From bbf037d6f77f87232c1339791dc5933b5c7ad666 Mon Sep 17 00:00:00 2001
From: Jason Dillaman
Date: Fri, 11 Oct 2019 10:45:15 -0400
Subject: [PATCH] mon: dropped daemon type argument for MonCap

This was a placeholder for handling MGR caps within the MonCap class. Now that the MGR has its own MgrCap class, this is no longer required.

Signed-off-by: Jason Dillaman
(cherry picked from commit dbb1b54d492134b677b4e239415c0579e34032b4)

Conflicts:
 src/mon/MonCap.h: trivial resolution
 src/mon/Monitor.cc: trivial resolution
---
 src/mon/MonCap.cc | 30 ++------
 src/mon/MonCap.h | 7 +-
 src/mon/Monitor.cc | 1 -
 src/mon/OSDMonitor.cc | 4 +-
 src/mon/Session.h | 1 -
 src/test/mon/moncap.cc | 157 +++++++++++++++++------------------
 6 files changed, 69 insertions(+), 131 deletions(-)

diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index a0e91c3614b9b..b262929aeb5f1 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -146,7 +146,7 @@ void MonCapGrant::parse_network()
 &network_prefix);
 }
-void MonCapGrant::expand_profile(int daemon_type, const EntityName& name) const
+void MonCapGrant::expand_profile(const EntityName& name) const
 {
 // only generate this list once
 if (!profile_grants.empty())
@@ -166,25 +166,6 @@ void MonCapGrant::expand_profile(int daemon_type, const EntityName& name) const
 return;
 }
- switch (daemon_type) {
- case CEPH_ENTITY_TYPE_MON:
- expand_profile_mon(name);
- return;
- case CEPH_ENTITY_TYPE_MGR:
- expand_profile_mgr(name);
- return;
- }
-}
-
-void MonCapGrant::expand_profile_mgr(const EntityName& name) const
-{
- if (profile == "crash") {
- profile_grants.push_back(MonCapGrant("crash post"));
- }
-}
-
-void MonCapGrant::expand_profile_mon(const EntityName& name) const
-{
 if (profile == "mon") {
 profile_grants.push_back(MonCapGrant("mon", MON_CAP_ALL));
 profile_grants.push_back(MonCapGrant("log", MON_CAP_ALL));
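Review bot: Removing `expand_profile_mgr` deletes the only place in this hunk where `profile crash` produced a grant (`crash post`), so a MonCap that still carries `profile crash` now runs through the former mon-only expansion, which in the visible lines has no `crash` branch. That matches the commit message (MgrCap now owns MGR caps), but it is a silent change in what a key minted with that profile is allowed to do on the monitor side, and the moncap test edits in this patch add no case pinning what `profile crash` now yields. If the mon path handles `crash` further down in `expand_profile` (outside the hunk), a comment at the point where the switch used to be, `// mgr-only profiles (e.g. crash) are expanded by MgrCap, not here`, would record why the branch is gone. The body of `expand_profile` continues past the end of the hunk.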
@@ -333,17 +314,16 @@ void MonCapGrant::expand_profile_mon(const EntityName& name) const
 }
 mon_rwxa_t MonCapGrant::get_allowed(CephContext *cct,
- int daemon_type,
 EntityName name,
 const std::string& s,
 const std::string& c,
 const map& c_args) const
 {
 if (profile.length()) {
- expand_profile(daemon_type, name);
+ expand_profile(name);
 mon_rwxa_t a;
 for (list::const_iterator p = profile_grants.begin(); p != profile_grants.end(); ++p)
- a = a | p->get_allowed(cct, daemon_type, name, s, c, c_args);
+ a = a | p->get_allowed(cct, name, s, c, c_args);
 return a;
 }
 if (service.length()) {
@@ -420,7 +400,6 @@ void MonCap::set_allow_all()
 bool MonCap::is_capable(
 CephContext *cct,
- int daemon_type,
 EntityName name,
 const string& service,
 const string& command,
 const map& command_args,
@@ -458,8 +437,7 @@ bool MonCap::is_capable(
 }
 // check enumerated caps
- allow = allow | p->get_allowed(cct, daemon_type, name, service, command,
- command_args);
+ allow = allow | p->get_allowed(cct, name, service, command, command_args);
 if ((!op_may_read || (allow & MON_CAP_R)) &&
 (!op_may_write || (allow & MON_CAP_W)) &&
 (!op_may_exec || (allow & MON_CAP_X))) {
diff --git a/src/mon/MonCap.h b/src/mon/MonCap.h
index 67ed105ebda51..7f74ea99b12e5 100644
--- a/src/mon/MonCap.h
+++ b/src/mon/MonCap.h
@@ -96,9 +96,7 @@ struct MonCapGrant {
 // needed by expand_profile() (via is_match()) and cached here.
 mutable list profile_grants;
- void expand_profile(int daemon_type, const EntityName& name) const;
- void expand_profile_mon(const EntityName& name) const;
- void expand_profile_mgr(const EntityName& name) const;
+ void expand_profile(const EntityName& name) const;
 MonCapGrant() : allow(0) {}
 // cppcheck-suppress noExplicitConstructor
@@ -121,7 +119,6 @@ struct MonCapGrant {
 * @return bits we allow
 */
 mon_rwxa_t get_allowed(CephContext *cct,
- int daemon_type, ///< CEPH_ENTITY_TYPE_*
 EntityName name,
 const std::string& service,
 const std::string& command,
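Review bot: The rewritten accumulation line in `MonCapGrant::get_allowed` keeps the explicit `list::const_iterator` loop around it; since that line is touched anyway, a range-for would drop the iterator type and read more clearly: `for (const auto& g : profile_grants)` followed by `a = a | g.get_allowed(cct, name, s, c, c_args);`. In the same hunk `mon_rwxa_t a;` has no initializer; if `mon_rwxa_t`'s default constructor does not zero the value (not visible here), the OR-fold of allow bits starts from an indeterminate value, so `mon_rwxa_t a{};` would make the intended empty starting set explicit. `get_allowed` continues past the end of the hunk.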
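Review bot: The comment above `profile_grants` in the `MonCap.h` hunk still reads `needed by expand_profile() (via is_match()) and cached here`, but with `daemon_type` gone the only remaining input to the expansion is `name`, and the guard at the top of `expand_profile` (visible in the `MonCap.cc` hunk) returns as soon as the list is non-empty, so a later call with a different `EntityName` silently reuses the first expansion. That is presumably fine because a `MonCapGrant` belongs to one principal, but the header is where that contract should be stated; I would extend the comment to `// cached on the first expand_profile() call; the name passed to later calls is ignored, so a grant must not be shared across principals`.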
@@ -159,7 +156,6 @@ struct MonCap {
 * This method actually checks a description of a particular operation against
 * what the capability has specified.
 *
- * @param daemon_type CEPH_ENTITY_TYPE_* for the service (MON or MGR)
 * @param service service name
 * @param command command id
 * @param command_args
@@ -169,7 +165,6 @@ struct MonCap {
 * @return true if the operation is allowed, false otherwise
 */
 bool is_capable(CephContext *cct,
- int daemon_type,
 EntityName name,
 const string& service,
 const string& command,
 const map& command_args,
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 1c46c38774d87..1549580b973a1 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -3088,7 +3088,6 @@ bool Monitor::_allowed_command(MonSession *s, const string &module,
 bool capable = s->caps.is_capable(
 g_ceph_context,
- CEPH_ENTITY_TYPE_MON,
 s->entity_name,
 module, prefix, param_str_map,
 cmd_r, cmd_w, cmd_x,
diff --git a/src/mon/OSDMonitor.cc b/src/mon/OSDMonitor.cc
index c8441c3ebd5ca..4f8f4d421fa4e 100644
--- a/src/mon/OSDMonitor.cc
+++ b/src/mon/OSDMonitor.cc
@@ -223,8 +223,7 @@ bool is_unmanaged_snap_op_permitted(CephContext* cct,
 typedef std::map CommandArgs;
 if (mon_caps.is_capable(
- cct, CEPH_ENTITY_TYPE_MON,
- entity_name, "osd",
+ cct, entity_name, "osd",
 "osd pool op unmanaged-snap",
 (pool_name == nullptr ?
 CommandArgs{} /* pool DNE, require unrestricted cap */ :
@@ -3861,7 +3860,6 @@ bool OSDMonitor::preprocess_remove_snaps(MonOpRequestRef op)
 goto ignore;
 if (!session->caps.is_capable(
 cct,
- CEPH_ENTITY_TYPE_MON,
 session->entity_name,
 "osd", "osd pool rmsnap", {}, true, true, false,
 session->get_peer_socket_addr())) {
diff --git a/src/mon/Session.h b/src/mon/Session.h
index 8981599573ad6..fba33381f75e3 100644
--- a/src/mon/Session.h
+++ b/src/mon/Session.h
@@ -95,7 +95,6 @@ struct MonSession : public RefCountedObject {
 map args;
 return caps.is_capable(
 g_ceph_context,
- CEPH_ENTITY_TYPE_MON,
 entity_name,
 service, "", args,
 mask & MON_CAP_R, mask & MON_CAP_W, mask & MON_CAP_X,
diff --git a/src/test/mon/moncap.cc b/src/test/mon/moncap.cc
index 388227ccb808f..1c151b1e3994f 100644
--- a/src/test/mon/moncap.cc
+++ b/src/test/mon/moncap.cc
@@ -188,8 +188,8 @@ TEST(MonCap, AllowAll) {
 ASSERT_TRUE(cap.parse("allow *", NULL));
 ASSERT_TRUE(cap.is_allow_all());
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(),
- "foo", "asdf", map(), true, true, true, entity_addr_t()));
+ ASSERT_TRUE(cap.is_capable(NULL, {}, "foo", "asdf", {}, true, true, true,
+ {}));
 MonCap cap2;
 ASSERT_FALSE(cap2.is_allow_all());
@@ -207,17 +207,11 @@ TEST(MonCap, Network) {
 b.parse("192.168.2.3");
 c.parse("192.167.2.3");
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(),
- "foo", "asdf", map(),
- true, true, true,
+ ASSERT_TRUE(cap.is_capable(NULL, {}, "foo", "asdf", {}, true, true, true,
 a));
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(),
- "foo", "asdf", map(),
- true, true, true,
+ ASSERT_TRUE(cap.is_capable(NULL, {}, "foo", "asdf", {}, true, true, true,
 b));
- ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(),
- "foo", "asdf", map(),
- true, true, true,
+ ASSERT_FALSE(cap.is_capable(NULL, {}, "foo", "asdf", {}, true, true, true,
 c));
 }
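Review bot: The rewritten `is_capable` calls in `AllowAll` and `Network` keep `NULL` for the `CephContext*` argument while the rewritten calls in `CommandRegEx`, `ProfileBootstrapRBD`, `ProfileBootstrapRBDMirror`, `ProfileRBD` and `ProfileRBDMirror` use `nullptr`; since every one of these lines is touched by the patch, this is the moment to make them consistent, e.g. `ASSERT_TRUE(cap.is_capable(nullptr, {}, "foo", "asdf", {}, true, true, true, {}));`. The `ProfileOSD` hunk has the same mix. Replacing `EntityName()`, `map()` and `entity_addr_t()` with three bare `{}` in one argument list also hides which parameter each one is; a comment on the first such call, `// {} = default entity name, no command args, unspecified peer address`, would keep the assertions readable.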
@@ -230,87 +224,62 @@ TEST(MonCap, ProfileOSD) {
 name.from_str("osd.123");
 map ca;
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "osd", "", ca, true, false, false,
- entity_addr_t()));
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "osd", "", ca, true, true, false,
- entity_addr_t()));
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "osd", "", ca, true, true, true,
- entity_addr_t()));
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "osd", "", ca, true, true, true,
- entity_addr_t()));
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "mon", "", ca, true, false,false,
- entity_addr_t()));
-
- ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "mds", "", ca, true, true, true,
- entity_addr_t()));
- ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "mon", "", ca, true, true, true,
- entity_addr_t()));
+ ASSERT_TRUE(cap.is_capable(NULL, name, "osd", "", ca, true, false, false,
+ {}));
+ ASSERT_TRUE(cap.is_capable(NULL, name, "osd", "", ca, true, true, false, {}));
+ ASSERT_TRUE(cap.is_capable(NULL, name, "osd", "", ca, true, true, true, {}));
+ ASSERT_TRUE(cap.is_capable(NULL, name, "osd", "", ca, true, true, true, {}));
+ ASSERT_TRUE(cap.is_capable(NULL, name, "mon", "", ca, true, false, false,
+ {}));
+
+ ASSERT_FALSE(cap.is_capable(NULL, name, "mds", "", ca, true, true, true, {}));
+ ASSERT_FALSE(cap.is_capable(NULL, name, "mon", "", ca, true, true, true, {}));
 ca.clear();
- ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true,
- entity_addr_t()));
+ ASSERT_FALSE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true,
+ true, {}));
 ca["key"] = "daemon-private/osd.123";
- ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true,
- entity_addr_t()));
+ ASSERT_FALSE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true,
+ true, {}));
 ca["key"] = "daemon-private/osd.12/asdf";
- ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true,
- entity_addr_t()));
+ ASSERT_FALSE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true,
+ true, {}));
 ca["key"] = "daemon-private/osd.123/";
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true,
- entity_addr_t()));
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true,
- entity_addr_t()));
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true,
- entity_addr_t()));
+ ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true,
+ true, {}));
+ ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true,
+ true, {}));
+ ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true,
+ true, {}));
 ca["key"] = "daemon-private/osd.123/foo";
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key get", ca, true, true, true,
- entity_addr_t()));
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key put", ca, true, true, true,
- entity_addr_t()));
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key set", ca, true, true, true,
- entity_addr_t()));
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key exists", ca, true, true, true,
- entity_addr_t()));
- ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON,
- name, "", "config-key delete", ca, true, true, true,
- entity_addr_t()));
+ ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true,
+ true, {}));
+ ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key put", ca, true, true,
+ true, {}));
+ ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key set", ca, true, true,
+ true, {}));
+ ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key exists", ca, true,
+ true, true, {}));
+ ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key delete", ca, true,
+ true, true, {}));
 }
 TEST(MonCap, CommandRegEx) {
 MonCap cap;
 ASSERT_FALSE(cap.is_allow_all());
- ASSERT_TRUE(cap.parse("allow command abc with arg regex \"^[0-9a-z.]*$\"", NULL));
+ ASSERT_TRUE(cap.parse("allow command abc with arg regex \"^[0-9a-z.]*$\"",
+ NULL));
 EntityName name;
 name.from_str("osd.123");
- ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "",
- "abc", {{"arg", "12345abcde"}}, true, true, true,
- entity_addr_t()));
- ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "",
- "abc", {{"arg", "~!@#$"}}, true, true, true,
- entity_addr_t()));
+ ASSERT_TRUE(cap.is_capable(nullptr, name, "", "abc", {{"arg", "12345abcde"}},
+ true, true, true, {}));
+ ASSERT_FALSE(cap.is_capable(nullptr, name, "", "abc", {{"arg", "~!@#$"}},
+ true, true, true, {}));
 ASSERT_TRUE(cap.parse("allow command abc with arg regex \"[*\"", NULL));
- ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "",
- "abc", {{"arg", ""}}, true, true, true,
- entity_addr_t()));
+ ASSERT_FALSE(cap.is_capable(nullptr, name, "", "abc", {{"arg", ""}}, true,
+ true, true, {}));
 }
 TEST(MonCap, ProfileBootstrapRBD) {
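Review bot: The rewritten `ProfileOSD` block carries over two runs of identical assertions: `ASSERT_TRUE(cap.is_capable(NULL, name, "osd", "", ca, true, true, true, {}));` appears twice in a row, and the `config-key get` check for `daemon-private/osd.123/` is asserted three times with no change to `ca` in between. Repeated identical asserts add no coverage and make the list look as if it exercised more key shapes than it does; since every one of these lines is rewritten by the patch, the duplicates should be dropped here rather than carried forward. In the `CommandRegEx` part of the same hunk, the test expects `parse` to succeed on the apparently malformed regex `\"[*\"` and then expects `is_capable` to be false; a one-line comment such as `// a regex that fails to compile must deny, not grant` would make clear that the fail-closed outcome, not the parse result, is the behaviour under test.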
@@ -320,27 +289,27 @@ TEST(MonCap, ProfileBootstrapRBD) {
 EntityName name;
 name.from_str("mon.a");
- ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
+ ASSERT_TRUE(cap.is_capable(nullptr, name, "",
 "auth get-or-create", {
 {"entity", "client.rbd"},
 {"caps_mon", "profile rbd"},
 {"caps_osd", "profile rbd pool=foo, profile rbd-read-only"},
 }, true, true, true,
- entity_addr_t()));
- ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
+ {}));
+ ASSERT_FALSE(cap.is_capable(nullptr, name, "",
 "auth get-or-create", {
 {"entity", "client.rbd"},
 {"caps_mon", "allow *"},
 {"caps_osd", "profile rbd"},
 }, true, true, true,
- entity_addr_t()));
- ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
+ {}));
+ ASSERT_FALSE(cap.is_capable(nullptr, name, "",
 "auth get-or-create", {
 {"entity", "client.rbd"},
 {"caps_mon", "profile rbd"},
 {"caps_osd", "profile rbd pool=foo, allow *, profile rbd-read-only"},
 }, true, true, true,
- entity_addr_t()));
+ {}));
 }
 TEST(MonCap, ProfileBootstrapRBDMirror) {
@@ -350,34 +319,34 @@ TEST(MonCap, ProfileBootstrapRBDMirror) {
 EntityName name;
 name.from_str("mon.a");
- ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
+ ASSERT_TRUE(cap.is_capable(nullptr, name, "",
 "auth get-or-create", {
 {"entity", "client.rbd"},
 {"caps_mon", "profile rbd-mirror"},
 {"caps_osd", "profile rbd pool=foo, profile rbd-read-only"},
 }, true, true, true,
- entity_addr_t()));
- ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
+ {}));
+ ASSERT_FALSE(cap.is_capable(nullptr, name, "",
 "auth get-or-create", {
 {"entity", "client.rbd"},
 {"caps_mon", "profile rbd"},
 {"caps_osd", "profile rbd pool=foo, profile rbd-read-only"},
 }, true, true, true,
- entity_addr_t()));
- ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
+ {}));
+ ASSERT_FALSE(cap.is_capable(nullptr, name, "",
 "auth get-or-create", {
 {"entity", "client.rbd"},
 {"caps_mon", "allow *"},
 {"caps_osd", "profile rbd"},
 }, true, true, true,
- entity_addr_t()));
- ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "",
+ {}));
+ ASSERT_FALSE(cap.is_capable(nullptr, name, "",
 "auth get-or-create", {
 {"entity", "client.rbd"},
 {"caps_mon", "profile rbd-mirror"},
 {"caps_osd", "profile rbd pool=foo, allow *, profile rbd-read-only"},
 }, true, true, true,
- entity_addr_t()));
+ {}));
 }
 TEST(MonCap, ProfileRBD) {
@@ -387,10 +356,10 @@ TEST(MonCap, ProfileRBD) {
 EntityName name;
 name.from_str("mon.a");
- ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "config-key",
+ ASSERT_FALSE(cap.is_capable(nullptr, name, "config-key",
 "config-key get", {
 {"key", "rbd/mirror/peer/1/1234"},
- }, true, false, false, entity_addr_t()));
+ }, true, false, false, {}));
 }
 TEST(MonCap, ProfileRBDMirror) {
@@ -400,8 +369,8 @@ TEST(MonCap, ProfileRBDMirror) {
 EntityName name;
 name.from_str("mon.a");
- ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "config-key",
+ ASSERT_TRUE(cap.is_capable(nullptr, name, "config-key",
 "config-key get", {
 {"key", "rbd/mirror/peer/1/1234"},
- }, true, false, false, entity_addr_t()));
+ }, true, false, false, {}));
 }
-- 
2.39.5