authorSage Weil <sage@inktank.com>2013-07-22 09:27:35 -0700
committerSage Weil <sage@inktank.com>2013-07-22 09:27:35 -0700
commite58b0e93209595971fd8cfb4f44c07d06f38351b (patch)
treee4be95cee610dd186a416e2450150652dba40fce
parentda2cb0901d6cdb5106deb8294b312e83dffd83db (diff)
parent3dec530de6d0c1a71ab206228b23ac57cfe0b420 (diff)
downloadceph-e58b0e93209595971fd8cfb4f44c07d06f38351b.tar.gz
Merge remote-tracking branch 'gh/wip-mon-caps' into next
Reviewed-by: Joao Eduardo Luis <joao.luis@inktank.com>
-rwxr-xr-xqa/workunits/mon/caps.sh55
-rw-r--r--src/mon/MonCap.cc14
-rw-r--r--src/mon/Monitor.cc7
3 files changed, 70 insertions, 6 deletions
diff --git a/qa/workunits/mon/caps.sh b/qa/workunits/mon/caps.sh
new file mode 100755
index 00000000000..f5aebbbb9f4
--- /dev/null
+++ b/qa/workunits/mon/caps.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+tmp=/tmp/cephtest-mon-caps-madness
+
+exit_on_error=1
+
+[[ ! -z $TEST_EXIT_ON_ERROR ]] && exit_on_error=$TEST_EXIT_ON_ERROR
+
+expect()
+{
+ cmd=$1
+ expected_ret=$2
+
+ echo $cmd
+ eval $cmd >&/dev/null
+ ret=$?
+
+ if [[ $ret -ne $expected_ret ]]; then
+ echo "Error: Expected return $expected_ret, got $ret"
+ [[ $exit_on_error -eq 1 ]] && exit 1
+ return 1
+ fi
+
+ return 0
+}
+
+expect "ceph auth get-or-create client.bazar > $tmp.bazar.keyring" 0
+expect "ceph -k $tmp.bazar.keyring --user bazar mon_status" 13
+ceph auth del client.bazar
+
+c="'allow command \"auth list\", allow command mon_status'"
+expect "ceph auth get-or-create client.foo mon $c > $tmp.foo.keyring" 0
+expect "ceph -k $tmp.foo.keyring --user foo mon_status" 0
+expect "ceph -k $tmp.foo.keyring --user foo auth list" 0
+expect "ceph -k $tmp.foo.keyring --user foo auth export" 13
+expect "ceph -k $tmp.foo.keyring --user foo auth del client.bazar" 13
+expect "ceph -k $tmp.foo.keyring --user foo osd dump" 13
+expect "ceph -k $tmp.foo.keyring --user foo pg dump" 13
+expect "ceph -k $tmp.foo.keyring --user foo quorum_status" 13
+ceph auth del client.foo
+
+c="'allow command service with prefix=list, allow command mon_status'"
+expect "ceph auth get-or-create client.bar mon $c > $tmp.bar.keyring" 0
+expect "ceph -k $tmp.bar.keyring --user bar mon_status" 0
+expect "ceph -k $tmp.bar.keyring --user bar auth list" 13
+expect "ceph -k $tmp.bar.keyring --user bar auth export" 13
+expect "ceph -k $tmp.bar.keyring --user bar auth del client.foo" 13
+expect "ceph -k $tmp.bar.keyring --user bar osd dump" 13
+expect "ceph -k $tmp.bar.keyring --user bar pg dump" 13
+expect "ceph -k $tmp.bar.keyring --user bar quorum_status" 13
+ceph auth del client.bar
+
+rm $tmp.bazar.keyring $tmp.foo.keyring $tmp.bar.keyring
+
+echo OK \ No newline at end of file
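Review bot: The keyrings written by the `get-or-create ... > $tmp.*.keyring` redirections (lines 51, 56, 67) carry secret keys, but `$tmp` is a fixed, predictable name under the shared `/tmp` and the files are created with the caller's default umask, so another local user can pre-create or read them; use a private scratch directory instead: `tmpdir=$(mktemp -d)`, `tmp=$tmpdir/caps`, and `rm -r "$tmpdir"` in place of the `rm` on line 77, with `umask 077` near the top. The `ceph auth del` cleanups on lines 53, 64 and 75 are not wrapped in `expect`, so a failed deletion leaves the test entities behind silently; `expect "ceph auth del client.bazar" 0` would keep them checked like everything else. A one-line header comment stating the contract being tested would help the next reader, e.g. `# mon caps: an entity with no mon cap, or with only "allow command ..." grants, must get EACCES (13) for anything outside its grants.`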
diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index 1114ca3b9da..8e35b775247 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -261,15 +261,21 @@ bool MonCap::is_capable(CephContext *cct,
if (cct)
ldout(cct, 20) << " allow so far " << allow << ", doing grant " << *p << dendl;
- if (p->is_allow_all())
+ if (p->is_allow_all()) {
+ if (cct)
+ ldout(cct, 20) << " allow all" << dendl;
return true;
+ }
// check enumerated caps
allow = allow | p->get_allowed(cct, name, service, command, command_args);
- if (!((op_may_read && !(allow & MON_CAP_R)) ||
- (op_may_write && !(allow & MON_CAP_W)) ||
- (op_may_exec && !(allow & MON_CAP_X))))
+ if ((!op_may_read || (allow & MON_CAP_R)) &&
+ (!op_may_write || (allow & MON_CAP_W)) &&
+ (!op_may_exec || (allow & MON_CAP_X))) {
+ if (cct)
+ ldout(cct, 20) << " match" << dendl;
return true;
+ }
}
return false;
}
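Review bot: The R/W/X test on lines 98–100 is evaluated against `allow`, which line 94 accumulates as the OR over every grant visited so far, so the bits that satisfy one request can come from different grants; that is only safe if `get_allowed` returns 0 for any grant that does not itself match the `(name, service, command, command_args)` tuple, which is outside this hunk. I would make that contract explicit above line 94: `// allow is the union of bits from every grant that matched this (name, service, command, args); a non-matching grant must contribute nothing, or bits from unrelated grants would combine.` The rewritten condition is logically equivalent to the old one (De Morgan), so the behaviour change here is only the added logging. The head of `is_capable`, including where `allow` is initialised, is outside the hunk.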
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 90750dd7b11..7e484e8db6b 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -1523,8 +1523,10 @@ bool Monitor::_allowed_command(MonSession *s, map<string, cmd_vartype>& cmd)
{
bool retval = false;
- if (s->caps.is_allow_all())
+ if (s->caps.is_allow_all()) {
+ dout(10) << __func__ << " allow_all" << dendl;
return true;
+ }
string prefix;
cmd_getval(g_ceph_context, cmd, "prefix", prefix);
@@ -1538,10 +1540,11 @@ bool Monitor::_allowed_command(MonSession *s, map<string, cmd_vartype>& cmd)
}
if (s->caps.is_capable(g_ceph_context, s->inst.name,
- "", prefix, strmap, false, false, false)) {
+ "", prefix, strmap, false, false, true)) {
retval = true;
}
+ dout(10) << __func__ << " = " << retval << dendl;
return retval;
}
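Review bot: The new trace on line 129 records only the boolean result, so a denied command cannot be attributed to a caller or a command from the log; both `s->inst.name` (line 124) and `prefix` (line 121) are already in scope, so `dout(10) << __func__ << " " << s->inst.name << " prefix=" << prefix << " = " << retval << dendl;` makes the line useful for auditing cap failures. Passing `true` for `op_may_exec` on line 126 means a command is now only allowed when the caps yield MON_CAP_X for it, which is what the new caps.sh checks; a brief comment on that line, `// commands require X; r/w are not implied by a matching grant`, would record why the flag changed. Level 10 is below the default, so denials stay invisible in a stock deployment; consider whether a denied command merits a lower level. The end of `_allowed_command` is visible here but its middle lies between the two hunks.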