| Commit message (Collapse) | Author | Age | Files | Lines |
| |
... MDS auth caps but don't have CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK
feature bit (i.e., can't check the auth caps sent back to it by the
MDS) from establishing a session. Do this in
Server::handle_client_session(), and Server::handle_client_reconnect(),
where old clients try to reconnect to MDS servers after an upgrade.
If the client doesn't have the ability to authorize session access
based on the MDS auth caps sent back to it by the MDS, then the
client may buffer changes locally during open and setattr operations
when it's not supposed to, e.g., when enforcing root_squash MDS auth
caps.
Fixes: https://tracker.ceph.com/issues/56067
Signed-off-by: Ramana Raja <rraja@redhat.com>
| |
Fixes: https://tracker.ceph.com/issues/57154
Signed-off-by: Xiubo Li <xiubli@redhat.com>
| |
Need to add writeable/readable members and send them back to clients.
Fixes: https://tracker.ceph.com/issues/57154
Signed-off-by: Xiubo Li <xiubli@redhat.com>
| |
Will send this to clients.
Fixes: https://tracker.ceph.com/issues/57154
Signed-off-by: Xiubo Li <xiubli@redhat.com>
| |
Fixes: https://tracker.ceph.com/issues/57154
Signed-off-by: Xiubo Li <xiubli@redhat.com>
| |
When "fs authorize" subcommand is executed for the second time with
different caps, the subcommand exits with error. Modify the behaviour so
that the caps passed every subsequent time are incorporated into the caps
that are already present in the entity's keyring.
Behaviour before this commit -
$ ./bin/ceph fs authorize a client.x1 / rw
[client.x1]
key = AQBirqxg5KHeFxAAgOm6lHMYych6OTI+y1HJKw==
$ ./bin/ceph fs authorize b client.x1 / rw
Error EINVAL: client.x1 already has fs capabilities that differ from those supplied. To generate a new auth key for client.x1, first remove client.x1 from configuration files, execute 'ceph auth rm client.x1', then execute this command again.
$ ./bin/ceph auth get client.x1
[client.x1]
key = AQBirqxg5KHeFxAAgOm6lHMYych6OTI+y1HJKw==
caps mds = "allow rw fsname=a"
caps mon = "allow r fsname=a"
caps osd = "allow rw tag cephfs data=a"
exported keyring for client.x1
After this commit -
$ ./bin/ceph fs authorize a client.x1 / rw
[client.x1]
key = AQDvrqxgU3I3FBAAJWwF6ZtcOVeHH8TA8CwWmQ==
$ ./bin/ceph fs authorize b client.x1 / rw
updated caps for client.x1
$ ./bin/ceph auth get client.x1
[client.x1]
key = AQDvrqxgU3I3FBAAJWwF6ZtcOVeHH8TA8CwWmQ==
caps mds = "allow rw fsname=a, allow rw fsname=b"
caps mon = "allow r fsname=a, allow r fsname=b"
caps osd = "allow rw tag cephfs data=a, allow rw tag cephfs data=b"
exported keyring for client.x1
Fixes: https://tracker.ceph.com/issues/47264
Signed-off-by: Rishabh Dave <ridave@redhat.com>
MDSAuthCaps: bug fixes
Signed-off-by: Rishabh Dave <ridave@redhat.com>
| |
MDS caps can contain 5 components: name of a CephFS, a path inside
CephFS, a flag for enabling root squashing mechanism, a UID and list of
GIDs. These 5 components result in 31 combinations, so there can be 31
types of MDS caps. Out of these, the current main branch only allows 11
combinations. This restriction is strange and inappropriate. Ideally,
all combinations should be allowed.
This strange restriction must've been created unintentionally by
previous developers while adding FS name and root squash to MDS caps. A
TODO for allowing a subset of these combinations was also left in the
codebase:
https://github.com/ceph/ceph/blob/reef/src/mds/MDSAuthCaps.cc#L69
Fixes: https://tracker.ceph.com/issues/59388
Signed-off-by: Rishabh Dave <ridave@redhat.com>
| |
Variable g_ceph_context is global, therefore use it directly instead of
passing it as a parameter to method.
Signed-off-by: Rishabh Dave <ridave@redhat.com>
| |
Fixes: https://tracker.ceph.com/issues/50532
Signed-off-by: Kotresh HR <khiremat@redhat.com>
| |
Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>
| |
Implement a root_squash mode in MDS auth caps to deny operations for
clients with uid=0 or gid=0 that need write access. It's mainly to
prevent operations such as accidental `sudo rm -rf /path`.
