author | Joao Eduardo Luis <joao.luis@inktank.com> | 2014-04-03 19:21:08 +0200 |
---|---|---|
committer | Sage Weil <sage@inktank.com> | 2014-04-04 21:51:27 +0200 |
commit | db266a3fb2985605738201f59f07fa504c91c770 (patch) | |
tree | 11bc6e8ea53e1bbe194f52f71c96051c0ff14946 | |
parent | Merge pull request #1602 from ceph/wip-cache-create-fix (diff) | |
mon: MonCommands.h: have 'auth' read-only operations require 'x' cap

This reintroduces the same semantics that were in place in dumpling prior
to the refactoring of the cap/command matching code.

We haven't added this requirement to auth read-write operations as that
would have the potential to break a lot of well-configured keyrings once
the users upgraded, without any significant gain -- we assume that if
they have set 'rw' caps on a given entity, they are indeed expecting said
entity to be sort-of-privileged entities with regard to monitor access.

Fixes: #7919
Signed-off-by: Joao Eduardo Luis <joao.luis@inktank.com>
Reviewed-by: Sage Weil <sage@inktank.com>
-rw-r--r-- | doc/release-notes.rst | 11 | ||||
-rw-r--r-- | src/mon/MonCommands.h | 12 |
2 files changed, 17 insertions, 6 deletions
diff --git a/doc/release-notes.rst b/doc/release-notes.rst index 1ee61e7630a..ccf0998d9bc 100644 --- a/doc/release-notes.rst +++ b/doc/release-notes.rst @@ -512,6 +512,17 @@ Upgrading no longer included in the listxattr(2) results to prevent problems with 'cp -a' and similar tools. +* Monitor 'auth' read-only commands now expect the user to have 'rx' caps. + This is the same behavior that was present in dumpling, but in emperor + and more recent development releases the 'r' cap was sufficient. The + affected commands are:: + + ceph auth export + ceph auth get + ceph auth get-key + ceph auth print-key + ceph auth list + Notable Changes --------------- * ceph-conf: stop creating bogus log files (Josh Durgin, Sage Weil) diff --git a/src/mon/MonCommands.h b/src/mon/MonCommands.h index 02228dd78c1..a8e138afd23 100644 --- a/src/mon/MonCommands.h +++ b/src/mon/MonCommands.h 
@@ -152,16 +152,16 @@ COMMAND("pg set_nearfull_ratio name=ratio,type=CephFloat,range=0.0|1.0", \ COMMAND("auth export name=entity,type=CephString,req=false", \ "write keyring for requested entity, or master keyring if none given", \ - "auth", "r", "cli,rest") + "auth", "rx", "cli,rest") COMMAND("auth get name=entity,type=CephString", \ - "write keyring file with requested key", "auth", "r", "cli,rest") + "write keyring file with requested key", "auth", "rx", "cli,rest") COMMAND("auth get-key name=entity,type=CephString", "display requested key", \ - "auth", "r", "cli,rest") + "auth", "rx", "cli,rest") COMMAND("auth print-key name=entity,type=CephString", "display requested key", \ - "auth", "r", "cli,rest") + "auth", "rx", "cli,rest") COMMAND("auth print_key name=entity,type=CephString", "display requested key", \ - "auth", "r", "cli,rest") -COMMAND("auth list", "list authentication state", "auth", "r", "cli,rest") + "auth", "rx", "cli,rest") +COMMAND("auth list", "list authentication state", "auth", "rx", "cli,rest") COMMAND("auth import", "auth import: read keyring file from -i <file>", \ "auth", "rw", "cli,rest") COMMAND("auth add " \ |
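Review bot: The list of affected commands in the doc/release-notes.rst hunk is incomplete: it names `ceph auth print-key` but not the underscore spelling `auth print_key`, which the MonCommands.h hunk also moves from "r" to "rx". Either add it to the list or say that both spellings are covered. The entry also stops at describing the new behavior; a sentence telling operators that entities holding only the 'r' cap and running these commands will start being denied after upgrade, and need their monitor caps extended to 'rx', would make the upgrade action explicit.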
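Review bot: Nothing in the src/mon/MonCommands.h hunk records why commands described as "display requested key" and "write keyring file with requested key" carry "rx" rather than "r", and the commit message says this requirement was already lost once in the cap/command matching refactor. A short comment above the `auth export` entry stating that read-only auth commands return key material and therefore require 'x' would keep a later cleanup from normalizing them back to "r". The change touches only these two files, so a test asserting that an entity with only 'r' is refused `auth get-key` would also guard against the same regression.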