From: Rishabh Dave
Date: Wed, 16 Sep 2020 10:59:24 +0000 (+0530)
Subject: mon/MonCap: check profile_grants too while checking caps
X-Git-Tag: v16.1.0~1049^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F37190%2Fhead;p=ceph.git

mon/MonCap: check profile_grants too while checking caps

When checking if a certain fs subcommand can and should be executed in FSCommands.cc, check permissions in "profile_grants" too when the caps for that entity contains a cap profile.

Fixes: https://tracker.ceph.com/issues/47423
Signed-off-by: Rishabh Dave
---

diff --git a/src/mon/MonCap.h b/src/mon/MonCap.h
index d38ffc54be778..ab4e35bc90ce7 100644
--- a/src/mon/MonCap.h
+++ b/src/mon/MonCap.h
@@ -195,13 +195,22 @@ struct MonCap {
 return ret;
 }

- bool fs_name_capable(string_view fs_name, __u8 mask) {
- for (auto& g: grants) {
+ bool fs_name_capable(const EntityName& ename, string_view fs_name,
+ __u8 mask) {
+ for (auto& g : grants) {
 if (g.is_allow_all()) {
 return true;
 }
- if (g.fs_name.empty() || g.fs_name == fs_name) {
- if (mask & g.allow) {
+
+ if ((g.fs_name.empty() || g.fs_name == fs_name) && (mask & g.allow)) {
+ return true;
+ }
+
+ g.expand_profile(ename);
+ for (auto& pg : g.profile_grants) {
+ if ((pg.service == "fs" || pg.service == "mds") &&
+ (pg.fs_name.empty() || pg.fs_name == fs_name) &&
+ (pg.allow & mask)) {
 return true;
 }
 }
diff --git a/src/mon/Session.h b/src/mon/Session.h
index 0502dcc77a923..77925fe47b86d 100644
--- a/src/mon/Session.h
+++ b/src/mon/Session.h
@@ -111,7 +111,7 @@ struct MonSession : public RefCountedObject {
 }

 bool fs_name_capable(string_view fsname, __u8 mask) {
- return caps.fs_name_capable(fsname, mask);
+ return caps.fs_name_capable(entity_name, fsname, mask);
 }

 const entity_addr_t& get_peer_socket_addr() {
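Review bot: The profile-grant test `(pg.allow & mask)` in the new inner loop of fs_name_capable passes when any single bit overlaps, so a profile grant carrying only read permission would satisfy a caller that asks for read and write together. Whether any caller passes a multi-bit mask is not visible in this hunk, but for an authorization check the stricter form `(pg.allow & mask) == mask` is the safer default; the retained direct-grant test `(mask & g.allow)` has the same shape. Separately, `g.expand_profile(ename)` is invoked from inside what reads as a pure query, so a short comment such as `// fills g.profile_grants for this entity before they are checked` (to be confirmed against expand_profile, which is not shown) would tell readers that the call changes grant state. The body of fs_name_capable continues past the end of the hunk.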