
+    string prefix;
+    if (!cmd_getval(g_ceph_context, cmdmap, "prefix", prefix)) {
+      reply_command(op, -EINVAL, "no prefix", 0);
+    }
+    if (!session->caps.is_capable(
+	  g_ceph_context,
+	  CEPH_ENTITY_TYPE_MON,
+	  session->entity_name,
+	  "mon", prefix, param_str_map,
+	  true, true, true,
+	  session->get_peer_socket_addr())) {
+      reply_tell_command(op, -EPERM, "insufficient caps");
+    }
   }
   // pass it to asok
   cct->get_admin_socket()->queue_tell_command(m);