The root squash mode can be enforced in one of the following ways in
the MDS caps,
'allow rw root_squash'
(across file systems)
or
'allow rw fsname=a root_squash'
(on a file system)
or
'allow rw fsname=a path=/vol/group/subvol00 root_squash'
(on a file system path)
Fixes: https://tracker.ceph.com/issues/42451
Signed-off-by: Ramana Raja <rraja@redhat.com>
| |
Add new auth caps to restrict access to clients based on fsnames. To
specify this, for example:
mds 'allow rw fsname=cephfs1'
This will restrict client access to fs name "cephfs1" only. Messages to
active MDS assigned to any other FSMap will be dropped. Standby MDS not
associated with an FSMap will accept messages from clients. To allow
multiple file systems, create MDS cap as follows -
mds 'allow rw fsname=cephfs1, allow rw fsname=cephfs2'
Fixes: http://tracker.ceph.com/issues/15070
Signed-off-by: Douglas Fuller <dfuller@redhat.com>
Signed-off-by: Rishabh Dave <ridave@redhat.com>
| |
Part of a changeset to allow building all of 'common' without relying
on 'using namespace std' or 'using namespace ceph' at toplevel in
headers.
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
| |
Some code coexists in the crimson seastar environment and the posix environment,
so add namespaces to avoid conflicts between identical functions, for example add
a namespace for CephContext. Because of the new namespace for classic ceph-osd,
all files that declare or use CephContext need to be modified to include
"common_fwd.h", which defines the namespace for each environment.
Signed-off-by: Chunmei Liu <chunmei.liu@intel.com>
| |
Fixes: https://tracker.ceph.com/issues/42311
Signed-off-by: Varsha Rao <varao@redhat.com>
| |
Session setup in ms_handle_authentication is (historically) racy where multiple
connections from the same client can come in before one is finally accepted. A
session should only be created after ms_handle_accept. The MDS did some
backflips before this commit to ensure this.
Moreover, with the msgr2 changes, it is even more necessary since the address
nonce is not set until before ms_handle_accept is called.
Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>
| |
Signed-off-by: Sage Weil <sage@redhat.com>
| |
Signed-off-by: Sage Weil <sage@redhat.com>
| |
For controlling whether a client is allowed to create or delete
snapshots
Fixes: http://tracker.ceph.com/issues/24284
Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
| |
Added const references to various function parameters in order to avoid
copying data unnecessarily and to enhance performance
Signed-off-by: Wilson E. Alvarez <wilson.e.alvarez1@gmail.com>
| |
This is necessary to allow many interfaces to take mempool allocated strings.
Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>
| |
Fixes: http://tracker.ceph.com/issues/19075
Signed-off-by: John Spray <john.spray@redhat.com>
| |
Signed-off-by: Greg Farnum <gfarnum@redhat.com>
| |
Use explicit keyword for constructors with one argument to
prevent implicit usage as conversion functions.
Signed-off-by: Danny Al-Gaaf <danny.al-gaaf@bisect.de>
| |
Signed-off-by: John Spray <john.spray@redhat.com>
| |
To allow us to query whether a client is
potentially capable of accessing a particular
path, ignoring uids/gids (used to validate
the client's claims about its mounted root)
Signed-off-by: John Spray <john.spray@redhat.com>
| |
For controlling whether a client is allowed
to modify the pool field in file/dir layouts.
Signed-off-by: John Spray <john.spray@redhat.com>
| |
The check is a no-op. We already verify the uid/gid combo is valid and
that the dir is writeable with MAY_WRITE. The new file is always set to
the caller uid:gid.
Signed-off-by: Sage Weil <sage@redhat.com>
| |
Verify both the caller uid and gid are a match for the given rule.
Signed-off-by: Sage Weil <sage@redhat.com>
| |
Signed-off-by: Sage Weil <sage@redhat.com>
| |
Signed-off-by: Nishtha Rai <nishtha3rai@gmail.com>
| |
Empty path is '', not '/'.
Signed-off-by: Sage Weil <sage@redhat.com>
| |
signed-off-by: Nishtha Rai <nishtha3rai@gmail.com>
Signed-off-by: Sage Weil <sage@redhat.com>
| |
Use an empty string for no path--this is more efficient. This generalizes
to losing any leading '/' character.
Signed-off-by: Sage Weil <sage@redhat.com>
| |
We will need this to evaluate the unix permissions.
Signed-off-by: Sage Weil <sage@redhat.com>
| |
int64_t for uid, so we can do a negative "none" value.
gid_t (uint32_t) for gid.
Signed-off-by: Sage Weil <sage@redhat.com>
| |
Signed-off-by: Sage Weil <sage@redhat.com>
| |
Signed-off-by: Sage Weil <sage@redhat.com>
| |
Signed-off-by: Sage Weil <sage@redhat.com>
| |
Also, fix this so that 'any' implies that we can read or write.
Signed-off-by: Sage Weil <sage@redhat.com>
| |
Signed-off-by: Sage Weil <sage@redhat.com>
| |
Signed-off-by: Sage Weil <sage@redhat.com>
| |
CID 1244228: Uninitialized scalar field (UNINIT_CTOR)
/mds/MDSAuthCaps.h: 29 in MDSCapSpec::MDSCapSpec()()
Signed-off-by: Greg Farnum <greg@inktank.com>
| |
Signed-off-by: John Spray <john.spray@redhat.com>
|
Signed-off-by: John Spray <john.spray@redhat.com>