From c6e2c97c6e9cbf1e37c53d5d490d65091205928c Mon Sep 17 00:00:00 2001
From: Rishabh Dave
Date: Thu, 11 Jul 2024 23:58:22 +0530
Subject: [PATCH] cephfs: disallow removing root_squash via "fs authorize" cmd

Removing root_squasn from MDS auth caps through "fs authorize" command should not be allowed as this command it not allowed to/meant for removing caps.

Fixes: https://tracker.ceph.com/issues/65808
Signed-off-by: Rishabh Dave
---
 qa/tasks/cephfs/test_admin.py | 3 ---
 src/mds/MDSAuthCaps.cc | 6 +++++-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/qa/tasks/cephfs/test_admin.py b/qa/tasks/cephfs/test_admin.py
index a321c0e3457a6..83700aecd42a3 100644
--- a/qa/tasks/cephfs/test_admin.py
+++ b/qa/tasks/cephfs/test_admin.py
@@ -2145,9 +2145,6 @@ class TestFsAuthorizeUpdate(CephFSTestCase):
 caps mon = "allow r fsname=a"
 caps osd = "allow rw tag cephfs data=a"
 """
- self.skipTest('this test is broken ATM, see '
- 'https://tracker.ceph.com/issues/65808')
-
 PERM, PATH = 'rw', 'dir1'
 self.mount_a.run_shell(f'mkdir {PATH}')
 self.captester = CapTester(self.mount_a, PATH)
diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index 5e4bd995175c2..0cde876143a8b 100644
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -410,7 +410,11 @@ bool MDSAuthCaps::merge_one_cap_grant(MDSCapGrant ng)
 // fsname and path match but value of root_squash is different. update
 // its value.
 if (g.match.root_squash != ng.match.root_squash) {
- g.match.root_squash = ng.match.root_squash;
+ // "fs authorize" command is not allowed to deduct caps. so, we can add
+ // but not remove root_squash from MDS auth caps.
+ if (g.match.root_squash == false) {
+ g.match.root_squash = ng.match.root_squash;
+ }
 }
 
 // Since fsname and path matched and either perm/spec or root_squash
-- 
2.39.5
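Review bot: In `merge_one_cap_grant`, a request whose grant lacks root_squash is now silently ignored when the existing grant already has it, yet the context comment above the new branch still says "update its value" and the trailing context comment suggests the code that follows treats the grant as changed. An operator running "fs authorize" would then get no indication that root_squash was kept, so it is worth checking that the return value and the command's output (both outside this hunk) do not report an update in that case. The nested test can also be written directly as `if (!g.match.root_squash && ng.match.root_squash) g.match.root_squash = true;`, with the comment above it reworded to `// root_squash differs: it may be added here but is never removed.`. The function body starts and ends outside the hunk.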