From: Jason Dillaman <dillaman@redhat.com>
Date: Mon, 16 Sep 2019 17:17:40 +0000 (-0400)
Subject: mon/MonCap: new 'rbd-mirror-peer' profile
X-Git-Tag: v15.1.0~1462^2~5
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=aece2949503485ea32594223576705caed97eb10;p=ceph.git

mon/MonCap: new 'rbd-mirror-peer' profile

This is similar to the 'rbd' profile but allows read access
to rbd/mirror config-keys and allows peer config-keys to be
updated.

Signed-off-by: Jason Dillaman <dillaman@redhat.com>
---

diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index 3d2adb5a4d08..006fe839185b 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -19,6 +19,7 @@
 #include <boost/spirit/include/phoenix.hpp>
 #include <boost/fusion/adapted/struct/adapt_struct.hpp>
 #include <boost/fusion/include/adapt_struct.hpp>
+#include <boost/algorithm/string/predicate.hpp>
 
 #include "MonCap.h"
 #include "include/stringify.h"
@@ -297,7 +298,7 @@ void MonCapGrant::expand_profile_mon(const EntityName& name) const
     profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
     profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
   }
-  if (profile == "rbd" || profile == "rbd-mirror") {
+  if (boost::starts_with(profile, "rbd")) {
     profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
     profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
     profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
@@ -314,6 +315,14 @@ void MonCapGrant::expand_profile_mon(const EntityName& name) const
     StringConstraint constraint(StringConstraint::MATCH_TYPE_PREFIX,
                                 "rbd/mirror/");
     profile_grants.push_back(MonCapGrant("config-key get", "key", constraint));
+  } else if (profile == "rbd-mirror-peer") {
+    StringConstraint constraint(StringConstraint::MATCH_TYPE_REGEX,
+                                "rbd/mirror/[^/]+");
+    profile_grants.push_back(MonCapGrant("config-key get", "key", constraint));
+
+    constraint = StringConstraint(StringConstraint::MATCH_TYPE_PREFIX,
+                                  "rbd/mirror/peer/");
+    profile_grants.push_back(MonCapGrant("config-key set", "key", constraint));
   }
 
   if (profile == "role-definer") {