// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
/*
* Ceph - scalable distributed file system
*
* Copyright (C) 2004-2006 Sage Weil <sage@newdream.net>
*
* This is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License version 2.1, as published by the Free Software
* Foundation. See file COPYING.
*
* OSDCaps: Hold the capabilities associated with a single authenticated
* user key. These are specified by text strings of the form
* "allow r" (which allows reading anything on the OSD)
* "allow rwx auid foo[,bar,baz]" (which allows full access to listed auids)
* "allow rwx pool foo[,bar,baz]" (which allows full access to listed pools)
* "allow *" (which allows full access to EVERYTHING)
*
* The OSD assumes that anyone holding * caps is an admin with full message
* permissions, so only the monitors and the OSDs should be given *.
*/
#ifndef CEPH_OSDCAPS_H
#define CEPH_OSDCAPS_H
#include "include/types.h"
// Capability bits carried by an rwx_t (read / write / execute).  The text
// form produced by operator<<(ostream&, rwx_t) below is "r", "w", "x".
#define OSD_POOL_CAP_R 0x01
#define OSD_POOL_CAP_W 0x02
#define OSD_POOL_CAP_X 0x04
#define OSD_POOL_CAP_ALL (OSD_POOL_CAP_R | OSD_POOL_CAP_W | OSD_POOL_CAP_X)
// Bit set of OSD_POOL_CAP_* flags.  This is a typedef of a fundamental
// type, not a distinct type, so the operator<< below is also picked for any
// value of the underlying type streamed in a TU that includes this header.
typedef __u8 rwx_t;
// Render the OSD_POOL_CAP_* bits of `p` as a compact "rwx" string: empty
// when no bit is set, and any other bit in the byte is ignored.  Because
// rwx_t is a typedef of a fundamental type, this non-template overload is
// also selected for plain values of that type wherever this header is seen.
static inline ostream& operator<<(ostream& out, rwx_t p) {
  static const struct {
    rwx_t bit;
    const char *letter;
  } flags[] = {
    { OSD_POOL_CAP_R, "r" },
    { OSD_POOL_CAP_W, "w" },
    { OSD_POOL_CAP_X, "x" },
  };
  for (size_t i = 0; i < sizeof(flags) / sizeof(flags[0]); ++i) {
    if (p & flags[i].bit)
      out << flags[i].letter;
  }
  return out;
}
// One capability record (per pool or per auid): the operations explicitly
// granted and the operations explicitly refused, each as OSD_POOL_CAP_* bits.
// How the two are combined with the OSDCaps defaults is decided by
// get_pool_cap(), whose definition is outside this header.
struct OSDCap {
  rwx_t allow;  // OSD_POOL_CAP_* bits granted
  rwx_t deny;   // OSD_POOL_CAP_* bits refused
  OSDCap() : allow(0), deny(0) {}  // nothing granted, nothing refused
};
// Debug form of an OSDCap, e.g. "(allow rw, deny x)"; both fields go through
// the rwx_t printer above, so an empty bit set prints nothing after the label.
static inline ostream& operator<<(ostream& out, const OSDCap& pc) {
  out << "(allow " << pc.allow;
  out << ", deny " << pc.deny;
  out << ")";
  return out;
}
// Abstract lookup from a textual cap target (a pool name, or an auid written
// as a decimal string) to its OSDCap entry.  Both implementations below hand
// back a mutable reference and create the entry when it is missing.
struct CapMap {
  virtual ~CapMap();  // defined outside this header
  // `name` is taken by non-const reference (the parser's working token);
  // neither implementation below modifies it.
  virtual OSDCap& get_cap(string& name) = 0;
};
// Caps keyed by pool name ("allow ... pool foo[,bar,baz]").
struct PoolsMap : public CapMap {
  map<string, OSDCap> pools_map;
  // Return the entry for `name`, default-constructing it (allow=0, deny=0)
  // when absent.  map::operator[] inserts on a miss, so every distinct name
  // ever looked up stays in pools_map; a caller that queries request-supplied
  // pool names should be aware the map grows with each new name.
  OSDCap& get_cap(string& name) {
    OSDCap& entry = pools_map[name];
    return entry;
  }
  void dump();                                 // defined outside this header
  void apply_caps(string& name, int& cap);     // defined outside this header
};
// Caps keyed by the numeric auid of the object owner ("allow ... auid 123").
struct AuidMap : public CapMap {
  map<uint64_t, OSDCap> auid_map;
  // The CapMap interface passes the auid as text, so it is converted here.
  // strtoll() is lenient: it stops at the first non-digit, yields 0 for a
  // token with no leading digits, and a negative token wraps when stored in
  // the uint64_t key.  A malformed auid in the cap string therefore lands on
  // auid 0 (or a large wrapped value) rather than being rejected; any
  // rejection would have to happen in the parser, outside this header.
  // As with PoolsMap, a missing key is default-inserted.
  OSDCap& get_cap(string& name) {
    const char *text = name.c_str();
    uint64_t num = strtoll(text, NULL, 10);
    return auid_map[num];
  }
  void apply_caps(uint64_t uid, int& cap);     // defined outside this header
};
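/*
 * The full capability set of one authenticated key, parsed from the
 * "allow ..." text described at the top of this file.  get_pool_cap()
 * (defined outside this header) combines allow_all, the per-pool and
 * per-auid entries and the default_allow/default_deny bits into the
 * OSD_POOL_CAP_* bits that apply to one pool for one caller.
 */
struct OSDCaps {
  PoolsMap pools_map;   // entries from "allow ... pool foo[,bar,baz]"
  AuidMap auid_map;     // entries from "allow ... auid foo[,bar,baz]"
  rwx_t default_allow;  // fallback grant bits (policy is in get_pool_cap())
  rwx_t default_deny;   // fallback refusal bits (policy is in get_pool_cap())
  bool allow_all;       // "allow *": the OSD treats the holder as an admin
  int peer_type;        // CEPH_ENTITY_TYPE_* of the peer; read by is_mon()/is_osd()/is_mds()
  uint64_t auid;        // auid of the key's owner

  // Tokenizer used by parse(); `s` is taken by value (the definition lives
  // outside this header, so the signature is left as declared).
  bool get_next_token(string s, size_t& pos, string& token);
  // Interpret `token` as a set of r/w/x letters into `cap_val`; returns false
  // when it is not one.
  bool is_rwx(string& token, rwx_t& cap_val);

  // peer_type is initialised here as well: it used to be left indeterminate,
  // so is_mon()/is_osd()/is_mds() read an uninitialised int until
  // set_peer_type() was called.  0 is not a CEPH_ENTITY_TYPE_* value, so all
  // three predicates are false until the peer type is set explicitly.
  OSDCaps() : default_allow(0), default_deny(0), allow_all(false),
              peer_type(0), auid(CEPH_AUTH_UID_DEFAULT) {}

  // Parse the encoded cap string at `iter`; returns false on a malformed
  // string (definition outside this header).
  bool parse(bufferlist::iterator& iter);
  // OSD_POOL_CAP_* bits this key holds on `pool_name`, for a caller with
  // auid `uid` (definition outside this header).
  int get_pool_cap(string& pool_name, uint64_t uid = CEPH_AUTH_UID_DEFAULT);

  bool is_mon() { return CEPH_ENTITY_TYPE_MON == peer_type; }
  bool is_osd() { return CEPH_ENTITY_TYPE_OSD == peer_type; }
  bool is_mds() { return CEPH_ENTITY_TYPE_MDS == peer_type; }

  void set_allow_all(bool allow) { allow_all = allow; }
  void set_peer_type (int pt) { peer_type = pt; }
  void set_auid(uint64_t uid) { auid = uid; }
};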
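// Debug form of a whole OSDCaps.  The auid entries and the allow_all flag are
// now included: both feed the access decision, and a dump that omits them
// cannot explain why a peer was granted (or refused) an operation.
static inline ostream& operator<<(ostream& out, const OSDCaps& c) {
  return out << "osdcaps(pools=" << c.pools_map.pools_map
             << " auids=" << c.auid_map.auid_map
             << " default allow=" << c.default_allow
             << " default_deny=" << c.default_deny
             << " allow_all=" << c.allow_all << ")";
}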
#endif