From 1081e5f691bc67f0e48a15b6c7c8138b927b9d44 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Thu, 5 Jul 2018 11:39:48 -0500
Subject: [PATCH] mon/MonCap: take addr for MonCap::is_capable
Signed-off-by: Sage Weil
---
 src/mgr/DaemonServer.cc | 3 +-
 src/mgr/MgrSession.h | 4 +++
 src/mon/MonCap.cc | 15 +++++----
 src/mon/MonCap.h | 3 +-
 src/mon/Monitor.cc | 3 +-
 src/mon/OSDMonitor.cc | 21 +++++++-----
 src/mon/Session.h | 7 +++-
 src/test/mon/moncap.cc | 74 +++++++++++++++++++++++++++--------------
 8 files changed, 87 insertions(+), 43 deletions(-)
diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc
index 6515d3a52409c..ebdacaf69011a 100644
--- a/src/mgr/DaemonServer.cc
+++ b/src/mgr/DaemonServer.cc
@@ -713,7 +713,8 @@ bool DaemonServer::_allowed_command( CEPH_ENTITY_TYPE_MGR, s->entity_name, module, prefix, param_str_map,
- cmd_r, cmd_w, cmd_x);
+ cmd_r, cmd_w, cmd_x,
+ s->get_peer_addr());
 dout(10) << " " << s->entity_name << " " << (capable ? "" : "not ") << "capable" << dendl;
diff --git a/src/mgr/MgrSession.h b/src/mgr/MgrSession.h
index c921ca09ead2f..c61a80b63e7e3 100644
--- a/src/mgr/MgrSession.h
+++ b/src/mgr/MgrSession.h
@@ -27,6 +27,10 @@ struct MgrSession : public RefCountedObject { explicit MgrSession(CephContext *cct) : RefCountedObject(cct, 0) {} ~MgrSession() override {}
+
+ const entity_addr_t& get_peer_addr() {
+ return inst.addr;
+ }
 }; typedef boost::intrusive_ptr MgrSessionRef;
diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index f4e909b8bd1f6..1fbf2c8200a8a 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
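Review bot: `MgrSession::get_peer_addr()` in src/mgr/MgrSession.h is a read-only accessor but is not declared `const`, so it cannot be called through a `const MgrSession&`; the accessor added to `MonSession` in src/mon/Session.h has the same gap. Declaring both as `const entity_addr_t& get_peer_addr() const {` keeps the address read-only on every path that feeds the capability check. The struct body starts and ends outside this hunk.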
@@ -381,18 +381,21 @@ void MonCap::set_allow_all() text = "allow *"; }
-bool MonCap::is_capable(CephContext *cct,
- int daemon_type,
- EntityName name,
- const string& service,
- const string& command, const map& command_args,
- bool op_may_read, bool op_may_write, bool op_may_exec) const
+bool MonCap::is_capable(
+ CephContext *cct,
+ int daemon_type,
+ EntityName name,
+ const string& service,
+ const string& command, const map& command_args,
+ bool op_may_read, bool op_may_write, bool op_may_exec,
+ const entity_addr_t& addr) const
 { if (cct) ldout(cct, 20) << "is_capable service=" << service << " command=" << command << (op_may_read ? " read":"") << (op_may_write ? " write":"") << (op_may_exec ? " exec":"")
+ << " addr " << addr
 << " on cap " << *this << dendl; mon_rwxa_t allow = 0;
diff --git a/src/mon/MonCap.h b/src/mon/MonCap.h
index 5de2cb3773c4a..b0fe6e73e335e 100644
--- a/src/mon/MonCap.h
+++ b/src/mon/MonCap.h
@@ -166,7 +166,8 @@ struct MonCap { EntityName name, const string& service, const string& command, const map& command_args,
- bool op_may_read, bool op_may_write, bool op_may_exec) const;
+ bool op_may_read, bool op_may_write, bool op_may_exec,
+ const entity_addr_t& addr) const;
 void encode(bufferlist& bl) const; void decode(bufferlist::const_iterator& bl);
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 50c76c32c6d82..a184381c459a5 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -2863,7 +2863,8 @@ bool Monitor::_allowed_command(MonSession *s, const string &module, CEPH_ENTITY_TYPE_MON, s->entity_name, module, prefix, param_str_map,
- cmd_r, cmd_w, cmd_x);
+ cmd_r, cmd_w, cmd_x,
+ s->get_peer_addr());
 dout(10) << __func__ << " " << (capable ? "" : "not ") << "capable" << dendl; return capable;
diff --git a/src/mon/OSDMonitor.cc b/src/mon/OSDMonitor.cc
index 3eb2bf424edcc..6a7bf6234995f 100644
--- a/src/mon/OSDMonitor.cc
+++ b/src/mon/OSDMonitor.cc
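Review bot: In the visible part of `MonCap::is_capable` (src/mon/MonCap.cc) the new `addr` argument only reaches the level-20 debug line; whether the grant evaluation further down consults it is outside this hunk. Because the parameter is mandatory and sits on an authorization API, the declaration in src/mon/MonCap.h should say what callers must pass, for example `// addr: peer address of the session being authorized, as recorded for the connection (never a value taken from the request payload)`. Without that, a later caller can satisfy the signature with a default-constructed `entity_addr_t()`, as the unit tests in this patch do, and an address-based restriction added afterwards would be evaluated against a blank address.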
@@ -113,17 +113,20 @@ bool is_unmanaged_snap_op_permitted(CephContext* cct, const KeyServer& key_server, const EntityName& entity_name, const MonCap& mon_caps,
+ const entity_addr_t& peer_socket_addr,
 const std::string* pool_name) { typedef std::map CommandArgs;
- if (mon_caps.is_capable(cct, CEPH_ENTITY_TYPE_MON,
- entity_name, "osd",
- "osd pool op unmanaged-snap",
- (pool_name == nullptr ?
- CommandArgs{} /* pool DNE, require unrestricted cap */ :
- CommandArgs{{"poolname", *pool_name}}),
- false, true, false)) {
+ if (mon_caps.is_capable(
+ cct, CEPH_ENTITY_TYPE_MON,
+ entity_name, "osd",
+ "osd pool op unmanaged-snap",
+ (pool_name == nullptr ?
+ CommandArgs{} /* pool DNE, require unrestricted cap */ :
+ CommandArgs{{"poolname", *pool_name}}),
+ false, true, false,
+ peer_socket_addr)) {
 return true; }
@@ -3340,7 +3343,8 @@ bool OSDMonitor::preprocess_remove_snaps(MonOpRequestRef op) cct, CEPH_ENTITY_TYPE_MON, session->entity_name,
- "osd", "osd pool rmsnap", {}, true, true, false)) {
+ "osd", "osd pool rmsnap", {}, true, true, false,
+ session->get_peer_addr())) {
 dout(0) << "got preprocess_remove_snaps from entity with insufficient caps " << session->caps << dendl; goto ignore;
@@ -11893,6 +11897,7 @@ bool OSDMonitor::enforce_pool_op_caps(MonOpRequestRef op) if (!is_unmanaged_snap_op_permitted(cct, mon->key_server, session->entity_name, session->caps,
+ session->get_peer_addr(),
 pool_name)) { dout(0) << "got unmanaged-snap pool op from entity with insufficient " << "privileges. message: " << *m << std::endl
diff --git a/src/mon/Session.h b/src/mon/Session.h
index 6c97f686255fd..957dd5041debf 100644
--- a/src/mon/Session.h
+++ b/src/mon/Session.h
@@ -94,7 +94,12 @@ struct MonSession : public RefCountedObject { CEPH_ENTITY_TYPE_MON, entity_name, service, "", args,
- mask & MON_CAP_R, mask & MON_CAP_W, mask & MON_CAP_X);
+ mask & MON_CAP_R, mask & MON_CAP_W, mask & MON_CAP_X,
+ get_peer_addr());
+ }
+
+ const entity_addr_t& get_peer_addr() {
+ return inst.addr;
 } };
diff --git a/src/test/mon/moncap.cc b/src/test/mon/moncap.cc
index 5ac8bff13423b..93598774e8bfc 100644
--- a/src/test/mon/moncap.cc
+++ b/src/test/mon/moncap.cc
@@ -189,7 +189,7 @@ TEST(MonCap, AllowAll) { ASSERT_TRUE(cap.parse("allow *", NULL)); ASSERT_TRUE(cap.is_allow_all()); ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(),
- "foo", "asdf", map(), true, true, true));
+ "foo", "asdf", map(), true, true, true, entity_addr_t()));
 MonCap cap2; ASSERT_FALSE(cap2.is_allow_all());
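Review bot: `MonSession::get_peer_addr()` in src/mon/Session.h returns `inst.addr` with no statement of where that address originates, and the same hunk now passes it into the capability check. The OSDMonitor.cc hunk names the matching parameter `peer_socket_addr`, which suggests the intent is the transport-level address; if `inst.addr` can instead hold an address the peer announced about itself, a capability decision keyed on it would be trusting client-supplied data. A comment on the accessor such as `// remote address recorded for this session's connection; input to MonCap::is_capable` (worded to match what the messenger actually guarantees) would pin that down, and the parameter names `addr` and `peer_socket_addr` could be unified. The struct continues outside the hunk.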
@@ -207,48 +207,66 @@ TEST(MonCap, ProfileOSD) { map ca; ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "osd", "", ca, true, false, false));
+ name, "osd", "", ca, true, false, false,
+ entity_addr_t()));
 ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "osd", "", ca, true, true, false));
+ name, "osd", "", ca, true, true, false,
+ entity_addr_t()));
 ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "osd", "", ca, true, true, true));
+ name, "osd", "", ca, true, true, true,
+ entity_addr_t()));
 ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "osd", "", ca, true, true, true));
+ name, "osd", "", ca, true, true, true,
+ entity_addr_t()));
 ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "mon", "", ca, true, false,false));
+ name, "mon", "", ca, true, false,false,
+ entity_addr_t()));
 ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "mds", "", ca, true, true, true));
+ name, "mds", "", ca, true, true, true,
+ entity_addr_t()));
 ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "mon", "", ca, true, true, true));
+ name, "mon", "", ca, true, true, true,
+ entity_addr_t()));
 ca.clear(); ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true));
+ name, "", "config-key get", ca, true, true, true,
+ entity_addr_t()));
 ca["key"] = "daemon-private/osd.123"; ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true));
+ name, "", "config-key get", ca, true, true, true,
+ entity_addr_t()));
 ca["key"] = "daemon-private/osd.12/asdf"; ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true));
+ name, "", "config-key get", ca, true, true, true,
+ entity_addr_t()));
 ca["key"] = "daemon-private/osd.123/"; ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true));
+ name, "", "config-key 
get", ca, true, true, true,
+ entity_addr_t()));
 ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true));
+ name, "", "config-key get", ca, true, true, true,
+ entity_addr_t()));
 ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true));
+ name, "", "config-key get", ca, true, true, true,
+ entity_addr_t()));
 ca["key"] = "daemon-private/osd.123/foo"; ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true));
+ name, "", "config-key get", ca, true, true, true,
+ entity_addr_t()));
 ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key put", ca, true, true, true));
+ name, "", "config-key put", ca, true, true, true,
+ entity_addr_t()));
 ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key set", ca, true, true, true));
+ name, "", "config-key set", ca, true, true, true,
+ entity_addr_t()));
 ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key exists", ca, true, true, true));
+ name, "", "config-key exists", ca, true, true, true,
+ entity_addr_t()));
 ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key delete", ca, true, true, true));
+ name, "", "config-key delete", ca, true, true, true,
+ entity_addr_t()));
 } TEST(MonCap, CommandRegEx) {
@@ -259,13 +277,16 @@ TEST(MonCap, CommandRegEx) { EntityName name; name.from_str("osd.123"); ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "",
- "abc", {{"arg", "12345abcde"}}, true, true, true));
+ "abc", {{"arg", "12345abcde"}}, true, true, true,
+ entity_addr_t()));
 ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "",
- "abc", {{"arg", "~!@#$"}}, true, true, true));
+ "abc", {{"arg", "~!@#$"}}, true, true, true,
+ entity_addr_t()));
 ASSERT_TRUE(cap.parse("allow command abc with arg regex \"[*\"", NULL)); ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "",
- "abc", {{"arg", ""}}, true, true, true));
+ "abc", {{"arg", ""}}, true, true, true,
+ entity_addr_t()));
 } TEST(MonCap, ProfileBootstrapRBD) {
@@ -280,17 +301,20 @@ TEST(MonCap, ProfileBootstrapRBD) { {"entity", "client.rbd"}, {"caps_mon", "profile rbd"}, {"caps_osd", "profile rbd pool=foo, profile rbd-read-only"},
- }, true, true, true));
+ }, true, true, true,
+ entity_addr_t()));
 ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "", "auth get-or-create", { {"entity", "client.rbd"}, {"caps_mon", "allow *"}, {"caps_osd", "profile rbd"},
- }, true, true, true));
+ }, true, true, true,
+ entity_addr_t()));
 ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "", "auth get-or-create", { {"entity", "client.rbd"}, {"caps_mon", "profile rbd"}, {"caps_osd", "profile rbd pool=foo, allow *, profile rbd-read-only"},
- }, true, true, true));
+ }, true, true, true,
+ entity_addr_t()));
 }
-- 2.39.5