From: Joao Eduardo Luis
Date: Mon, 8 Sep 2014 16:00:20 +0000 (+0100)
Subject: mon: MonCap: add new profiles
X-Git-Tag: v0.87~41^2~11
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=d6b702ce46d1a6af90579b326fb2696479f46790;p=ceph.git
mon: MonCap: add new profiles
Adds three new profiles:
read-only: able to issue all read-only (MON_CAP_R) commands. Any command that may take additional caps (MON_CAP_W or MON_CAP_X) won't be allowed.
read-write: able to issue all read-write (MON_CAP_R | MON_CAP_W) commands. Commands that require MON_CAP_X will not be allowed.
role-definer: solely able to issue commands on the 'auth' subsystem, to which all caps are given (MON_CAP_R | MON_CAP_W | MON_CAP_X).
Fixes: #8899
Signed-off-by: Joao Eduardo Luis
---
diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index e8d3f7e8bb3f..84580b9a4b80 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -174,6 +174,25 @@ void MonCapGrant::expand_profile(entity_name_t name) const
 profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
 profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
 }
+
+ if (profile == "read-only") {
+ // grants READ-ONLY caps monitor-wide
+ // 'auth' requires MON_CAP_X even for RO, which we do not grant here.
+ profile_grants.push_back(mon_rwxa_t(MON_CAP_R));
+ }
+
+ if (profile == "read-write") {
+ // grants READ-WRITE caps monitor-wide
+ // 'auth' requires MON_CAP_X for all operations, which we do not grant.
+ profile_grants.push_back(mon_rwxa_t(MON_CAP_R | MON_CAP_W));
+ }
+
+ if (profile == "role-definer") {
+ // grants ALL caps to the auth subsystem, read-only on the
+ // monitor subsystem and nothing else.
+ profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
+ profile_grants.push_back(MonCapGrant("auth", MON_CAP_ALL));
+ }
 }
 
 mon_rwxa_t MonCapGrant::get_allowed(CephContext *cct,
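Review bot: The role-definer comment at the end of the hunk ("... and nothing else") understates what MON_CAP_ALL on 'auth' confers: the auth subsystem is where entities and their caps are created and modified, so a holder can grant arbitrary caps (including full monitor access) and the profile is administrator-equivalent in trust; the comment should say so, e.g. `// NOTE: full caps on 'auth' allow creating/modifying entities with any caps; treat role-definer as admin-equivalent trust.` The commit message also says role-definer is "solely able to issue commands on the 'auth' subsystem", while the code additionally pushes `MonCapGrant("mon", MON_CAP_R)`; one of the two should be corrected so operators reading either get the same picture. The read-only and read-write branches push a bare `mon_rwxa_t`, which presumably relies on an implicit MonCapGrant(mon_rwxa_t) constructor; writing `profile_grants.push_back(MonCapGrant(MON_CAP_R));` would match the neighbouring push_back calls and not depend on that conversion. expand_profile begins before this hunk.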