From: Ramana Raja Date: Tue, 15 Nov 2022 19:00:24 +0000 (-0500) Subject: mds/Server: disallow clients that have root_squash X-Git-Tag: v18.2.4~114^2~9 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=f8ddb3f69c80c17703d952238c568eae82ae2362;p=ceph.git mds/Server: disallow clients that have root_squash ... MDS auth caps but don't have CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK feature bit (i.e., can't check the auth caps sent back to it by the MDS) from establishing a session. Do this in Server::handle_client_session(), and Server::handle_client_reconnect(), where old clients try to reconnect to MDS servers after an upgrade. If the client doesn't have the ability to authorize session access based on the MDS auth caps send back to it by the MDS, then the client may buffer changes locally during open and setattr operations when it's not supposed to, e.g., when enforcing root_squash MDS auth caps. Fixes: https://tracker.ceph.com/issues/56067 Signed-off-by: Ramana Raja (cherry picked from commit e64931b6a80d0f3e365ed0fe305b73562cbca502)
---
diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index 5f3787f9afa1..bbb2589b3a8d 100644
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
@@ -285,6 +285,15 @@ public:
 }
 }
+ bool root_squash_in_caps() const {
+ for (const MDSCapGrant &g : grants) {
+ if (g.match.root_squash) {
+ return true;
+ }
+ }
+ return false;
+ }
+
 friend std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap);
 private:
 std::vector grants;
diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index b34634bba710..1b7524956633 100644
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
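Review bot: `root_squash_in_caps()` in src/mds/MDSAuthCaps.h carries no comment saying that it answers for the whole cap set: it returns true as soon as any entry in `grants` has `match.root_squash`, whatever else that grant's match restricts. The Server.cc hunks of this commit use it to refuse sessions, so this coarse, fail-closed behaviour is worth stating above the method, e.g. `// True if any grant has root_squash set, regardless of what else the grant's match restricts.` Without it, a later change could narrow the test to the grant matching the mount and silently loosen the session gate.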
@@ -717,6 +717,17 @@ void Server::handle_client_session(const cref_t &m)
 break;
 }
+ if (session->auth_caps.root_squash_in_caps() && !client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK)) {
+ CachedStackStringStream css;
+ *css << "client lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK needed to enforce 'root_squash' MDS auth caps";
+ send_reject_message(css->strv());
+ mds->clog->warn() << "client session (" << session->info.inst
+ << ") lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK "
+ << " needed to enforce 'root_squash' MDS auth caps";
+ session->clear();
+ break;
+
+ }
 // Special case for the 'root' metadata path; validate that the claimed
 // root is actually within the caps of the session
 if (auto it = client_metadata.find("root"); it != client_metadata.end()) {
@@ -1561,6 +1572,12 @@ void Server::handle_client_reconnect(const cref_t &m)
 *css << "missing required features '" << missing_features << "'";
 error_str = css->strv();
 }
+ if (session->auth_caps.root_squash_in_caps() &&
+ !session->info.client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK)) {
+ CachedStackStringStream css;
+ *css << "client lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK needed to enforce 'root_squash' MDS auth caps";
+ error_str = css->strv();
+ }
 }
 if (!error_str.empty()) {
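Review bot: The added check in Server::handle_client_session() tests a feature bit read from `client_metadata`, which appears to be what the client reports about itself, and nothing in the block says so. A comment such as `// Feature bits are client-reported: this gate screens clients that honestly advertise missing support, it is not itself the root_squash enforcement.` would stop a later reader treating it as an access-control boundary. Separately, the cluster-log text is assembled from `") lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK "` and `" needed to enforce ..."`, which puts two spaces in the logged message; drop the leading space of the second literal. The empty added line before the block's closing brace can go as well. The function body starts and ends outside the hunk.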
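Review bot: In Server::handle_client_reconnect() the added block is a separate `if`, so when the branch just above has already stored a "missing required features" message in `error_str`, this one replaces it and the list of missing features is lost from the rejection reason. If both conditions can hold for one client, `else if (session->auth_caps.root_squash_in_caps() &&` keeps the first reason while the client is still rejected. The message literal is also repeated verbatim from the handle_client_session() hunk; a shared constant would keep the two in step. The surrounding if/else chain begins outside the hunk, so the branch structure should be confirmed there.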