From ef3c42cd6481a4c275b593bc60c8ee2142148e9f Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Wed, 23 Oct 2019 13:36:48 -0500
Subject: [PATCH] auth: EACCES, not EPERM
EPERM means an operation requires superuser; EACCES more generally means permission denied. We use EACCES elsewhere for ceph auth denials; use it here too for consistency.
This fixes qa/workunits/mon/caps.sh.
Signed-off-by: Sage Weil
---
 src/auth/cephx/CephxClientHandler.cc | 4 ++--
 src/auth/cephx/CephxKeyServer.cc | 2 +-
 src/auth/cephx/CephxServiceHandler.cc | 14 +++++++-------
 src/auth/krb/KrbClientHandler.cpp | 4 ++--
 src/auth/krb/KrbServiceHandler.cpp | 4 ++--
 src/ceph.in | 2 +-
 src/mds/MDSDaemon.cc | 2 +-
 src/mgr/DaemonServer.cc | 4 ++--
 src/mon/Monitor.cc | 8 ++++----
 src/osd/OSD.cc | 8 ++++----
 10 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc
index 94a9b7a0eb3b9..089b864727183 100644
--- a/src/auth/cephx/CephxClientHandler.cc
+++ b/src/auth/cephx/CephxClientHandler.cc
@@ -154,7 +154,7 @@ int CephxClientHandler::handle_response(
 if (!tickets.verify_service_ticket_reply(secret, indata)) {
 ldout(cct, 0) << "could not verify service_ticket reply" << dendl;
- return -EPERM;
+ return -EACCES;
 }
 ldout(cct, 10) << " want=" << want << " need=" << need << " have=" << have << dendl;
 if (!indata.end()) {
@@ -208,7 +208,7 @@ int CephxClientHandler::handle_response(
 if (!tickets.verify_service_ticket_reply(ticket_handler.session_key, indata)) {
 ldout(cct, 0) << "could not verify service_ticket reply" << dendl;
- return -EPERM;
+ return -EACCES;
 }
 validate_tickets();
 if (!_need_tickets()) {
diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index ec9fe99038264..d6ba3fea15a1c 100644
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
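Review bot: The return value changed in the @@ -154 hunk is the one a client receives when the service-ticket reply fails to verify, so this is a user-visible change for librados/libcephfs callers and scripts that test for EPERM to mean "bad key or caps", not only an internal consistency fix; the commit message should say so, and the ceph.in hunk in this same patch shows that at least one caller already had to be taught both codes. Whether the connect/auth entry points pass this code through unchanged is not visible here, but nothing in either hunk maps it before it leaves handle_response(). A note in the description such as "clients now see EACCES instead of EPERM on cephx authentication failure; callers matching EPERM should accept both" would make the compatibility impact explicit. handle_response() starts before and continues after both hunks.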
@@ -436,7 +436,7 @@ int KeyServer::build_session_auth_info(uint32_t service_id,
 CephXSessionAuthInfo& info) {
 if (!get_service_secret(service_id, info.service_secret, info.secret_id)) {
- return -EPERM;
+ return -EACCES;
 }
 std::scoped_lock l{lock};
diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc
index a34f0b4ee3091..dfc9baf695744 100644
--- a/src/auth/cephx/CephxServiceHandler.cc
+++ b/src/auth/cephx/CephxServiceHandler.cc
@@ -75,12 +75,12 @@ int CephxServiceHandler::handle_request(
 CryptoKey secret;
 if (!key_server->get_secret(entity_name, secret)) {
 ldout(cct, 0) << "couldn't find entity name: " << entity_name << dendl;
- ret = -EPERM;
+ ret = -EACCES;
 break;
 }
 if (!server_challenge) {
- ret = -EPERM;
+ ret = -EACCES;
 break;
 }
@@ -90,7 +90,7 @@ int CephxServiceHandler::handle_request(
 req.client_challenge, &expected_key, error);
 if (!error.empty()) {
 ldout(cct, 0) << " cephx_calc_client_server_challenge error: " << error << dendl;
- ret = -EPERM;
+ ret = -EACCES;
 break;
 }
@@ -99,7 +99,7 @@ int CephxServiceHandler::handle_request(
 if (req.key != expected_key) {
 ldout(cct, 0) << " unexpected key: req.key=" << hex << req.key << " expected_key=" << expected_key << dec << dendl;
- ret = -EPERM;
+ ret = -EACCES;
 break;
 }
@@ -109,7 +109,7 @@ int CephxServiceHandler::handle_request(
 EntityAuth eauth;
 if (! key_server->get_auth(entity_name, eauth)) {
- ret = -EPERM;
+ ret = -EACCES;
 break;
 }
 CephXServiceTicketInfo old_ticket_info;
@@ -229,7 +229,7 @@ int CephxServiceHandler::handle_request(
 cct, *key_server, indata, 0, auth_ticket_info, nullptr, nullptr, &tmp_bl)) {
- ret = -EPERM;
+ ret = -EACCES;
 break;
 }
@@ -280,7 +280,7 @@ int CephxServiceHandler::handle_request(
 << entity_name << dendl;
 build_cephx_response_header(cephx_header.request_type, 0, *result_bl);
 if (!key_server->get_rotating_encrypted(entity_name, *result_bl)) {
- ret = -EPERM;
+ ret = -EACCES;
 break;
 }
 }
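Review bot: In the KeyServer::build_session_auth_info hunk the failure now mapped to -EACCES is the key server having no secret to return for `service_id`, which is a server-side key-availability problem rather than a denial of the requester, so callers will report "permission denied" for something no change of credentials can fix, and nothing in the hunk records which service_id was missing. If consistency with the other denials is the goal, keep EACCES but make the cause findable: a comment on the return such as `// no secret available for service_id; surfaces to the client as EACCES` plus a log line at this file's usual level naming service_id (the logging macro this file uses is not visible in the hunk). build_session_auth_info continues past the hunk.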
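Review bot: The `unexpected key` log line in the @@ -99 hunk prints `expected_key` at log level 0, so every mismatched challenge response writes the value that would have passed for that challenge pair — a value derived from the entity's shared secret — into the default daemon log; the commit keeps that line as context. Whether it is replayable depends on whether `server_challenge` is reused for a retry on the same connection, which is not visible here, but a secret-derived value should not sit in a level-0 log in either case, so I would log only the mismatch, `ldout(cct, 0) << " unexpected key from " << entity_name << " (challenge response mismatch)" << dendl;`, and keep `req.key`/`expected_key` behind a high debug level. Separately, the `if (!server_challenge)` branch in the @@ -75 hunk is the only denial in this function that logs nothing before setting `-EACCES`; a one-line `ldout(cct, 0) << " no server challenge for " << entity_name << dendl;` would make that EACCES traceable in the log. handle_request begins before and continues between and after these hunks.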
diff --git a/src/auth/krb/KrbClientHandler.cpp b/src/auth/krb/KrbClientHandler.cpp
index e39d074e64d1c..1f728b4dd6e00 100644
--- a/src/auth/krb/KrbClientHandler.cpp
+++ b/src/auth/krb/KrbClientHandler.cpp
@@ -161,7 +161,7 @@ int KrbClientHandler::handle_response(
 << gss_minor_status << " " << status_str << dendl;
- return (-EPERM);
+ return (-EACCES);
 }
 gss_buffer_desc krb_input_name_buff = {0, nullptr};
@@ -244,7 +244,7 @@ int KrbClientHandler::handle_response(
 << gss_minor_status << " " << status_str << dendl;
- result = (-EPERM);
+ result = (-EACCES);
 break;
 }
diff --git a/src/auth/krb/KrbServiceHandler.cpp b/src/auth/krb/KrbServiceHandler.cpp
index d7c0feeb34a0a..3bd679d0ab5f4 100644
--- a/src/auth/krb/KrbServiceHandler.cpp
+++ b/src/auth/krb/KrbServiceHandler.cpp
@@ -124,7 +124,7 @@ int KrbServiceHandler::handle_request(
 << gss_minor_status << " " << status_str << dendl;
- result = (-EPERM);
+ result = (-EACCES);
 break;
 }
 }
@@ -206,7 +206,7 @@ int KrbServiceHandler::start_session(
 << gss_minor_status << " " << status_str << dendl;
- return (-EPERM);
+ return (-EACCES);
 } else {
 KrbResponse krb_response;
 krb_response.m_response_type =
diff --git a/src/ceph.in b/src/ceph.in
index fac4ce3f06e99..234bccf024f7a 100755
--- a/src/ceph.in
+++ b/src/ceph.in
@@ -399,7 +399,7 @@ def do_extended_help(parser, args, target, partial):
 prefix='get_command_descriptions', timeout=10)
 if ret:
- if ret == -errno.EPERM and target[0] in ('osd', 'mds'):
+ if (ret == -errno.EPERM or ret == -errno.EACCES) and target[0] in ('osd', 'mds'):
 print("Permission denied. Check that your user has 'allow *' "
 "capabilities for the target daemon type.", file=sys.stderr)
 elif ret == -errno.EPERM:
diff --git a/src/mds/MDSDaemon.cc b/src/mds/MDSDaemon.cc
index 5595a01a42eb5..decc7f47b130e 100644
--- a/src/mds/MDSDaemon.cc
+++ b/src/mds/MDSDaemon.cc
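Review bot: The `elif ret == -errno.EPERM:` branch directly below the changed line in the ceph.in hunk still tests EPERM only, so for targets other than osd/mds (mon, mgr) a daemon that now replies -EACCES skips both permission branches and falls into whatever generic handling follows, while an older daemon replying -EPERM still gets the permission message; the patch updates only the first condition. Extend the second the same way, `elif ret in (-errno.EPERM, -errno.EACCES):`, and the first can use the same form, `if ret in (-errno.EPERM, -errno.EACCES) and target[0] in ('osd', 'mds'):`. Keeping EPERM in both checks is right rather than a leftover, since pre-change daemons in a mixed-version cluster still reply EPERM, and a short comment saying so (`# older daemons reply EPERM, newer ones EACCES`) would stop a later cleanup from dropping it. do_extended_help continues past the hunk, so the fallthrough branch itself is not visible here.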
@@ -500,7 +500,7 @@ void MDSDaemon::handle_command(const cref_t &m)
 << *m->get_connection()->peer_addrs << dendl;
 ss << "permission denied";
- r = -EPERM;
+ r = -EACCES;
 } else if (m->cmd.empty()) {
 r = -EINVAL;
 ss << "no command given";
diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc
index 454179727df8e..e087f0ea931a9 100644
--- a/src/mgr/DaemonServer.cc
+++ b/src/mgr/DaemonServer.cc
@@ -191,12 +191,12 @@ int DaemonServer::ms_handle_authentication(Connection *con)
 catch (buffer::error& e) {
 dout(10) << " session " << s << " " << s->entity_name << " failed to decode caps" << dendl;
- return -EPERM;
+ return -EACCES;
 }
 if (!s->caps.parse(str)) {
 dout(10) << " session " << s << " " << s->entity_name << " failed to parse caps '" << str << "'" << dendl;
- return -EPERM;
+ return -EACCES;
 }
 dout(10) << " session " << s << " " << s->entity_name << " has caps " << s->caps << " '" << str << "'" << dendl;
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 166f85f172775..d570948a7ae89 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -3152,7 +3152,7 @@ void Monitor::handle_tell_command(MonOpRequestRef op)
 MCommand *m = static_cast(op->get_req());
 if (m->fsid != monmap->fsid) {
 dout(0) << "handle_command on fsid " << m->fsid << " != " << monmap->fsid << dendl;
- reply_command(op, -EPERM, "wrong fsid", 0);
+ reply_command(op, -EACCES, "wrong fsid", 0);
 return;
 }
 MonSession *session = op->get_session();
@@ -3180,7 +3180,7 @@ void Monitor::handle_tell_command(MonOpRequestRef op)
 "mon", prefix, param_str_map, true, true, true, session->get_peer_socket_addr())) {
- reply_tell_command(op, -EPERM, "insufficient caps");
+ reply_tell_command(op, -EACCES, "insufficient caps");
 }
 }
 // pass it to asok
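Review bot: In the @@ -3152 hunk an fsid mismatch is now answered with -EACCES, but by the commit's own reasoning EACCES means the requester lacks permission, whereas a command carrying another cluster's fsid is mis-addressed and no change of key or caps can make it succeed; a client that reacts to EACCES with a credentials/caps hint (as the ceph.in hunk in this patch does for osd/mds) will point the user at the wrong problem. If the fail-closed mapping is intentional, say so on the line, `reply_command(op, -EACCES, "wrong fsid", 0);  // deliberate: a foreign-fsid command is refused like an unauthorized one`, otherwise -EINVAL matches the `dout(0)` diagnostic above it better. The @@ -3180 `insufficient caps` case is the genuine permission denial here and reads correctly. handle_tell_command starts before and continues between and after these hunks.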
@@ -6382,7 +6382,7 @@ int Monitor::ms_handle_authentication(Connection *con)
 derr << __func__ << " corrupt cap data for " << con->get_peer_entity_name() << " in auth db" << dendl;
 str.clear();
- ret = -EPERM;
+ ret = -EACCES;
 }
 if (ret >= 0) {
 if (s->caps.parse(str, NULL)) {
@@ -6391,7 +6391,7 @@ int Monitor::ms_handle_authentication(Connection *con)
 } else {
 derr << __func__ << " unparseable caps '" << str << "' for " << con->get_peer_entity_name() << dendl;
- ret = -EPERM;
+ ret = -EACCES;
 }
 }
 }
diff --git a/src/osd/OSD.cc b/src/osd/OSD.cc
index dbf1e754f70fa..5156aa01c3872 100644
--- a/src/osd/OSD.cc
+++ b/src/osd/OSD.cc
@@ -6723,12 +6723,12 @@ void OSD::handle_command(MCommand *m)
 ConnectionRef con = m->get_connection();
 auto session = ceph::ref_cast(con->get_priv());
 if (!session) {
- con->send_message(new MCommandReply(m, -EPERM));
+ con->send_message(new MCommandReply(m, -EACCES));
 m->put();
 return;
 }
 if (!session->caps.allow_all()) {
- con->send_message(new MCommandReply(m, -EPERM));
+ con->send_message(new MCommandReply(m, -EACCES));
 m->put();
 return;
 }
@@ -7099,7 +7099,7 @@ int OSD::ms_handle_authentication(Connection *con)
 catch (buffer::error& e) {
 dout(10) << __func__ << " session " << s << " " << s->entity_name << " failed to decode caps string" << dendl;
- ret = -EPERM;
+ ret = -EACCES;
 }
 if (!ret) {
 bool success = s->caps.parse(str);
@@ -7111,7 +7111,7 @@ int OSD::ms_handle_authentication(Connection *con)
 } else {
 dout(10) << __func__ << " session " << s << " " << s->entity_name << " failed to parse caps '" << str << "'" << dendl;
- ret = -EPERM;
+ ret = -EACCES;
 }
 }
 }
-- 2.39.5
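Review bot: In the @@ -6723 OSD::handle_command hunk both denial paths reply -EACCES with no log line and no message text, whereas the MDSDaemon hunk in this same patch logs the peer address and sets "permission denied" before returning; an admin command rejected by an OSD therefore leaves no trace in the OSD log for anyone correlating denied tell commands, and the `!session` case (no authenticated session at all) is indistinguishable from a caps failure. Add a line before each reply, e.g. `dout(10) << __func__ << " denied command from " << con->get_peer_addr() << (session ? " (caps lack allow *)" : " (no session)") << dendl;`, using whichever peer-address accessor OSD.cc already uses elsewhere. Whether handle_command logs the incoming command earlier, before the hunk, is not visible; the function starts before and continues after this hunk.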