From: Joao Eduardo Luis Date: Thu, 3 Apr 2014 17:21:08 +0000 (+0100) Subject: mon: MonCommands.h: have 'auth' read-only operations require 'x' cap X-Git-Tag: v0.79~9 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=db266a3fb2985605738201f59f07fa504c91c770;p=ceph.git mon: MonCommands.h: have 'auth' read-only operations require 'x' cap This reintroduces the same semantics that were in place in dumpling prior to the refactoring of the cap/command matching code. We haven't added this requirement to auth read-write operations as that would have the potential to break a lot of well-configured keyrings once the users upgraded, without any significant gain -- we assume that if they have set 'rw' caps on a given entity, they are indeed expecting said entity to be sort-of-privileged entities with regard to monitor access. Fixes: #7919 Signed-off-by: Joao Eduardo Luis Reviewed-by: Sage Weil --- diff --git a/doc/release-notes.rst b/doc/release-notes.rst index 1ee61e7630a7..ccf0998d9bc6 100644 --- a/doc/release-notes.rst +++ b/doc/release-notes.rst @@ -512,6 +512,17 @@ Upgrading no longer included in the listxattr(2) results to prevent problems with 'cp -a' and similar tools. +* Monitor 'auth' read-only commands now expect the user to have 'rx' caps. + This is the same behavior that was present in dumpling, but in emperor + and more recent development releases the 'r' cap was sufficient. The + affected commands are:: + + ceph auth export + ceph auth get + ceph auth get-key + ceph auth print-key + ceph auth list + Notable Changes --------------- * ceph-conf: stop creating bogus log files (Josh Durgin, Sage Weil) diff --git a/src/mon/MonCommands.h b/src/mon/MonCommands.h index 02228dd78c17..a8e138afd23c 100644 --- a/src/mon/MonCommands.h +++ b/src/mon/MonCommands.h 
@@ -152,16 +152,16 @@ COMMAND("pg set_nearfull_ratio name=ratio,type=CephFloat,range=0.0|1.0", \ COMMAND("auth export name=entity,type=CephString,req=false", \ "write keyring for requested entity, or master keyring if none given", \ - "auth", "r", "cli,rest") + "auth", "rx", "cli,rest") COMMAND("auth get name=entity,type=CephString", \ - "write keyring file with requested key", "auth", "r", "cli,rest") + "write keyring file with requested key", "auth", "rx", "cli,rest") COMMAND("auth get-key name=entity,type=CephString", "display requested key", \ - "auth", "r", "cli,rest") + "auth", "rx", "cli,rest") COMMAND("auth print-key name=entity,type=CephString", "display requested key", \ - "auth", "r", "cli,rest") + "auth", "rx", "cli,rest") COMMAND("auth print_key name=entity,type=CephString", "display requested key", \ - "auth", "r", "cli,rest") -COMMAND("auth list", "list authentication state", "auth", "r", "cli,rest") + "auth", "rx", "cli,rest") +COMMAND("auth list", "list authentication state", "auth", "rx", "cli,rest") COMMAND("auth import", "auth import: read keyring file from -i ", \ "auth", "rw", "cli,rest") COMMAND("auth add " \
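Review bot: In the doc/release-notes.rst hunk, the list of affected commands has five entries, while the MonCommands.h hunk changes six COMMAND entries; the underscore spelling 'ceph auth print_key' is missing from the list. Either add it or state that it is an alternate spelling of 'ceph auth print-key'. The note would also be more useful to upgraders if it said outright that an entity holding only the 'r' cap will now be refused these commands and needs 'x' added to its monitor caps.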
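Review bot: In the src/mon/MonCommands.h hunk, the auth read-only entries now carry "rx" while 'auth import' directly below stays at "rw", and nothing in the header explains why the read-only commands need more than 'r'; the reasoning lives only in the commit message. Please add a short comment above the auth block saying that these commands return key material and therefore require 'x', and that the read-write commands deliberately do not. Since the commit message says this requirement was lost in an earlier refactoring of the cap/command matching code, and the patch touches only the release notes and this header, a test asserting that an entity with plain 'r' is refused 'auth get-key' and 'auth list' would keep it from being dropped again.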