From: Sage Weil Date: Thu, 4 Jun 2015 20:37:56 +0000 (-0700) Subject: mds/MDSAuthCaps: use bitmask for is_capable() X-Git-Tag: v10.0.0~123^2~98 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=d0e4fae9926fb889e61d5b549fbac19bcab0069a;p=ceph.git mds/MDSAuthCaps: use bitmask for is_capable() Signed-off-by: Sage Weil --- diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc index 73df5e2cc8d..afb1f8a02fb 100644 --- a/src/mds/MDSAuthCaps.cc +++ b/src/mds/MDSAuthCaps.cc @@ -115,14 +115,13 @@ bool MDSCapMatch::match(const std::string &target_path, * This is true if any of the 'grant' clauses in the capability match the * requested path + op. */ -bool MDSAuthCaps::is_capable(const std::string &path, int uid, - bool may_read, bool may_write) const +bool MDSAuthCaps::is_capable(const std::string &path, int uid, unsigned mask) const { for (std::vector::const_iterator i = grants.begin(); i != grants.end(); ++i) { if (i->match.match(path, uid) && - i->spec.allows(may_read, may_write)) { + i->spec.allows(mask & (MAY_READ|MAY_EXECUTE), mask & MAY_WRITE)) { return true; } } diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h index f76a12f20ff..d78315ddcc0 100644 --- a/src/mds/MDSAuthCaps.h +++ b/src/mds/MDSAuthCaps.h @@ -20,6 +20,13 @@ #include #include +// unix-style capabilities +enum { + MAY_READ = 1, + MAY_WRITE = 2, + MAY_EXECUTE = 4, +}; + // what we can do struct MDSCapSpec { bool read; @@ -77,7 +84,6 @@ struct MDSCapGrant { class MDSAuthCaps { -protected: std::vector grants; public: @@ -88,8 +94,7 @@ public: bool parse(const std::string &str, std::ostream *err); bool allow_all() const; - bool is_capable(const std::string &path, int uid, - bool may_read, bool may_write) const; + bool is_capable(const std::string &path, int uid, unsigned mask) const; friend std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap); }; diff --git a/src/test/mds/TestMDSAuthCaps.cc b/src/test/mds/TestMDSAuthCaps.cc index fde3cc5b333..447b7e359ab 100644 --- a/src/test/mds/TestMDSAuthCaps.cc +++ b/src/test/mds/TestMDSAuthCaps.cc @@ -103,26 +103,26 @@ TEST(MDSAuthCaps, AllowAll) { ASSERT_TRUE(cap.parse("allow *", NULL)); ASSERT_TRUE(cap.allow_all()); - ASSERT_TRUE(cap.is_capable("/foo/bar", 0, true, true)); + ASSERT_TRUE(cap.is_capable("/foo/bar", 0, MAY_READ | MAY_WRITE)); } TEST(MDSAuthCaps, AllowUid) { MDSAuthCaps cap; ASSERT_TRUE(cap.parse("allow * uid=10", NULL)); ASSERT_FALSE(cap.allow_all()); - ASSERT_TRUE(cap.is_capable("/foo", 10, true, true)); - ASSERT_FALSE(cap.is_capable("/foo", -1, true, true)); - ASSERT_FALSE(cap.is_capable("/foo", 0, true, true)); + ASSERT_TRUE(cap.is_capable("/foo", 10, MAY_READ | MAY_WRITE)); + ASSERT_FALSE(cap.is_capable("/foo", -1, MAY_READ | MAY_WRITE)); + ASSERT_FALSE(cap.is_capable("/foo", 0, MAY_READ | MAY_WRITE)); } TEST(MDSAuthCaps, AllowPath) { MDSAuthCaps cap; ASSERT_TRUE(cap.parse("allow * path=/sandbox", NULL)); ASSERT_FALSE(cap.allow_all()); - ASSERT_TRUE(cap.is_capable("/sandbox/foo", 0, true, true)); - ASSERT_TRUE(cap.is_capable("/sandbox", 0, true, true)); - ASSERT_FALSE(cap.is_capable("/sandboxed", 0, true, true)); - ASSERT_FALSE(cap.is_capable("/foo", 0, true, true)); + ASSERT_TRUE(cap.is_capable("/sandbox/foo", 0, MAY_READ | MAY_WRITE)); + ASSERT_TRUE(cap.is_capable("/sandbox", 0, MAY_READ | MAY_WRITE)); + ASSERT_FALSE(cap.is_capable("/sandboxed", 0, MAY_READ | MAY_WRITE)); + ASSERT_FALSE(cap.is_capable("/foo", 0, MAY_READ | MAY_WRITE)); } TEST(MDSAuthCaps, OutputParsed) {