author | Jason Dillaman <dillaman@redhat.com> | 2019-10-11 16:45:15 +0200 |
---|---|---|
committer | Jason Dillaman <dillaman@redhat.com> | 2019-10-29 13:35:02 +0100 |
commit | dbb1b54d492134b677b4e239415c0579e34032b4 (patch) | |
tree | 9e1c2b602c7f618df0b59be102f15c2a7e1456ba | |
parent | mgr: stop re-using MonCap for handling MGR caps (diff) | |
mon: dropped daemon type argument for MonCap
The daemon_type argument was a placeholder for handling MGR caps within the MonCap
class. Now that the MGR has its own MgrCap class, it is no
longer required.
Signed-off-by: Jason Dillaman <dillaman@redhat.com>
-rw-r--r-- | src/mon/MonCap.cc | 30 | ||||
-rw-r--r-- | src/mon/MonCap.h | 9 | ||||
-rw-r--r-- | src/mon/Monitor.cc | 2 | ||||
-rw-r--r-- | src/mon/OSDMonitor.cc | 4 | ||||
-rw-r--r-- | src/mon/Session.h | 1 | ||||
-rw-r--r-- | src/test/mon/moncap.cc | 157 |
6 files changed, 70 insertions, 133 deletions
diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc index 3fb5723323a..6235a22e805 100644 --- a/src/mon/MonCap.cc +++ b/src/mon/MonCap.cc @@ -153,7 +153,7 @@ void MonCapGrant::parse_network() &network_prefix); } -void MonCapGrant::expand_profile(int daemon_type, const EntityName& name) const +void MonCapGrant::expand_profile(const EntityName& name) const { // only generate this list once if (!profile_grants.empty()) @@ -173,25 +173,6 @@ void MonCapGrant::expand_profile(int daemon_type, const EntityName& name) const return; } - switch (daemon_type) { - case CEPH_ENTITY_TYPE_MON: - expand_profile_mon(name); - return; - case CEPH_ENTITY_TYPE_MGR: - expand_profile_mgr(name); - return; - } -} - -void MonCapGrant::expand_profile_mgr(const EntityName& name) const -{ - if (profile == "crash") { - profile_grants.push_back(MonCapGrant("crash post")); - } -} - -void MonCapGrant::expand_profile_mon(const EntityName& name) const -{ if (profile == "mon") { profile_grants.push_back(MonCapGrant("mon", MON_CAP_ALL)); profile_grants.push_back(MonCapGrant("log", MON_CAP_ALL)); @@ -345,17 +326,16 @@ void MonCapGrant::expand_profile_mon(const EntityName& name) const } mon_rwxa_t MonCapGrant::get_allowed(CephContext *cct, - int daemon_type, EntityName name, const std::string& s, const std::string& c, const map<string,string>& c_args) const { if (profile.length()) { - expand_profile(daemon_type, name); + expand_profile(name); mon_rwxa_t a; for (auto p = profile_grants.begin(); p != profile_grants.end(); ++p) - a = a | p->get_allowed(cct, daemon_type, name, s, c, c_args); + a = a | p->get_allowed(cct, name, s, c, c_args); return a; } if (service.length()) { @@ -432,7 +412,6 @@ void MonCap::set_allow_all() bool MonCap::is_capable( CephContext *cct, - int daemon_type, EntityName name, const string& service, const string& command, const map<string,string>& command_args, 
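Review bot: The profile_grants cache is still filled once and then served unchanged by the `if (!profile_grants.empty()) return;` guard at the top of the new expand_profile(const EntityName&), yet the expansion still takes `name`, so the grant list is built for whichever entity name is passed on the first call and reused for every later one. With daemon_type gone that is the only remaining input that could differ between calls; presumably a MonCap belongs to a single MonSession so the name never changes, but nothing in the code says so, and the `mutable` cache is written from a const method without any synchronization. A comment above `profile_grants` in MonCap.h should record the assumption, e.g. `// filled on first expansion and never rebuilt; assumes this grant is only ever evaluated for one entity name (and from one thread)`. The body of expand_profile continues beyond the hunk.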
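Review bot: Removing expand_profile_mgr deletes the only place visible in MonCap that expanded `profile crash` into `crash post`; whether the remaining mon-side branch still handles "crash" lies outside this hunk, so a key created with `mon 'profile crash'` may now expand to nothing on the monitor, or to something different. The visible test hunks in this commit only re-plumb existing calls to the new signature and add no case for the crash profile. A short `TEST(MonCap, ProfileCrash)` that parses `profile crash` and asserts what is_capable returns for command `crash post` would pin the intended monitor-side behaviour either way. The enclosing expand_profile body extends past the end of the hunk.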
@@ -470,8 +449,7 @@ bool MonCap::is_capable( } // check enumerated caps - allow = allow | p->get_allowed(cct, daemon_type, name, service, command, - command_args); + allow = allow | p->get_allowed(cct, name, service, command, command_args); if ((!op_may_read || (allow & MON_CAP_R)) && (!op_may_write || (allow & MON_CAP_W)) && (!op_may_exec || (allow & MON_CAP_X))) { diff --git a/src/mon/MonCap.h b/src/mon/MonCap.h index b97b1604d59..5f8227f4617 100644 --- a/src/mon/MonCap.h +++ b/src/mon/MonCap.h @@ -95,15 +95,13 @@ struct MonCapGrant { // needed by expand_profile() (via is_match()) and cached here. mutable std::list<MonCapGrant> profile_grants; - void expand_profile(int daemon_type, const EntityName& name) const; - void expand_profile_mon(const EntityName& name) const; - void expand_profile_mgr(const EntityName& name) const; + void expand_profile(const EntityName& name) const; MonCapGrant() : allow(0) {} // cppcheck-suppress noExplicitConstructor MonCapGrant(mon_rwxa_t a) : allow(a) {} MonCapGrant(std::string s, mon_rwxa_t a) : service(std::move(s)), allow(a) {} - // cppcheck-suppress noExplicitConstructor + // cppcheck-suppress noExplicitConstructor MonCapGrant(std::string c) : command(std::move(c)) {} MonCapGrant(std::string c, std::string a, StringConstraint co) : command(std::move(c)) { command_args[a] = co; @@ -120,7 +118,6 @@ struct MonCapGrant { * @return bits we allow */ mon_rwxa_t get_allowed(CephContext *cct, - int daemon_type, ///< CEPH_ENTITY_TYPE_* EntityName name, const std::string& service, const std::string& command, @@ -158,7 +155,6 @@ struct MonCap { * This method actually checks a description of a particular operation against * what the capability has specified. * - * @param daemon_type CEPH_ENTITY_TYPE_* for the service (MON or MGR) * @param service service name * @param command command id * @param command_args 
@@ -168,7 +164,6 @@ struct MonCap { * @return true if the operation is allowed, false otherwise */ bool is_capable(CephContext *cct, - int daemon_type, EntityName name, const std::string& service, const std::string& command, diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc index 623e60224e2..65fbc9ca7ae 100644 --- a/src/mon/Monitor.cc +++ b/src/mon/Monitor.cc @@ -3092,7 +3092,6 @@ bool Monitor::_allowed_command(MonSession *s, const string &module, bool capable = s->caps.is_capable( g_ceph_context, - CEPH_ENTITY_TYPE_MON, s->entity_name, module, prefix, param_str_map, cmd_r, cmd_w, cmd_x, @@ -3175,7 +3174,6 @@ void Monitor::handle_tell_command(MonOpRequestRef op) } if (!session->caps.is_capable( g_ceph_context, - CEPH_ENTITY_TYPE_MON, session->entity_name, "mon", prefix, param_str_map, true, true, true, diff --git a/src/mon/OSDMonitor.cc b/src/mon/OSDMonitor.cc index b15eb8e6873..ce9b6bb1a96 100644 --- a/src/mon/OSDMonitor.cc +++ b/src/mon/OSDMonitor.cc @@ -258,8 +258,7 @@ bool is_unmanaged_snap_op_permitted(CephContext* cct, typedef std::map<std::string, std::string> CommandArgs; if (mon_caps.is_capable( - cct, CEPH_ENTITY_TYPE_MON, - entity_name, "osd", + cct, entity_name, "osd", "osd pool op unmanaged-snap", (pool_name == nullptr ? CommandArgs{} /* pool DNE, require unrestricted cap */ : @@ -4053,7 +4052,6 @@ bool OSDMonitor::preprocess_remove_snaps(MonOpRequestRef op) goto ignore; if (!session->caps.is_capable( cct, - CEPH_ENTITY_TYPE_MON, session->entity_name, "osd", "osd pool rmsnap", {}, true, true, false, session->get_peer_socket_addr())) { diff --git a/src/mon/Session.h b/src/mon/Session.h index 434395a7bf2..4b86dd93da2 100644 --- a/src/mon/Session.h +++ b/src/mon/Session.h @@ -100,7 +100,6 @@ struct MonSession : public RefCountedObject { std::map<std::string,std::string> args; return caps.is_capable( g_ceph_context, - CEPH_ENTITY_TYPE_MON, entity_name, service, "", args, mask & MON_CAP_R, mask & MON_CAP_W, mask & MON_CAP_X, 
diff --git a/src/test/mon/moncap.cc b/src/test/mon/moncap.cc index 388227ccb80..1c151b1e399 100644 --- a/src/test/mon/moncap.cc +++ b/src/test/mon/moncap.cc @@ -188,8 +188,8 @@ TEST(MonCap, AllowAll) { ASSERT_TRUE(cap.parse("allow *", NULL)); ASSERT_TRUE(cap.is_allow_all()); - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(), - "foo", "asdf", map<string,string>(), true, true, true, entity_addr_t())); + ASSERT_TRUE(cap.is_capable(NULL, {}, "foo", "asdf", {}, true, true, true, + {})); MonCap cap2; ASSERT_FALSE(cap2.is_allow_all()); @@ -207,17 +207,11 @@ TEST(MonCap, Network) { b.parse("192.168.2.3"); c.parse("192.167.2.3"); - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(), - "foo", "asdf", map<string,string>(), - true, true, true, + ASSERT_TRUE(cap.is_capable(NULL, {}, "foo", "asdf", {}, true, true, true, a)); - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(), - "foo", "asdf", map<string,string>(), - true, true, true, + ASSERT_TRUE(cap.is_capable(NULL, {}, "foo", "asdf", {}, true, true, true, b)); - ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, EntityName(), - "foo", "asdf", map<string,string>(), - true, true, true, + ASSERT_FALSE(cap.is_capable(NULL, {}, "foo", "asdf", {}, true, true, true, c)); } 
@@ -230,87 +224,62 @@ TEST(MonCap, ProfileOSD) { name.from_str("osd.123"); map<string,string> ca; - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "osd", "", ca, true, false, false, - entity_addr_t())); - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "osd", "", ca, true, true, false, - entity_addr_t())); - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "osd", "", ca, true, true, true, - entity_addr_t())); - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "osd", "", ca, true, true, true, - entity_addr_t())); - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "mon", "", ca, true, false,false, - entity_addr_t())); - - ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "mds", "", ca, true, true, true, - entity_addr_t())); - ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "mon", "", ca, true, true, true, - entity_addr_t())); + ASSERT_TRUE(cap.is_capable(NULL, name, "osd", "", ca, true, false, false, + {})); + ASSERT_TRUE(cap.is_capable(NULL, name, "osd", "", ca, true, true, false, {})); + ASSERT_TRUE(cap.is_capable(NULL, name, "osd", "", ca, true, true, true, {})); + ASSERT_TRUE(cap.is_capable(NULL, name, "osd", "", ca, true, true, true, {})); + ASSERT_TRUE(cap.is_capable(NULL, name, "mon", "", ca, true, false, false, + {})); + + ASSERT_FALSE(cap.is_capable(NULL, name, "mds", "", ca, true, true, true, {})); + ASSERT_FALSE(cap.is_capable(NULL, name, "mon", "", ca, true, true, true, {})); ca.clear(); - ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "", "config-key get", ca, true, true, true, - entity_addr_t())); + ASSERT_FALSE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true, + true, {})); ca["key"] = "daemon-private/osd.123"; - ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "", "config-key get", ca, true, true, true, - entity_addr_t())); + ASSERT_FALSE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true, + 
true, {})); ca["key"] = "daemon-private/osd.12/asdf"; - ASSERT_FALSE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "", "config-key get", ca, true, true, true, - entity_addr_t())); + ASSERT_FALSE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true, + true, {})); ca["key"] = "daemon-private/osd.123/"; - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "", "config-key get", ca, true, true, true, - entity_addr_t())); - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "", "config-key get", ca, true, true, true, - entity_addr_t())); - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "", "config-key get", ca, true, true, true, - entity_addr_t())); + ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true, + true, {})); + ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true, + true, {})); + ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true, + true, {})); ca["key"] = "daemon-private/osd.123/foo"; - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "", "config-key get", ca, true, true, true, - entity_addr_t())); - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "", "config-key put", ca, true, true, true, - entity_addr_t())); - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "", "config-key set", ca, true, true, true, - entity_addr_t())); - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "", "config-key exists", ca, true, true, true, - entity_addr_t())); - ASSERT_TRUE(cap.is_capable(NULL, CEPH_ENTITY_TYPE_MON, - name, "", "config-key delete", ca, true, true, true, - entity_addr_t())); + ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key get", ca, true, true, + true, {})); + ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key put", ca, true, true, + true, {})); + ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key set", ca, true, true, + true, {})); + ASSERT_TRUE(cap.is_capable(NULL, 
name, "", "config-key exists", ca, true, + true, true, {})); + ASSERT_TRUE(cap.is_capable(NULL, name, "", "config-key delete", ca, true, + true, true, {})); } TEST(MonCap, CommandRegEx) { MonCap cap; ASSERT_FALSE(cap.is_allow_all()); - ASSERT_TRUE(cap.parse("allow command abc with arg regex \"^[0-9a-z.]*$\"", NULL)); + ASSERT_TRUE(cap.parse("allow command abc with arg regex \"^[0-9a-z.]*$\"", + NULL)); EntityName name; name.from_str("osd.123"); - ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "", - "abc", {{"arg", "12345abcde"}}, true, true, true, - entity_addr_t())); - ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "", - "abc", {{"arg", "~!@#$"}}, true, true, true, - entity_addr_t())); + ASSERT_TRUE(cap.is_capable(nullptr, name, "", "abc", {{"arg", "12345abcde"}}, + true, true, true, {})); + ASSERT_FALSE(cap.is_capable(nullptr, name, "", "abc", {{"arg", "~!@#$"}}, + true, true, true, {})); ASSERT_TRUE(cap.parse("allow command abc with arg regex \"[*\"", NULL)); - ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_OSD, name, "", - "abc", {{"arg", ""}}, true, true, true, - entity_addr_t())); + ASSERT_FALSE(cap.is_capable(nullptr, name, "", "abc", {{"arg", ""}}, true, + true, true, {})); } TEST(MonCap, ProfileBootstrapRBD) { 
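Review bot: The rewritten ProfileOSD assertions carry several exact duplicates onto the new side: `cap.is_capable(NULL, name, "osd", "", ca, true, true, true, {})` is asserted twice in a row, and the `config-key get` check for key `daemon-private/osd.123/` is repeated three times with identical arguments, so the extra lines add no coverage. Presumably the repeats were meant to vary the command the way the later `put`/`set`/`exists`/`delete` block does; either drop the duplicates or change the command on each, e.g. `config-key put` and `config-key set` for the two extra `daemon-private/osd.123/` checks. Since this hunk is being reflowed anyway, it is the natural place to tidy that up.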
@@ -320,27 +289,27 @@ TEST(MonCap, ProfileBootstrapRBD) { EntityName name; name.from_str("mon.a"); - ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "", + ASSERT_TRUE(cap.is_capable(nullptr, name, "", "auth get-or-create", { {"entity", "client.rbd"}, {"caps_mon", "profile rbd"}, {"caps_osd", "profile rbd pool=foo, profile rbd-read-only"}, }, true, true, true, - entity_addr_t())); - ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "", + {})); + ASSERT_FALSE(cap.is_capable(nullptr, name, "", "auth get-or-create", { {"entity", "client.rbd"}, {"caps_mon", "allow *"}, {"caps_osd", "profile rbd"}, }, true, true, true, - entity_addr_t())); - ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "", + {})); + ASSERT_FALSE(cap.is_capable(nullptr, name, "", "auth get-or-create", { {"entity", "client.rbd"}, {"caps_mon", "profile rbd"}, {"caps_osd", "profile rbd pool=foo, allow *, profile rbd-read-only"}, }, true, true, true, - entity_addr_t())); + {})); } TEST(MonCap, ProfileBootstrapRBDMirror) { 
@@ -350,34 +319,34 @@ TEST(MonCap, ProfileBootstrapRBDMirror) { EntityName name; name.from_str("mon.a"); - ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "", + ASSERT_TRUE(cap.is_capable(nullptr, name, "", "auth get-or-create", { {"entity", "client.rbd"}, {"caps_mon", "profile rbd-mirror"}, {"caps_osd", "profile rbd pool=foo, profile rbd-read-only"}, }, true, true, true, - entity_addr_t())); - ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "", + {})); + ASSERT_FALSE(cap.is_capable(nullptr, name, "", "auth get-or-create", { {"entity", "client.rbd"}, {"caps_mon", "profile rbd"}, {"caps_osd", "profile rbd pool=foo, profile rbd-read-only"}, }, true, true, true, - entity_addr_t())); - ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "", + {})); + ASSERT_FALSE(cap.is_capable(nullptr, name, "", "auth get-or-create", { {"entity", "client.rbd"}, {"caps_mon", "allow *"}, {"caps_osd", "profile rbd"}, }, true, true, true, - entity_addr_t())); - ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "", + {})); + ASSERT_FALSE(cap.is_capable(nullptr, name, "", "auth get-or-create", { {"entity", "client.rbd"}, {"caps_mon", "profile rbd-mirror"}, {"caps_osd", "profile rbd pool=foo, allow *, profile rbd-read-only"}, }, true, true, true, - entity_addr_t())); + {})); } TEST(MonCap, ProfileRBD) { @@ -387,10 +356,10 @@ TEST(MonCap, ProfileRBD) { EntityName name; name.from_str("mon.a"); - ASSERT_FALSE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "config-key", + ASSERT_FALSE(cap.is_capable(nullptr, name, "config-key", "config-key get", { {"key", "rbd/mirror/peer/1/1234"}, - }, true, false, false, entity_addr_t())); + }, true, false, false, {})); } TEST(MonCap, ProfileRBDMirror) { 
@@ -400,8 +369,8 @@ TEST(MonCap, ProfileRBDMirror) { EntityName name; name.from_str("mon.a"); - ASSERT_TRUE(cap.is_capable(nullptr, CEPH_ENTITY_TYPE_MON, name, "config-key", + ASSERT_TRUE(cap.is_capable(nullptr, name, "config-key", "config-key get", { {"key", "rbd/mirror/peer/1/1234"}, - }, true, false, false, entity_addr_t())); + }, true, false, false, {})); } |