From: Wido den Hollander
Date: Thu, 7 Aug 2014 11:21:20 +0000 (+0200)
Subject: mds: Make min/max UID configurable for who is allowed to create a snapshot
X-Git-Tag: v0.85~51^2~2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=6bd2b0fc6e6ef428addb824cd3d0534ac358b58a;p=ceph.git

mds: Make min/max UID configurable for who is allowed to create a snapshot

This way administrators can configure which UIDs are allowed to create snapshots on CephFS. In certain situations it might be desirable that regular users are not allowed to create snapshots. For example on shared hosting environments.

Fixes: #9029
---
diff --git a/src/common/config_opts.h b/src/common/config_opts.h
index d73e5dcc0674..ee4353f2af93 100644
--- a/src/common/config_opts.h
+++ b/src/common/config_opts.h
@@ -383,6 +383,8 @@ OPTION(mds_op_history_size, OPT_U32, 20)  // Max number of completed ops to tr
 OPTION(mds_op_history_duration, OPT_U32, 600)  // Oldest completed op to track
 OPTION(mds_op_complaint_time, OPT_FLOAT, 30) // how many seconds old makes an op complaint-worthy
 OPTION(mds_op_log_threshold, OPT_INT, 5) // how many op log messages to show in one go
+OPTION(mds_snap_min_uid, OPT_U32, 0) // The minimum UID required to create a snapshot
+OPTION(mds_snap_max_uid, OPT_U32, 65536) // The maximum UID allowed to create a snapshot

 // If true, compact leveldb store on mount
 OPTION(osd_compact_leveldb_on_mount, OPT_BOOL, false)
diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index 394c7edff1b9..dbf0f07da33e 100644
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
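Review bot: The default of 65536 for `mds_snap_max_uid` in config_opts.h changes behaviour on existing clusters, because the range check this commit adds in Server.cc refuses any caller whose UID is above the maximum with -EPERM. UIDs are commonly 32-bit, and directory services or container ID mappings often allocate values well above 65536, so those users would lose snapshot creation until an administrator raises the limit. A default that keeps the previous allow-everyone behaviour would be safer, for example `OPTION(mds_snap_max_uid, OPT_U32, 4294967295) // The maximum UID allowed to create a snapshot (inclusive)`. The two option comments should also say that both bounds are inclusive, since the check uses `<` and `>`.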
@@ -7370,8 +7370,15 @@ void Server::handle_client_mksnap(MDRequestRef& mdr)
 reply_request(mdr, -EPERM);
 return;
 }
-
+
 const string &snapname = req->get_filepath().last_dentry();
+
+ if (mdr->client_request->get_caller_uid() < g_conf->mds_snap_min_uid || mdr->client_request->get_caller_uid() > g_conf->mds_snap_max_uid) {
+ dout(20) << "mksnap " << snapname << " on " << *diri << " denied to uid " << mdr->client_request->get_caller_uid() << dendl;
+ reply_request(mdr, -EPERM);
+ return;
+ }
+
 dout(10) << "mksnap " << snapname << " on " << *diri << dendl;

 // lock snap
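Review bot: The new range check depends on `mdr->client_request->get_caller_uid()`, a value carried in the client's request. If the MDS does not bind that field to the authenticated session (not visible in this hunk), a client that misreports its UID passes the check, so the options act as a policy for cooperating clients rather than an access-control boundary. A comment above the `if` should say so, e.g. `// caller_uid is reported by the client; this restricts well-behaved clients and is not authentication`. The refusal is logged only at `dout(20)`, which makes denied snapshot attempts hard to audit at usual debug levels, and nothing rejects a configuration where `mds_snap_min_uid > mds_snap_max_uid`, which would deny every caller including UID 0. `handle_client_mksnap` starts before and continues after this hunk.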