From: Sage Weil Date: Thu, 4 Jun 2015 20:52:05 +0000 (-0700) Subject: mds/MDSAuthCaps: pass down inode uid.gid and mode X-Git-Tag: v10.0.0~123^2~93 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=65eaf848c612d174c84303e4cebd3d2ffbf843e8;p=ceph.git mds/MDSAuthCaps: pass down inode uid.gid and mode We will need this to evaluate the unix permissions. Signed-off-by: Sage Weil --- diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc index 52f7a231bb82..609836e1b5ad 100644 --- a/src/mds/MDSAuthCaps.cc +++ b/src/mds/MDSAuthCaps.cc @@ -116,13 +116,21 @@ bool MDSCapMatch::match(const std::string &target_path, * This is true if any of the 'grant' clauses in the capability match the * requested path + op. */ -bool MDSAuthCaps::is_capable(const std::string &path, uid_t uid, unsigned mask) const +bool MDSAuthCaps::is_capable(const std::string &inode_path, + uid_t inode_uid, gid_t inode_gid, unsigned inode_mode, + uid_t uid, unsigned mask) const { for (std::vector::const_iterator i = grants.begin(); i != grants.end(); ++i) { - if (i->match.match(path, uid) && + if (i->match.match(inode_path, uid) && i->spec.allows(mask & (MAY_READ|MAY_EXECUTE), mask & MAY_WRITE)) { + // check unix permissions? + if (i->match.uid != MDS_AUTH_UID_ANY) { + + // WRITE ME + + } return true; } } diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h index a51e74db572b..b4debb95caf4 100644 --- a/src/mds/MDSAuthCaps.h +++ b/src/mds/MDSAuthCaps.h @@ -93,7 +93,9 @@ public: bool parse(const std::string &str, std::ostream *err); bool allow_all() const; - bool is_capable(const std::string &path, uid_t uid, unsigned mask) const; + bool is_capable(const std::string &inode_path, + uid_t inode_uid, gid_t inode_gid, unsigned inode_mode, + uid_t uid, unsigned mask) const; friend std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap); }; diff --git a/src/mds/Server.cc b/src/mds/Server.cc index 56ae21aab261..a7228aafa23f 100644 --- a/src/mds/Server.cc 
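Review bot: The new `if (i->match.uid != MDS_AUTH_UID_ANY)` branch in `MDSAuthCaps::is_capable` is empty and falls through to the existing `return true;`, so a uid-restricted grant still authorises the request whatever `inode_uid`, `inode_gid` and `inode_mode` hold, and the three new parameters are dead until the body is written. Since this is an authorisation path, mark the stub so it is not mistaken for finished code, e.g. `// TODO: evaluate inode_mode against inode_uid/inode_gid for uid; until then uid-restricted grants ignore unix permissions`, and decide now whether a failed permission check should `continue;` to the next grant rather than reject the request outright, since a later grant clause may still match. Evaluating the group bits will presumably also need the requester's gid (and supplementary groups), which the signature does not carry, only `uid`, so the interface may need to grow again before the stub can be filled in.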
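Review bot: The new `is_capable` declaration in MDSAuthCaps.h carries five integer-ish arguments with no comment distinguishing the target inode's owner from the requesting client's uid, which is easy to get wrong at a call site now that `inode_uid` and `uid` sit in the same list. Add a comment above the declaration: `// inode_path/inode_uid/inode_gid/inode_mode describe the inode being accessed; uid is the requesting client's uid; mask is a MAY_* bitmask`. If <sys/types.h> is already available in this header (not visible here), `mode_t inode_mode` would also document the intent better than `unsigned`.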
+++ b/src/mds/Server.cc @@ -2117,7 +2117,8 @@ bool Server::check_access(MDRequestRef& mdr, CInode *in, unsigned mask) string path; // FIXME: it depends on the inode! - if (s->auth_caps.is_capable(path, uid, mask)) { + if (s->auth_caps.is_capable(path, in->inode.uid, in->inode.gid, in->inode.mode, + uid, mask)) { return true; } diff --git a/src/test/mds/TestMDSAuthCaps.cc b/src/test/mds/TestMDSAuthCaps.cc index 447b7e359abd..3c644d7ebcb8 100644 --- a/src/test/mds/TestMDSAuthCaps.cc +++ b/src/test/mds/TestMDSAuthCaps.cc 
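Review bot: The updated call in `Server::check_access` reads uid/gid/mode from the stable `in->inode`; if the MDS keeps a projected copy of the inode while operations are in flight (not visible in this hunk), the permission check may be evaluated against stale ownership or mode bits, so confirm whether the projected inode is the one that should be consulted here. The `// FIXME: it depends on the inode!` above it still leaves `path` empty, so the path-based part of the capability cannot match anything yet; a short comment noting that the inode fields are passed but not yet evaluated, e.g. `// inode uid/gid/mode are passed for the (not yet implemented) unix-permission check`, would keep readers from assuming the check is live. The enclosing function `Server::check_access` starts before this hunk.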
@@ -103,26 +103,26 @@ TEST(MDSAuthCaps, AllowAll) { ASSERT_TRUE(cap.parse("allow *", NULL)); ASSERT_TRUE(cap.allow_all()); - ASSERT_TRUE(cap.is_capable("/foo/bar", 0, MAY_READ | MAY_WRITE)); + ASSERT_TRUE(cap.is_capable("/foo/bar", 0, 0, 0777, 0, MAY_READ | MAY_WRITE)); } TEST(MDSAuthCaps, AllowUid) { MDSAuthCaps cap; ASSERT_TRUE(cap.parse("allow * uid=10", NULL)); ASSERT_FALSE(cap.allow_all()); - ASSERT_TRUE(cap.is_capable("/foo", 10, MAY_READ | MAY_WRITE)); - ASSERT_FALSE(cap.is_capable("/foo", -1, MAY_READ | MAY_WRITE)); - ASSERT_FALSE(cap.is_capable("/foo", 0, MAY_READ | MAY_WRITE)); + ASSERT_TRUE(cap.is_capable("/foo", 0, 0, 0777, 10, MAY_READ | MAY_WRITE)); + ASSERT_FALSE(cap.is_capable("/foo", 0, 0, 0777, -1, MAY_READ | MAY_WRITE)); + ASSERT_FALSE(cap.is_capable("/foo", 0, 0, 0777, 0, MAY_READ | MAY_WRITE)); } TEST(MDSAuthCaps, AllowPath) { MDSAuthCaps cap; ASSERT_TRUE(cap.parse("allow * path=/sandbox", NULL)); ASSERT_FALSE(cap.allow_all()); - ASSERT_TRUE(cap.is_capable("/sandbox/foo", 0, MAY_READ | MAY_WRITE)); - ASSERT_TRUE(cap.is_capable("/sandbox", 0, MAY_READ | MAY_WRITE)); - ASSERT_FALSE(cap.is_capable("/sandboxed", 0, MAY_READ | MAY_WRITE)); - ASSERT_FALSE(cap.is_capable("/foo", 0, MAY_READ | MAY_WRITE)); + ASSERT_TRUE(cap.is_capable("/sandbox/foo", 0, 0, 0777, 0, MAY_READ | MAY_WRITE)); + ASSERT_TRUE(cap.is_capable("/sandbox", 0, 0, 0777, 0, MAY_READ | MAY_WRITE)); + ASSERT_FALSE(cap.is_capable("/sandboxed", 0, 0, 0777, 0, MAY_READ | MAY_WRITE)); + ASSERT_FALSE(cap.is_capable("/foo", 0, 0, 0777, 0, MAY_READ | MAY_WRITE)); } TEST(MDSAuthCaps, OutputParsed) {
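Review bot: Every updated assertion passes `0, 0, 0777` for the inode owner and mode, so the new parameters are never exercised and nothing in TestMDSAuthCaps.cc will notice when the empty permission branch is eventually filled in. When that branch is implemented, add at least one case under `AllowUid` where the inode is owned by another uid with a restrictive mode, e.g. `ASSERT_FALSE(cap.is_capable("/foo", 20, 20, 0600, 10, MAY_READ));`, and a matching positive case for `inode_uid == 10`, so the unix-permission behaviour is pinned rather than inferred. Adding it now would fail against the stub, so it belongs with the implementing commit.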