From 4db0b88d135b11013ba1693d640719ee9d5f632a Mon Sep 17 00:00:00 2001
From: Joao Eduardo Luis
Date: Fri, 13 Apr 2018 15:25:33 +0100
Subject: [PATCH] mon/AuthMonitor: don't validate fs caps on authorize

The monitor will have no idea how to validate fs caps during `fs authorize`. Instead, validate solely the built osd and mds caps.

Signed-off-by: Joao Eduardo Luis
---
 src/mon/AuthMonitor.cc | 58 ++++++++++++++++++++++++++----------------
 src/mon/AuthMonitor.h | 4 +--
 2 files changed, 38 insertions(+), 24 deletions(-)

diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index 878230d4f09..aff80e9440e 100644
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -1083,6 +1083,35 @@ int AuthMonitor::do_osd_new(
 return 0;
 }
 
+bool AuthMonitor::valid_caps(
+ const string& type,
+ const string& caps,
+ ostream *out)
+{
+ if (type == "mon" || type == "mgr") {
+ MonCap tmp;
+ if (!tmp.parse(caps, out)) {
+ return false;
+ }
+ } else if (type == "osd") {
+ OSDCap ocap;
+ if (!ocap.parse(caps, out)) {
+ return false;
+ }
+ } else if (type == "mds") {
+ MDSAuthCaps mdscap;
+ if (!mdscap.parse(g_ceph_context, caps, out)) {
+ return false;
+ }
+ } else {
+ if (out) {
+ *out << "unknown cap type '" << type << "'";
+ }
+ return false;
+ }
+ return true;
+}
+
 bool AuthMonitor::valid_caps(const vector& caps, ostream *out)
 {
 for (vector::const_iterator p = caps.begin();
@@ -1091,23 +1120,7 @@ bool AuthMonitor::valid_caps(const vector& caps, ostream *out)
 *out << "cap '" << *p << "' has no value";
 return false;
 }
- if (*p == "mon" || *p == "mgr") {
- MonCap tmp;
- if (!tmp.parse(*(p+1), out)) {
- return false;
- }
- } else if (*p == "osd") {
- OSDCap ocap;
- if (!ocap.parse(*(p+1), out)) {
- return false;
- }
- } else if (*p == "mds") {
- MDSAuthCaps mdscap;
- if (!mdscap.parse(g_ceph_context, *(p+1), out)) {
- return false;
- }
- } else {
- *out << "unknown cap type '" << *p << "'";
+ if (!valid_caps(*p, *(p+1), out)) {
 return false;
 }
 }
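Review bot: The new three-argument `valid_caps` checks `if (out)` only in its unknown-type branch, so the two overloads disagree on whether `out` may be null. The vector overload, visible as context in the following hunk, still writes `*out << "cap '" << *p << "' has no value"` unguarded, and `out` is forwarded to each `parse()` call; whether those tolerate a null stream is not visible here. Either document that `out` must be non-null and drop the guard, or guard the remaining write as well: `if (out) *out << "cap '" << *p << "' has no value";`. A short comment above the definition, for example `// Returns true only if caps parses for the given service type; an unrecognised type is rejected.`, would also make the fail-closed behaviour explicit.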
@@ -1395,11 +1408,6 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
 string mds_cap_string, osd_cap_string;
 string osd_cap_wanted = "r";
 
- if (!valid_caps(caps_vec, &ss)) {
- err = -EINVAL;
- goto done;
- }
-
 for (auto it = caps_vec.begin();
 it != caps_vec.end() && (it + 1) != caps_vec.end();
 it += 2) {
@@ -1441,6 +1449,12 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
 { "mds", _encode_cap(mds_cap_string) }
 };
 
+ if (!valid_caps("osd", osd_cap_string, &ss) ||
+ !valid_caps("mds", mds_cap_string, &ss)) {
+ err = -EINVAL;
+ goto done;
+ }
+
 EntityAuth entity_auth;
 if (mon->key_server.get_auth(entity, entity_auth)) {
 for (const auto &sys_cap : wanted_caps) {
diff --git a/src/mon/AuthMonitor.h b/src/mon/AuthMonitor.h
index b4ddf47b857..825ed7ee33a 100644
--- a/src/mon/AuthMonitor.h
+++ b/src/mon/AuthMonitor.h
@@ -132,8 +132,8 @@ private:
 pending_auth.push_back(inc);
 }
 
- /* validate mon/osd/mds caps ; don't care about caps for other services as
- * we don't know how to validate them */
+ /* validate mon/osd/mds caps; fail on unrecognized service/type */
+ bool valid_caps(const string& type, const string& caps, ostream *out);
 bool valid_caps(const vector& caps, ostream *out);
 
 void on_active() override;
-- 
2.39.5
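Review bot: In `prepare_command`, validating only the built `osd_cap_string` and `mds_cap_string` leaves the raw `caps_vec` unchecked. With the loop condition `(it + 1) != caps_vec.end()` shown in the preceding hunk, a trailing element with no value is now skipped without any error. An explicit length check before the loop would keep that input rejected: `if (caps_vec.size() % 2) { ss << "cap '" << caps_vec.back() << "' has no value"; err = -EINVAL; goto done; }`. A successful parse also shows only that the built strings are well-formed, not that they grant no more than the request named. The loop body that assembles them lies outside these hunks, so confirm there that each path and capability token is restricted to its expected form before it is concatenated. Because the parse errors written to `ss` refer to strings the caller never typed, prefixing the message with which built cap failed would help operators diagnose a rejected `fs authorize`.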