From e7a721f0d2642047bdf0548da224698da7a2ce86 Mon Sep 17 00:00:00 2001
From: Rishabh Dave
Date: Wed, 16 Sep 2020 16:29:24 +0530
Subject: [PATCH] mon/MonCap: check profile_grants too while checking caps

When checking if a certain fs subcommand can and should be executed in FSCommands.cc, check permissions in "profile_grants" too when the caps for that entity contains a cap profile.

Fixes: https://tracker.ceph.com/issues/47423
Signed-off-by: Rishabh Dave
---
 src/mon/MonCap.h | 17 +++++++++++++----
 src/mon/Session.h | 2 +-
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/mon/MonCap.h b/src/mon/MonCap.h
index d38ffc54be778..ab4e35bc90ce7 100644
--- a/src/mon/MonCap.h
+++ b/src/mon/MonCap.h
@@ -195,13 +195,22 @@ struct MonCap {
 return ret;
 }
 
- bool fs_name_capable(string_view fs_name, __u8 mask) {
- for (auto& g: grants) {
+ bool fs_name_capable(const EntityName& ename, string_view fs_name,
+ __u8 mask) {
+ for (auto& g : grants) {
 if (g.is_allow_all()) {
 return true;
 }
- if (g.fs_name.empty() || g.fs_name == fs_name) {
- if (mask & g.allow) {
+
+ if ((g.fs_name.empty() || g.fs_name == fs_name) && (mask & g.allow)) {
+ return true;
+ }
+
+ g.expand_profile(ename);
+ for (auto& pg : g.profile_grants) {
+ if ((pg.service == "fs" || pg.service == "mds") &&
+ (pg.fs_name.empty() || pg.fs_name == fs_name) &&
+ (pg.allow & mask)) {
 return true;
 }
 }
diff --git a/src/mon/Session.h b/src/mon/Session.h
index 0502dcc77a923..77925fe47b86d 100644
--- a/src/mon/Session.h
+++ b/src/mon/Session.h
@@ -111,7 +111,7 @@ struct MonSession : public RefCountedObject {
 }
 
 bool fs_name_capable(string_view fsname, __u8 mask) {
- return caps.fs_name_capable(fsname, mask);
+ return caps.fs_name_capable(entity_name, fsname, mask);
 }
 
 const entity_addr_t& get_peer_socket_addr() {
--
2.47.3
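Review bot: Both permission tests in the new `MonCap::fs_name_capable` accept any overlap between `mask` and the grant's allow bits (`mask & g.allow`, `pg.allow & mask`), so a caller passing a multi-bit mask would be authorised by a grant holding only one of those bits; if every requested bit is meant to be required, compare with `(pg.allow & mask) == mask` and do the same for `g.allow`. The profile-grant loop limits matches to the `fs` and `mds` services, but the direct test on `g` has no service condition, so the two paths do not apply the same scoping, and it is worth confirming that this is intended. `g.expand_profile(ename)` also runs inside what reads as a pure query; a one-line comment such as `// populate g.profile_grants for this entity before checking them` would make that side effect explicit. The function's closing lines, including its final return, fall outside the hunk.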