From: John Spray
Date: Fri, 2 Oct 2015 10:16:45 +0000 (+0100)
Subject: mds: add MDSAuthCaps.maybe_capable(path)
X-Git-Tag: v10.0.3~48^2~4^2~10
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a327dd8327acd5055ae5ec2d760cd9a0d0cf94da;p=ceph.git
mds: add MDSAuthCaps.maybe_capable(path)
To allow us to query whether a client is potentially capable of accessing a particular path, ignoring uids/gids (used to validate the client's claims about its mounted root)
Signed-off-by: John Spray
---
diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index ccabe0017a8..c8887800bcc 100644
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -118,6 +118,16 @@ bool MDSCapMatch::match(const std::string &target_path,
 if (std::find(gids.begin(), gids.end(), caller_gid) == gids.end())
 return false;
 }
+
+ if (!match_path(target_path)) {
+ return false;
+ }
+
+ return true;
+}
+
+bool MDSCapMatch::match_path(const std::string &target_path) const
+{
 if (path.length()) {
 if (target_path.find(path) != 0)
 return false;
@@ -128,9 +138,25 @@ bool MDSCapMatch::match(const std::string &target_path,
 target_path[path.length()] != '/')
 return false;
 }
+
 return true;
 }

+/**
+ * Is the client *potentially* able to access this path? Actual
+ * permission will depend on uids/modes in the full is_capable.
+ */
+bool MDSAuthCaps::path_capable(const std::string &inode_path) const
+{
+ for (const auto &i : grants) {
+ if (i.match.match_path(inode_path)) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
 /**
  * For a given filesystem path, query whether this capability carries`
  * authorization to read or write.
diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index e75e7e7f691..0ecf8ac4a0a 100644
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
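Review bot: The new tail of match() spells out `if (!match_path(target_path)) { return false; } return true;` where `return match_path(target_path);` says the same thing in one line. In the extracted match_path(), the prefix test kept from the old code, `target_path.find(path) != 0`, goes on searching the rest of target_path when the prefix does not match; an anchored `target_path.compare(0, path.length(), path) != 0` states the intent and stops at the prefix. match_path() continues past the end of this hunk, so the middle of its body is not reviewed here.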
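Review bot: path_capable() answers from a raw string-prefix comparison, so its result is only sound if inode_path is already in the same canonical form as each grant's path (no `..` or empty components, same leading-slash convention), and the commit message says the input is the client's own claim about its mounted root. The caller is not part of this diff, so whether that normalisation happens before the call cannot be confirmed from here; the doc comment should state it as a precondition, for example `@param inode_path canonical path; client-supplied values must be normalised by the caller first`. The comment should also say that the grant's allowed operations are not consulted (only `i.match.match_path()` is called), so a true result has to be followed by the full is_capable() check before anything is authorised.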
@@ -94,6 +94,8 @@ struct MDSCapMatch { bool match(const std::string &target_path, const int caller_uid, const int caller_gid) const; + + bool match_path(const std::string &target_path) const; }; struct MDSCapGrant { @@ -126,6 +128,7 @@ public: uid_t inode_uid, gid_t inode_gid, unsigned inode_mode, uid_t uid, gid_t gid, unsigned mask, uid_t new_uid, gid_t new_gid) const; + bool path_capable(const std::string &inode_path) const; friend std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap); };