From def15d7feaa877176294e5bd118e52dee5459f38 Mon Sep 17 00:00:00 2001
From: Sage Weil <sage@inktank.com>
Date: Tue, 22 May 2012 17:59:22 -0700
Subject: [PATCH] mon: push down 'auth ...' command auth checks

Signed-off-by: Sage Weil <sage@inktank.com>
---
 src/mon/AuthMonitor.cc | 19 ++++++++++++++++++-
 src/mon/Monitor.cc     |  4 ----
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index fe192d0d4a98e..cf71fc5fb4c89 100644
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -434,7 +434,16 @@ bool AuthMonitor::preprocess_command(MMonCommand *m)
 	m->cmd[1] == "caps") {
       return false;
     }
-    else if (m->cmd[1] == "export") {
+
+    MonSession *session = m->get_session();
+    if (!session ||
+	(!session->caps.get_allow_all() &&
+	 !mon->_allowed_command(session, m->cmd))) {
+      mon->reply_command(m, -EACCES, "access denied", rdata, paxos->get_version());
+      return true;
+    }
+
+    if (m->cmd[1] == "export") {
       KeyRing keyring;
       export_keyring(keyring);
       if (m->cmd.size() > 2) {
@@ -544,6 +553,14 @@ bool AuthMonitor::prepare_command(MMonCommand *m)
   string rs;
   int err = -EINVAL;
 
+  MonSession *session = m->get_session();
+  if (!session ||
+      (!session->caps.get_allow_all() &&
+       !mon->_allowed_command(session, m->cmd))) {
+    mon->reply_command(m, -EACCES, "access denied", rdata, paxos->get_version());
+    return true;
+  }
+
   // nothing here yet
   if (m->cmd.size() > 1) {
     if (m->cmd[1] == "import") {
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 86583acf4a101..3e3d39da9929a 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -1220,10 +1220,6 @@ void Monitor::handle_command(MMonCommand *m)
       return;
     }
     if (m->cmd[0] == "auth") {
-      if (!session->caps.get_allow_all() && !_allowed_command(session, m->cmd)) {
-	r = -EACCES;
-	goto out;
-      }
       authmon()->dispatch(m);
       return;
     }
-- 
2.39.5