From: Sage Weil Date: Thu, 4 Jun 2015 20:35:23 +0000 (-0700) Subject: mds/Server: add check_access() hook X-Git-Tag: v10.0.0~123^2~95 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a3f7f5aad3b459e6beaf947d50c9140b237d7649;p=ceph.git mds/Server: add check_access() hook For now, we are doing a very basic permission check. No callers yet. Signed-off-by: Sage Weil
---
diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index da6475b5fb153..c74319fe44b11 100644
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -2098,6 +2098,35 @@ void Server::handle_slave_auth_pin_ack(MDRequestRef& mdr, MMDSSlaveRequest *ack)
 // HELPERS
+/**
+ * check whether we are permitted to complete a request
+ *
+ * Check whether we have permission to perform the operation specified
+ * by mask on the given inode, based on the capability in the mdr's
+ * session.
+ */
+bool Server::check_access(MDRequestRef& mdr, CInode *in, unsigned mask)
+{
+ Session *s = mdr->session;
+
+ uid_t uid = mdr->client_request->get_caller_uid();
+
+ // FIXME: generate a real path
+ // FIXME: behave with inodes in stray dir
+ // FIXME: behave with hard links
+ string path;
+
+ // FIXME: it depends on the inode!
+ if (s->auth_caps.is_capable(path, uid, mask)) {
+ return true;
+ }
+
+ // we are not allowed.
+ respond_to_request(mdr, -EACCES);
+ return false;
+}
+
+
 /** validate_dentry_dir
 *
 * verify that the dir exists and would own the dname.
diff --git a/src/mds/Server.h b/src/mds/Server.h
index c99f7ae2c0833..35212813df1b8 100644
--- a/src/mds/Server.h
+++ b/src/mds/Server.h
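Review bot: check_access() never consults `in`: `path` stays empty, so `is_capable(path, uid, mask)` gives the same answer for every inode, and how a path-restricted cap treats an empty path is not visible in this hunk. The FIXMEs acknowledge this, but the doc comment still promises a check on the given inode; before callers arrive I would add to it `* NOTE: 'in' is not consulted yet; the cap is matched against an empty path.` and `* On denial this replies -EACCES itself, so the caller must only return.` The uid comes from `mdr->client_request->get_caller_uid()`, i.e. from the request message, so a uid restriction in a cap is presumably only as strong as the client is trusted; that deserves a comment next to the call. `mdr->session` and `mdr->client_request` are dereferenced unchecked; if a request without a client session can reach this helper (not shown here), it should take an explicit allow-or-deny branch instead of crashing.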
@@ -133,6 +133,7 @@ public:
 void handle_slave_auth_pin_ack(MDRequestRef& mdr, MMDSSlaveRequest *ack);
 // some helpers
+ bool check_access(MDRequestRef& mdr, CInode *in, unsigned mask);
 CDir *validate_dentry_dir(MDRequestRef& mdr, CInode *diri, const string& dname);
 CDir *traverse_to_auth_dir(MDRequestRef& mdr, vector &trace, filepath refpath);
 CDentry *prepare_null_dentry(MDRequestRef& mdr, CDir *dir, const string& dname, bool okexist=false);