From 9c694ffc7eda5cf7979e5260db9119047ffada6a Mon Sep 17 00:00:00 2001 From: Douglas Fuller Date: Mon, 13 Nov 2017 16:40:43 -0500 Subject: [PATCH] cephfs, mon/AuthMonitor, OSD/osdcap: make 'all' a synonym for '*' Define the string 'all' to be a synonym for the wildcard '*'. This avoids confusion in the event that some auth caps (typically with ceph fs authorize) are not quoted and thus '*' is expanded by the shell. Signed-off-by: Douglas Fuller --- doc/cephfs/client-auth.rst | 3 +++ doc/man/8/ceph-authtool.rst | 2 +- doc/rados/operations/user-management.rst | 2 +- src/mds/MDSAuthCaps.cc | 2 ++ src/mon/AuthMonitor.cc | 2 +- src/mon/MonCap.cc | 1 + src/osd/OSDCap.cc | 9 ++++++--- src/test/osd/osdcap.cc | 7 ++++++- 8 files changed, 21 insertions(+), 7 deletions(-) diff --git a/doc/cephfs/client-auth.rst b/doc/cephfs/client-auth.rst index 1bc0576af53..78dd81fe970 100644 --- a/doc/cephfs/client-auth.rst +++ b/doc/cephfs/client-auth.rst @@ -50,6 +50,9 @@ Note that if a client's read access is restricted to a path, they will only be able to mount the filesystem when specifying a readable path in the mount command (see below). +Supplying ``all`` or ``*`` as the filesystem name will grant access to every +file system. Note that it is usually necessary to quote ``*`` to protect it from +the shell. See `User Management - Add a User to a Keyring`_. for additional details on user management diff --git a/doc/man/8/ceph-authtool.rst b/doc/man/8/ceph-authtool.rst index 56a0639cc8b..475b0a21fa5 100644 --- a/doc/man/8/ceph-authtool.rst +++ b/doc/man/8/ceph-authtool.rst 
@@ -151,7 +151,7 @@ The capspec determines what kind of operations the entity can perform:: x = can call any class method (same as class-read class-write) class-read = can call class methods that are reads class-write = can call class methods that are writes - * = equivalent to rwx, plus the ability to run osd admin commands, + * or "all" = equivalent to rwx, plus the ability to run osd admin commands, i.e. ceph osd tell ... The match criteria restrict a grant based on the pool being accessed. diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst index 33b58c02252..a976ff2b6af 100644 --- a/doc/rados/operations/user-management.rst +++ b/doc/rados/operations/user-management.rst @@ -222,7 +222,7 @@ Application Tags Access may be restricted to specific pools as defined by their application metadata. The ``*`` wildcard may be used for the ``key`` argument, the -``value`` argument, or both. +``value`` argument, or both. ``all`` is a synony for ``*``. Namespace --------- diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc index e22e449cd42..4ada87cf728 100644 --- a/src/mds/MDSAuthCaps.cc +++ b/src/mds/MDSAuthCaps.cc @@ -72,6 +72,8 @@ struct MDSCapParser : qi::grammar capspec = spaces >> ( lit("*")[_val = MDSCapSpec(true, true, true, true)] | + lit("all")[_val = MDSCapSpec(true, true, true, true)] + | (lit("rwp"))[_val = MDSCapSpec(true, true, false, true)] | (lit("rw"))[_val = MDSCapSpec(true, true, false, false)] diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc index 9fbc4f089d2..9c60e37944f 100644 --- a/src/mon/AuthMonitor.cc +++ b/src/mon/AuthMonitor.cc @@ -1300,7 +1300,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) } } - if (filesystem != "*") { + if (filesystem != "*" && filesystem != "all") { auto fs = mon->mdsmon()->get_fsmap().get_filesystem(filesystem); if (!fs) { ss << "filesystem " << filesystem << " does not exist."; 
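Review bot: The new `lit("all")` alternative in capspec gets no parser test, while the equivalent OSDCap change is covered in src/test/osd/osdcap.cc; the same gap applies to the rwxa hunk in src/mon/MonCap.cc. A case asserting that `allow all` yields the same MDSCapSpec as `allow *` would pin the synonym, and a spec that merely starts with "all" should be checked to still be rejected, since `lit("all")` matches a prefix with no word boundary. Neither documentation hunk in this patch mentions that `all` is accepted in the MDS or mon rwx position, so the capability-syntax description should gain a line saying `all` is a synonym for `*` there too. capspec continues outside the hunk.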
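Review bot: The existence check now lets "all" through, but `filesystem` keeps the operator's spelling, so if the code after the hunk interpolates it into the generated cap string (prepare_command continues outside the hunk) a key created with `all` is persisted with `all` rather than `*`, and that stored cap is only understood by daemons that already carry this patch; during a rolling upgrade an older OSD or MDS would fail to parse it and refuse the client. Normalising before the check keeps one spelling in the auth database and in every later comparison: `if (filesystem == "all") filesystem = "*";` placed ahead of `if (filesystem != "*") {`, assuming `filesystem` is a mutable local. It also makes the cap shown later to the operator independent of how the command was typed.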
diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc index c93644f6811..094a3332248 100644 --- a/src/mon/MonCap.cc +++ b/src/mon/MonCap.cc @@ -530,6 +530,7 @@ struct MonCapParser : qi::grammar // rwxa := * | [r][w][x] rwxa = (lit("*")[_val = MON_CAP_ANY]) | + (lit("all")[_val = MON_CAP_ANY]) | ( eps[_val = 0] >> ( lit('r')[_val |= MON_CAP_R] || lit('w')[_val |= MON_CAP_W] || diff --git a/src/osd/OSDCap.cc b/src/osd/OSDCap.cc index 95c94ebfef8..ba5a7eb821a 100644 --- a/src/osd/OSDCap.cc +++ b/src/osd/OSDCap.cc @@ -398,6 +398,8 @@ struct OSDCapParser : qi::grammar spaces = +ascii::space; + wildcard = (lit('*') | lit("all")) [_val = "*"]; + pool_name %= -(spaces >> lit("pool") >> (lit('=') | spaces) >> str); nspace %= (spaces >> lit("namespace") >> (lit('=') | spaces) @@ -408,8 +410,8 @@ struct OSDCapParser : qi::grammar object_prefix %= -(spaces >> lit("object_prefix") >> spaces >> str); pooltag %= (spaces >> lit("tag") >> spaces >> str // application - >> spaces >> (str | char_('*')) // key - >> -spaces >> lit('=') >> -spaces >> (str | char_('*'))); // value + >> spaces >> (wildcard | str) // key + >> -spaces >> lit('=') >> -spaces >> (wildcard | str)); // value match = ( pooltag [_val = phoenix::construct(_1)] | @@ -421,7 +423,7 @@ struct OSDCapParser : qi::grammar // rwxa := * | [r][w][x] [class-read] [class-write] rwxa = - (spaces >> lit("*")[_val = OSD_CAP_ANY]) | + (spaces >> wildcard[_val = OSD_CAP_ANY]) | ( eps[_val = 0] >> ( spaces >> @@ -459,6 +461,7 @@ struct OSDCapParser : qi::grammar qi::rule quoted_string, equoted_string; qi::rule unquoted_word; qi::rule str, estr; + qi::rule wildcard; qi::rule auid; qi::rule class_name; qi::rule class_cap; diff --git a/src/test/osd/osdcap.cc b/src/test/osd/osdcap.cc index 2d7629d1088..b6a9309420f 100644 --- a/src/test/osd/osdcap.cc +++ b/src/test/osd/osdcap.cc 
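Review bot: `wildcard` matches `lit("all")` as a bare prefix, and in the pooltag hunk it is tried before `str`, so a key or value that merely begins with "all" (a filesystem named `allfs` arriving as `tag cephfs data=allfs`, for instance) has its first three characters consumed as the wildcard; Qi's ordered choice does not retry `str` when the following `lit('=')` or end of grant then fails, so such caps stop parsing and the client is refused, where the same text parsed as a plain word before this patch. Requiring a token boundary fixes the regression without changing the accepted wildcard forms: `wildcard = (lit('*') | (lit("all") >> !(alnum | char_('_') | char_('-')))) [_val = "*"];`, with the negated class kept identical to whatever unquoted_word accepts so the boundary and the word definition stay in step. The rwxa hunk is not affected in practice, since a spec such as `allr` was never valid, but it inherits the fix through the shared rule. The declaration added in the last hunk deserves a one-line comment that the rule's attribute is always "*", so code consuming the parsed key and value only ever sees one spelling.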
@@ -79,6 +79,7 @@ const char *parse_good[] = {
 "allow rwx tag application key =value",
 "allow rwx tag application key= value",
 "allow rwx tag application key = value",
+ "allow all tag application all=all",
 0
 };
 
@@ -909,7 +910,11 @@ TEST(OSDCap, OutputParsed)
 {"allow rwx tag application key=value",
 "osdcap[grant(app application key key val value rwx)]"},
 {"allow rwx namespace ns* tag application key=value",
- "osdcap[grant(namespace ns* app application key key val value rwx)]"}
+ "osdcap[grant(namespace ns* app application key key val value rwx)]"},
+ {"allow all",
+ "osdcap[grant(*)]"},
+ {"allow rwx tag application all=all",
+ "osdcap[grant(app application key * val * rwx)]"}
 };
 
 size_t num_tests = sizeof(test_values) / sizeof(*test_values);
-- 
2.39.5
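Review bot: The new cases only exercise the exact token `all`; nothing checks that a key or value merely starting with "all" is still taken literally, which is the boundary most likely to break with a `lit("all")` prefix match in the parser. Adding `"allow rwx tag application allkey=allvalue",` to parse_good and `{"allow rwx tag application allkey=allvalue", "osdcap[grant(app application key allkey val allvalue rwx)]"}` to the OutputParsed table would pin that, and I expect both to fail against the wildcard rule as written in this patch, which is the point of the case. A negative entry such as `"allow allx"` in the file's bad-input list, if it has one, would likewise record that the synonym does not accept a trailing suffix.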