From 47950f2a970f8a8ff2d260d12373f447529bf9da Mon Sep 17 00:00:00 2001 From: Jason Dillaman Date: Wed, 20 Jun 2018 21:30:47 -0400 Subject: [PATCH] mon/OSDMonitor: enforce caps for all remaining pool ops Signed-off-by: Jason Dillaman (cherry picked from commit 61c06200fe59996bba2bb65fc402207bc10fd459) (cherry picked from commit fb4526690ccd29f1a03d3cd7e5484b9e2191b04b) (cherry picked from commit 877a319a4e9e328b2954c210d1bc6da29931dc31) --- src/mon/OSDMonitor.cc | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/src/mon/OSDMonitor.cc b/src/mon/OSDMonitor.cc index 45619793d16e6..fec7b0e93b958 100644 --- a/src/mon/OSDMonitor.cc +++ b/src/mon/OSDMonitor.cc @@ -7928,6 +7928,13 @@ bool OSDMonitor::enforce_pool_op_caps(MonOpRequestRef op) } break; default: + if (!session->is_capable("osd", MON_CAP_W)) { + dout(0) << "got pool op from entity with insufficient privileges. " + << "message: " << *m << std::endl + << "caps: " << session->caps << dendl; + _pool_op_reply(op, -EPERM, osdmap.get_epoch()); + return true; + } break; } @@ -8015,19 +8022,6 @@ bool OSDMonitor::preprocess_pool_op_create(MonOpRequestRef op) { op->mark_osdmon_event(__func__); MPoolOp *m = static_cast(op->get_req()); - MonSession *session = m->get_session(); - if (!session) { - _pool_op_reply(op, -EPERM, osdmap.get_epoch()); - return true; - } - if (!session->is_capable("osd", MON_CAP_W)) { - dout(5) << "attempt to create new pool without sufficient auid privileges!" - << "message: " << *m << std::endl - << "caps: " << session->caps << dendl; - _pool_op_reply(op, -EPERM, osdmap.get_epoch()); - return true; - } - int64_t pool = osdmap.lookup_pg_pool_name(m->name.c_str()); if (pool >= 0) { _pool_op_reply(op, 0, osdmap.get_epoch()); -- 2.39.5