author | Sage Weil <sage@inktank.com> | 2013-07-22 09:27:35 -0700 |
---|---|---|
committer | Sage Weil <sage@inktank.com> | 2013-07-22 09:27:35 -0700 |
commit | e58b0e93209595971fd8cfb4f44c07d06f38351b (patch) | |
tree | e4be95cee610dd186a416e2450150652dba40fce | |
parent | da2cb0901d6cdb5106deb8294b312e83dffd83db (diff) | |
parent | 3dec530de6d0c1a71ab206228b23ac57cfe0b420 (diff) | |
download | ceph-e58b0e93209595971fd8cfb4f44c07d06f38351b.tar.gz |
Merge remote-tracking branch 'gh/wip-mon-caps' into next
Reviewed-by: Joao Eduardo Luis <joao.luis@inktank.com>
-rwxr-xr-x | qa/workunits/mon/caps.sh | 55 | ||||
-rw-r--r-- | src/mon/MonCap.cc | 14 | ||||
-rw-r--r-- | src/mon/Monitor.cc | 7 |
3 files changed, 70 insertions, 6 deletions
diff --git a/qa/workunits/mon/caps.sh b/qa/workunits/mon/caps.sh
new file mode 100755
index 00000000000..f5aebbbb9f4
--- /dev/null
+++ b/qa/workunits/mon/caps.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+tmp=/tmp/cephtest-mon-caps-madness
+
+exit_on_error=1
+
+[[ ! -z $TEST_EXIT_ON_ERROR ]] && exit_on_error=$TEST_EXIT_ON_ERROR
+
+expect()
+{
+ cmd=$1
+ expected_ret=$2
+
+ echo $cmd
+ eval $cmd >&/dev/null
+ ret=$?
+
+ if [[ $ret -ne $expected_ret ]]; then
+ echo "Error: Expected return $expected_ret, got $ret"
+ [[ $exit_on_error -eq 1 ]] && exit 1
+ return 1
+ fi
+
+ return 0
+}
+
+expect "ceph auth get-or-create client.bazar > $tmp.bazar.keyring" 0
+expect "ceph -k $tmp.bazar.keyring --user bazar mon_status" 13
+ceph auth del client.bazar
+
+c="'allow command \"auth list\", allow command mon_status'"
+expect "ceph auth get-or-create client.foo mon $c > $tmp.foo.keyring" 0
+expect "ceph -k $tmp.foo.keyring --user foo mon_status" 0
+expect "ceph -k $tmp.foo.keyring --user foo auth list" 0
+expect "ceph -k $tmp.foo.keyring --user foo auth export" 13
+expect "ceph -k $tmp.foo.keyring --user foo auth del client.bazar" 13
+expect "ceph -k $tmp.foo.keyring --user foo osd dump" 13
+expect "ceph -k $tmp.foo.keyring --user foo pg dump" 13
+expect "ceph -k $tmp.foo.keyring --user foo quorum_status" 13
+ceph auth del client.foo
+
+c="'allow command service with prefix=list, allow command mon_status'"
+expect "ceph auth get-or-create client.bar mon $c > $tmp.bar.keyring" 0
+expect "ceph -k $tmp.bar.keyring --user bar mon_status" 0
+expect "ceph -k $tmp.bar.keyring --user bar auth list" 13
+expect "ceph -k $tmp.bar.keyring --user bar auth export" 13
+expect "ceph -k $tmp.bar.keyring --user bar auth del client.foo" 13
+expect "ceph -k $tmp.bar.keyring --user bar osd dump" 13
+expect "ceph -k $tmp.bar.keyring --user bar pg dump" 13
+expect "ceph -k $tmp.bar.keyring --user bar quorum_status" 13
+ceph auth del client.bar
+
+rm $tmp.bazar.keyring $tmp.foo.keyring $tmp.bar.keyring
+
+echo OK
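Review bot: The keyrings carry each test client's secret key and are written to the fixed, predictable path `/tmp/cephtest-mon-caps-madness.*.keyring` with the default umask, and the final `rm` plus the three `ceph auth del` calls only run when every expectation passes, so a failure with exit_on_error=1 leaves both the key files and the client.bazar/foo/bar entities behind. Creating the files under a private directory and cleaning up on any exit fixes both: `tmpdir=$(mktemp -d)`, `tmp=$tmpdir/cephtest-mon-caps-madness`, `trap 'rm -rf "$tmpdir"' EXIT`, with the auth del calls moved into the same cleanup (ignoring their exit status, since an entity may not have been created yet). `[[ ! -z $TEST_EXIT_ON_ERROR ]]` reads more naturally as `[[ -n $TEST_EXIT_ON_ERROR ]]`.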
\ No newline at end of file
diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index 1114ca3b9da..8e35b775247 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -261,15 +261,21 @@ bool MonCap::is_capable(CephContext *cct,
 if (cct)
 ldout(cct, 20) << " allow so far " << allow << ", doing grant " << *p << dendl;
- if (p->is_allow_all())
+ if (p->is_allow_all()) {
+ if (cct)
+ ldout(cct, 20) << " allow all" << dendl;
 return true;
+ }
 // check enumerated caps
 allow = allow | p->get_allowed(cct, name, service, command, command_args);
- if (!((op_may_read && !(allow & MON_CAP_R)) ||
- (op_may_write && !(allow & MON_CAP_W)) ||
- (op_may_exec && !(allow & MON_CAP_X))))
+ if ((!op_may_read || (allow & MON_CAP_R)) &&
+ (!op_may_write || (allow & MON_CAP_W)) &&
+ (!op_may_exec || (allow & MON_CAP_X))) {
+ if (cct)
+ ldout(cct, 20) << " match" << dendl;
 return true;
+ }
 }
 return false;
 }
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 90750dd7b11..7e484e8db6b 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -1523,8 +1523,10 @@ bool Monitor::_allowed_command(MonSession *s, map<string, cmd_vartype>& cmd)
 {
 bool retval = false;
- if (s->caps.is_allow_all())
+ if (s->caps.is_allow_all()) {
+ dout(10) << __func__ << " allow_all" << dendl;
 return true;
+ }
 string prefix;
 cmd_getval(g_ceph_context, cmd, "prefix", prefix);
@@ -1538,10 +1540,11 @@ bool Monitor::_allowed_command(MonSession *s, map<string, cmd_vartype>& cmd)
 }
 if (s->caps.is_capable(g_ceph_context, s->inst.name,
- "", prefix, strmap, false, false, false)) {
+ "", prefix, strmap, false, false, true)) {
 retval = true;
 }
+ dout(10) << __func__ << " = " << retval << dendl;
 return retval;
 }
|
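Review bot: The denial path at `return false;` in MonCap::is_capable stays silent while both allow paths now log at level 20, so a refused capability check leaves no trace of what was evaluated; a matching `if (cct) ldout(cct, 20) << " no match, allow=" << allow << dendl;` before the `return false;` would make refusals as diagnosable as accepted requests (this assumes `allow` is declared at function scope, as the "allow so far" log at the top of the loop suggests). The rewritten three-way condition is the De Morgan form of the removed one, so there is no behavior change there. The function's signature and the grant loop header lie above the hunk.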
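Review bot: The new trailing `dout(10) << __func__ << " = " << retval << dendl;` in the second Monitor.cc hunk records only the verdict, not who asked for what, so a denied command cannot be attributed from the monitor log; including the principal and the command prefix, `dout(10) << __func__ << " " << s->inst.name << " " << prefix << " = " << retval << dendl;`, makes refusals attributable without a second log line. Changing the last `is_capable` argument to `true` appears to mean a command now needs MON_CAP_X from a matching grant rather than passing on the first grant regardless of bits, which is what caps.sh in this commit exercises. The lines between the two hunks, where `strmap` is built, are not visible here.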