From 0b474c52abd3d528c041544f73b1d27d7d1b1320 Mon Sep 17 00:00:00 2001 From: John Spray Date: Mon, 16 Nov 2015 10:57:56 +0000 Subject: [PATCH] mon: don't require OSD W for MRemoveSnaps Use ability to execute "osd pool rmsnap" command as a signal that the client should be permitted to send MRemoveSnaps too. Note that we don't also require the W ability, unlike Monitor::_allowed_command -- this is slightly more permissive handling, but anyone crafting caps that explicitly permit "osd pool rmsnap" needs to know what they are doing. Fixes: #13777 Signed-off-by: John Spray --- src/mon/MonCap.cc | 2 ++ src/mon/OSDMonitor.cc | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc index 989893b20269a..a2540b56411c3 100644 --- a/src/mon/MonCap.cc +++ b/src/mon/MonCap.cc @@ -134,6 +134,8 @@ void MonCapGrant::expand_profile(EntityName name) const profile_grants.push_back(MonCapGrant("mds", MON_CAP_ALL)); profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); + // This command grant is checked explicitly in MRemoveSnaps handling + profile_grants.push_back(MonCapGrant("osd pool rmsnap")); profile_grants.push_back(MonCapGrant("log", MON_CAP_W)); } if (profile == "osd" || profile == "mds" || profile == "mon") { diff --git a/src/mon/OSDMonitor.cc b/src/mon/OSDMonitor.cc index ca10faad6508e..040332c823a32 100644 --- a/src/mon/OSDMonitor.cc +++ b/src/mon/OSDMonitor.cc @@ -2278,7 +2278,8 @@ bool OSDMonitor::preprocess_remove_snaps(MonOpRequestRef op) MonSession *session = m->get_session(); if (!session) goto ignore; - if (!session->is_capable("osd", MON_CAP_R | MON_CAP_W)) { + if (!session->caps.is_capable(g_ceph_context, session->entity_name, + "osd", "osd pool rmsnap", {}, true, true, false)) { dout(0) << "got preprocess_remove_snaps from entity with insufficient caps " << session->caps << dendl; goto ignore; -- 2.39.5