1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
|
// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
#ifndef CEPH_MGRCAP_H
#define CEPH_MGRCAP_H
#include <iosfwd>
#include "include/common_fwd.h"
#include "include/types.h"
#include "common/entity_name.h"
static const __u8 MGR_CAP_R = (1 << 1); // read
static const __u8 MGR_CAP_W = (1 << 2); // write
static const __u8 MGR_CAP_X = (1 << 3); // execute
static const __u8 MGR_CAP_ANY = 0xff; // *
struct mgr_rwxa_t {
__u8 val = 0U;
mgr_rwxa_t() {}
explicit mgr_rwxa_t(__u8 v) : val(v) {}
mgr_rwxa_t& operator=(__u8 v) {
val = v;
return *this;
}
operator __u8() const {
return val;
}
};
std::ostream& operator<<(std::ostream& out, const mgr_rwxa_t& p);
struct MgrCapGrantConstraint {
enum MatchType {
MATCH_TYPE_NONE,
MATCH_TYPE_EQUAL,
MATCH_TYPE_PREFIX,
MATCH_TYPE_REGEX
};
MatchType match_type = MATCH_TYPE_NONE;
std::string value;
MgrCapGrantConstraint() {}
MgrCapGrantConstraint(MatchType match_type, std::string value)
: match_type(match_type), value(value) {
}
};
std::ostream& operator<<(std::ostream& out, const MgrCapGrantConstraint& c);
struct MgrCapGrant {
/*
* A grant can come in one of four forms:
*
* - a blanket allow ('allow rw', 'allow *')
* - this will match against any service and the read/write/exec flags
* in the mgr code. semantics of what X means are somewhat ad hoc.
*
* - a service allow ('allow service mds rw')
* - this will match against a specific service and the r/w/x flags.
*
* - a module allow ('allow module rbd_support rw, allow module rbd_support with pool=rbd rw')
* - this will match against a specific python add-on module and the r/w/x
* flags.
*
* - a profile ('profile read-only, profile rbd pool=rbd')
* - this will match against specific MGR-enforced semantics of what
* this type of user should need to do. examples include 'read-write',
* 'read-only', 'crash'.
*
* - a command ('allow command foo', 'allow command bar with arg1=val1 arg2 prefix val2')
* this includes the command name (the prefix string)
*
* The command, module, and profile caps can also accept an optional
* key/value map. If not provided, all command arguments and module
* meta-arguments are allowed. If a key/value pair is specified, that
* argument must be present and must match the provided constraint.
*/
typedef std::map<std::string, MgrCapGrantConstraint> Arguments;
std::string service;
std::string module;
std::string profile;
std::string command;
Arguments arguments;
// restrict by network
std::string network;
// these are filled in by parse_network(), called by MgrCap::parse()
entity_addr_t network_parsed;
unsigned network_prefix = 0;
bool network_valid = true;
void parse_network();
mgr_rwxa_t allow;
// explicit grants that a profile grant expands to; populated as
// needed by expand_profile() (via is_match()) and cached here.
mutable std::list<MgrCapGrant> profile_grants;
void expand_profile(std::ostream *err=nullptr) const;
MgrCapGrant() : allow(0) {}
MgrCapGrant(std::string&& service,
std::string&& module,
std::string&& profile,
std::string&& command,
Arguments&& arguments,
mgr_rwxa_t allow)
: service(std::move(service)), module(std::move(module)),
profile(std::move(profile)), command(std::move(command)),
arguments(std::move(arguments)), allow(allow) {
}
bool validate_arguments(
const std::map<std::string, std::string>& arguments) const;
/**
* check if given request parameters match our constraints
*
* @param cct context
* @param name entity name
* @param service service (if any)
* @param module module (if any)
* @param command command (if any)
* @param arguments profile/module/command args (if any)
* @return bits we allow
*/
mgr_rwxa_t get_allowed(
CephContext *cct,
EntityName name,
const std::string& service,
const std::string& module,
const std::string& command,
const std::map<std::string, std::string>& arguments) const;
bool is_allow_all() const {
return (allow == MGR_CAP_ANY &&
service.empty() &&
module.empty() &&
profile.empty() &&
command.empty());
}
};
std::ostream& operator<<(std::ostream& out, const MgrCapGrant& g);
struct MgrCap {
std::string text;
std::vector<MgrCapGrant> grants;
MgrCap() {}
explicit MgrCap(const std::vector<MgrCapGrant> &g) : grants(g) {}
std::string get_str() const {
return text;
}
bool is_allow_all() const;
void set_allow_all();
bool parse(const std::string& str, std::ostream *err=NULL);
/**
* check if we are capable of something
*
* This method actually checks a description of a particular operation against
* what the capability has specified.
*
* @param service service name
* @param module module name
* @param command command id
* @param arguments
* @param op_may_read whether the operation may need to read
* @param op_may_write whether the operation may need to write
* @param op_may_exec whether the operation may exec
* @return true if the operation is allowed, false otherwise
*/
bool is_capable(CephContext *cct,
EntityName name,
const std::string& service,
const std::string& module,
const std::string& command,
const std::map<std::string, std::string>& arguments,
bool op_may_read, bool op_may_write, bool op_may_exec,
const entity_addr_t& addr) const;
void encode(ceph::buffer::list& bl) const;
void decode(ceph::buffer::list::const_iterator& bl);
void dump(ceph::Formatter *f) const;
static void generate_test_instances(std::list<MgrCap*>& ls);
};
WRITE_CLASS_ENCODER(MgrCap)
std::ostream& operator<<(std::ostream& out, const MgrCap& cap);
#endif // CEPH_MGRCAP_H
|