From 22c0982c744f34c5ac2375a45788956976a259c1 Mon Sep 17 00:00:00 2001
From: Kotresh HR
Date: Tue, 27 May 2025 12:24:00 +0530
Subject: [PATCH] mds: Fix multifs auth caps check

The fsname is not take into consideration while validating the access check for the operations. This patch fixes the same.
Fixes: https://tracker.ceph.com/issues/72167
Signed-off-by: Kotresh HR
(cherry picked from commit 1a5e083eb297dc611c8098abb67faf34fd8e4499)
---
 src/mds/MDSAuthCaps.cc | 14 ++++++++++----
 src/mds/MDSAuthCaps.h | 6 ++++--
 src/mds/Server.cc | 3 ++-
 src/mds/SessionMap.cc | 4 ++--
 src/mds/SessionMap.h | 2 +-
 5 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index 8c8a196d2ff..0fc599bc9aa 100644
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -133,11 +133,16 @@ void MDSCapMatch::normalize_path()
 // drop .. }
-bool MDSCapMatch::match(string_view target_path,
+bool MDSCapMatch::match(string_view fs_name,
+ string_view target_path,
 const int caller_uid, const int caller_gid, const vector *caller_gid_list) const {
+ if (!match_fs(fs_name)) {
+ return false;
+ }
+
 if (uid != MDS_AUTH_UID_ANY) { if (uid != caller_uid) return false;
@@ -224,7 +229,8 @@ bool MDSAuthCaps::path_capable(string_view inode_path) const
 * This is true if any of the 'grant' clauses in the capability match the * requested path + op. */
-bool MDSAuthCaps::is_capable(string_view inode_path,
+bool MDSAuthCaps::is_capable(string_view fs_name,
+ string_view inode_path,
 uid_t inode_uid, gid_t inode_gid, unsigned inode_mode, uid_t caller_uid, gid_t caller_gid,
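Review bot: The new `match_fs(fs_name)` gate at the top of `MDSCapMatch::match` is the whole fix, yet nothing in this patch tests it: the diffstat lists only the five `src/mds` files. A unit test that parses a grant restricted to one file system and asserts that `is_capable` is false for a different fs name and true for the matching one would keep a cross-filesystem authorization regression from slipping back in. `match_fs` itself is not shown, so it is worth confirming that an empty `fs_name` argument cannot satisfy an fs-restricted grant. The body of `match` continues past the end of the hunk.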
@@ -233,7 +239,7 @@ bool MDSAuthCaps::is_capable(string_view inode_path,
 uid_t new_uid, gid_t new_gid, const entity_addr_t& addr) const {
- ldout(g_ceph_context, 10) << __func__ << " inode(path /" << inode_path
+ ldout(g_ceph_context, 10) << __func__ << "fs_name " << fs_name << " inode(path /" << inode_path
 << " owner " << inode_uid << ":" << inode_gid << " mode 0" << std::oct << inode_mode << std::dec << ") by caller " << caller_uid << ":" << caller_gid
@@ -251,7 +257,7 @@ bool MDSAuthCaps::is_capable(string_view inode_path,
 continue; }
- if (grant.match.match(inode_path, caller_uid, caller_gid, caller_gid_list) &&
+ if (grant.match.match(fs_name, inode_path, caller_uid, caller_gid, caller_gid_list) &&
 grant.spec.allows(mask & (MAY_READ|MAY_EXECUTE), mask & MAY_WRITE)) { if (grant.match.root_squash && ((caller_uid == 0) || (caller_gid == 0)) && (mask & MAY_WRITE)) {
diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index f77fd965a2f..b75ed9f2487 100644
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
@@ -133,7 +133,8 @@ struct MDSCapMatch {
 } // check whether this grant matches against a given file and caller uid:gid
- bool match(std::string_view target_path,
+ bool match(std::string_view fs_name,
+ std::string_view target_path,
 const int caller_uid, const int caller_gid, const std::vector *caller_gid_list) const;
@@ -252,7 +253,8 @@ public:
 bool parse(std::string_view str, std::ostream *err); bool allow_all() const;
- bool is_capable(std::string_view inode_path,
+ bool is_capable(std::string_view fs_name,
+ std::string_view inode_path,
 uid_t inode_uid, gid_t inode_gid, unsigned inode_mode, uid_t uid, gid_t gid, const std::vector *caller_gid_list, unsigned mask, uid_t new_uid, gid_t new_gid,
diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index c525c93e186..42e8a579f18 100644
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
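Review bot: In the `ldout` line of `MDSAuthCaps::is_capable`, `__func__` is followed directly by the literal `"fs_name "`, so the debug output runs the two together as `is_capablefs_name ...`, which makes these authorization-decision lines harder to grep. Start the literal with a space: `<< __func__ << " fs_name " << fs_name`. The statement continues past the end of the hunk.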
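Review bot: The comment above `match()` in `struct MDSCapMatch` still describes matching "against a given file and caller uid:gid", which no longer covers what the function checks now that it takes `fs_name`. Suggest `// check whether this grant matches the given fs name, path and caller uid:gid`.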
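Review bot: `is_capable` now takes two adjacent `std::string_view` arguments, `fs_name` then `inode_path`, so a caller that passes them in the wrong order compiles cleanly and evaluates the grant against the wrong values; `MDSCapMatch::match` in the previous hunk of this header has the same shape. A short comment on the declaration naming the order, for example `// fs_name: file system the request targets; inode_path: path within that file system`, would make call sites easier to audit. Callers outside the five files in this patch, if any exist, also need the new leading argument. The declaration continues past the end of the hunk.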
@@ -3387,8 +3387,9 @@ void Server::handle_peer_auth_pin_ack(MDRequestRef& mdr, const cref_tsession) {
+ std::string_view fs_name = mds->mdsmap->get_fs_name();
 int r = mdr->session->check_access(
- in, mask,
+ fs_name, in, mask,
 mdr->client_request->get_caller_uid(), mdr->client_request->get_caller_gid(), &mdr->client_request->get_caller_gid_list(),
diff --git a/src/mds/SessionMap.cc b/src/mds/SessionMap.cc
index 0f6038eb82b..2c101f83e0f 100644
--- a/src/mds/SessionMap.cc
+++ b/src/mds/SessionMap.cc
@@ -1036,7 +1036,7 @@ void Session::decode(bufferlist::const_iterator &p)
 _update_human_name(); }
-int Session::check_access(CInode *in, unsigned mask,
+int Session::check_access(std::string_view fs_name, CInode *in, unsigned mask,
 int caller_uid, int caller_gid, const vector *caller_gid_list, int new_uid, int new_gid)
@@ -1087,7 +1087,7 @@ int Session::check_access(CInode *in, unsigned mask,
 return -CEPHFS_EIO; }
- if (!auth_caps.is_capable(path, inode->uid, inode->gid, inode->mode,
+ if (!auth_caps.is_capable(fs_name, path, inode->uid, inode->gid, inode->mode,
 caller_uid, caller_gid, caller_gid_list, mask, new_uid, new_gid, info.inst.addr)) {
diff --git a/src/mds/SessionMap.h b/src/mds/SessionMap.h
index ed12ccee25b..f6d65d3c010 100644
--- a/src/mds/SessionMap.h
+++ b/src/mds/SessionMap.h
@@ -383,7 +383,7 @@ public:
 completed_requests_dirty = false; }
- int check_access(CInode *in, unsigned mask, int caller_uid, int caller_gid,
+ int check_access(std::string_view fs_name, CInode *in, unsigned mask, int caller_uid, int caller_gid,
 const std::vector *gid_list, int new_uid, int new_gid); bool fs_name_capable(std::string_view fs_name, unsigned mask) const {
--
2.39.5
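Review bot: `std::string_view fs_name = mds->mdsmap->get_fs_name();` stores a non-owning view, so if `get_fs_name()` returns `std::string` by value the view dangles once the statement ends and `check_access` would then make its authorization decision on freed memory. The declaration of `get_fs_name()` is not on this page; confirm it returns a `std::string_view` or `const std::string&` backed by the MDSMap, and otherwise hold the name as `const std::string fs_name = mds->mdsmap->get_fs_name();`. The hunk header and leading context are garbled in this rendering, so the enclosing function starts outside what can be read here.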