From e895d61f3ef30e08ebfbb8b810ff0df741f7bbab Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Tue, 22 May 2012 18:27:47 -0700
Subject: [PATCH] mon: apply 'r' and 'w' caps to mon and pg commands

Signed-off-by: Sage Weil
---
 src/mon/Monitor.cc | 10 ----------
 src/mon/MonmapMonitor.cc | 19 +++++++++++++++++++
 src/mon/PGMonitor.cc | 18 ++++++++++++++++++
 3 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 9e59ab3431ac..426892e4e2b3 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -1142,20 +1142,10 @@ void Monitor::handle_command(MMonCommand *m)
 return;
 }
 if (m->cmd[0] == "pg") {
- if (!session->caps.get_allow_all() && !_allowed_command(session, m->cmd)) {
- r = -EACCES;
- rs = "access denied";
- goto out;
- }
 pgmon()->dispatch(m);
 return;
 }
 if (m->cmd[0] == "mon") {
- if (!session->caps.get_allow_all() && !_allowed_command(session, m->cmd)) {
- r = -EACCES;
- rs = "access denied";
- goto out;
- }
 monmon()->dispatch(m);
 return;
 }
diff --git a/src/mon/MonmapMonitor.cc b/src/mon/MonmapMonitor.cc
index 1b7dd2736d93..1b84e463b131 100644
--- a/src/mon/MonmapMonitor.cc
+++ b/src/mon/MonmapMonitor.cc
@@ -136,6 +136,15 @@ bool MonmapMonitor::preprocess_command(MMonCommand *m)
 bufferlist rdata;
 stringstream ss;
 
+ MonSession *session = m->get_session();
+ if (!session ||
+ (!session->caps.get_allow_all() &&
+ !session->caps.check_privileges(PAXOS_MONMAP, MON_CAP_R) &&
+ !mon->_allowed_command(session, m->cmd))) {
+ mon->reply_command(m, -EACCES, "access denied", paxos->get_version());
+ return true;
+ }
+
 vector args;
 for (unsigned i = 1; i < m->cmd.size(); i++)
 args.push_back(m->cmd[i].c_str());
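Review bot: The gate added at the top of MonmapMonitor::preprocess_command requires `MON_CAP_R` (or allow-all, or an `_allowed_command` match) for every `mon` command, not only the read-only ones, and nothing in the code says whether that is intended. If mutating commands also pass through preprocess_command before prepare_command (the dispatcher is not in this diff, so this needs confirming), a session granted only 'w' is refused here and never reaches the write check, which in practice pushes operators toward granting wider caps than the job needs. A comment above the condition would settle it, for example `// 'r' on the monmap is required for every mon command, including those that go on to prepare_command`. The same applies to the gate in PGMonitor::preprocess_command; both functions start and end outside their hunks.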
@@ -279,6 +288,16 @@ bool MonmapMonitor::prepare_command(MMonCommand *m)
 stringstream ss;
 string rs;
 int err = -EINVAL;
+
+ MonSession *session = m->get_session();
+ if (!session ||
+ (!session->caps.get_allow_all() &&
+ !session->caps.check_privileges(PAXOS_MONMAP, MON_CAP_R) &&
+ !mon->_allowed_command(session, m->cmd))) {
+ mon->reply_command(m, -EACCES, "access denied", paxos->get_version());
+ return true;
+ }
+
 if (m->cmd.size() > 1) {
 if (m->cmd.size() == 4 && m->cmd[1] == "add") {
 string name = m->cmd[2];
diff --git a/src/mon/PGMonitor.cc b/src/mon/PGMonitor.cc
index 85f388631df0..97fbb1b3e7af 100644
--- a/src/mon/PGMonitor.cc
+++ b/src/mon/PGMonitor.cc
@@ -832,6 +832,15 @@ bool PGMonitor::preprocess_command(MMonCommand *m)
 bufferlist rdata;
 stringstream ss;
 
+ MonSession *session = m->get_session();
+ if (!session ||
+ (!session->caps.get_allow_all() &&
+ !session->caps.check_privileges(PAXOS_PGMAP, MON_CAP_R) &&
+ !mon->_allowed_command(session, m->cmd))) {
+ mon->reply_command(m, -EACCES, "access denied", rdata, paxos->get_version());
+ return true;
+ }
+
 vector args;
 for (unsigned i = 1; i < m->cmd.size(); i++)
 args.push_back(m->cmd[i].c_str());
@@ -1030,6 +1039,15 @@ bool PGMonitor::prepare_command(MMonCommand *m)
 int r = -EINVAL;
 string rs;
 
+ MonSession *session = m->get_session();
+ if (!session ||
+ (!session->caps.get_allow_all() &&
+ !session->caps.check_privileges(PAXOS_PGMAP, MON_CAP_W) &&
+ !mon->_allowed_command(session, m->cmd))) {
+ mon->reply_command(m, -EACCES, "access denied", paxos->get_version());
+ return true;
+ }
+
 if (m->cmd.size() >= 1 && m->cmd[1] == "force_create_pg") {
 if (m->cmd.size() <= 2) {
 ss << "usage: pg force_create_pg ";
-- 
2.47.3
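Review bot: The check added to MonmapMonitor::prepare_command tests `MON_CAP_R`, although this function handles commands that change the monmap (`m->cmd[1] == "add"` is visible just below) and the matching check in PGMonitor::prepare_command uses `MON_CAP_W`. As written, a session holding only read caps on the monmap passes the gate for write commands; the line should read `!session->caps.check_privileges(PAXOS_MONMAP, MON_CAP_W) &&`. The four copies of this condition differ only in the service id and the cap bit, so moving it into one helper on Monitor that takes both as arguments would make a wrong bit easier to spot in review. The function body continues outside the hunk.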
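Review bot: The deny branch added to PGMonitor::prepare_command ends in `return true`, and the one in MonmapMonitor::prepare_command does the same. If a true result from prepare_command tells the caller there is pending state to propose (the caller is not in this diff, so this is an assumption to confirm), every refused command from a read-only session would start a proposal with nothing in it; `return false;` after the reply avoids that. Separately, the unchanged line right after the new check, `m->cmd.size() >= 1 && m->cmd[1] == "force_create_pg"`, reads element 1 after checking only that one element exists, so a bare `pg` command that gets this far indexes past the end; the guard should be `m->cmd.size() > 1`. The function body continues outside the hunk.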