From: Sage Weil <sage@inktank.com>
Date: Wed, 23 May 2012 00:59:22 +0000 (-0700)
Subject: mon: push down 'auth ...' command auth checks
X-Git-Tag: v0.48argonaut~151^2~27^2~8
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=def15d7feaa877176294e5bd118e52dee5459f38;p=ceph.git

mon: push down 'auth ...' command auth checks

Signed-off-by: Sage Weil <sage@inktank.com>
---

diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index fe192d0d4a98..cf71fc5fb4c8 100644
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -434,7 +434,16 @@ bool AuthMonitor::preprocess_command(MMonCommand *m)
 	m->cmd[1] == "caps") {
       return false;
     }
-    else if (m->cmd[1] == "export") {
+
+    MonSession *session = m->get_session();
+    if (!session ||
+	(!session->caps.get_allow_all() &&
+	 !mon->_allowed_command(session, m->cmd))) {
+      mon->reply_command(m, -EACCES, "access denied", rdata, paxos->get_version());
+      return true;
+    }
+
+    if (m->cmd[1] == "export") {
       KeyRing keyring;
       export_keyring(keyring);
       if (m->cmd.size() > 2) {
@@ -544,6 +553,14 @@ bool AuthMonitor::prepare_command(MMonCommand *m)
   string rs;
   int err = -EINVAL;
 
+  MonSession *session = m->get_session();
+  if (!session ||
+      (!session->caps.get_allow_all() &&
+       !mon->_allowed_command(session, m->cmd))) {
+    mon->reply_command(m, -EACCES, "access denied", rdata, paxos->get_version());
+    return true;
+  }
+
   // nothing here yet
   if (m->cmd.size() > 1) {
     if (m->cmd[1] == "import") {
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 86583acf4a10..3e3d39da9929 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -1220,10 +1220,6 @@ void Monitor::handle_command(MMonCommand *m)
       return;
     }
     if (m->cmd[0] == "auth") {
-      if (!session->caps.get_allow_all() && !_allowed_command(session, m->cmd)) {
-	r = -EACCES;
-	goto out;
-      }
       authmon()->dispatch(m);
       return;
     }