1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
|
// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
#ifndef CEPH_MONCAP_H
#define CEPH_MONCAP_H
#include <ostream>
#include "include/common_fwd.h"
#include "include/types.h"
#include "common/entity_name.h"
#include "mds/mdstypes.h"
static const __u8 MON_CAP_R = (1 << 1); // read
static const __u8 MON_CAP_W = (1 << 2); // write
static const __u8 MON_CAP_X = (1 << 3); // execute
static const __u8 MON_CAP_ALL = MON_CAP_R | MON_CAP_W | MON_CAP_X;
static const __u8 MON_CAP_ANY = 0xff; // *
struct mon_rwxa_t {
__u8 val;
// cppcheck-suppress noExplicitConstructor
mon_rwxa_t(__u8 v = 0) : val(v) {}
mon_rwxa_t& operator=(__u8 v) {
val = v;
return *this;
}
operator __u8() const {
return val;
}
};
std::ostream& operator<<(std::ostream& out, const mon_rwxa_t& p);
struct StringConstraint {
enum MatchType {
MATCH_TYPE_NONE,
MATCH_TYPE_EQUAL,
MATCH_TYPE_PREFIX,
MATCH_TYPE_REGEX
};
MatchType match_type = MATCH_TYPE_NONE;
std::string value;
StringConstraint() {}
StringConstraint(MatchType match_type, std::string value)
: match_type(match_type), value(value) {
}
};
std::ostream& operator<<(std::ostream& out, const StringConstraint& c);
struct MonCapGrant {
/*
* A grant can come in one of five forms:
*
* - a blanket allow ('allow rw', 'allow *')
* - this will match against any service and the read/write/exec flags
* in the mon code. semantics of what X means are somewhat ad hoc.
*
* - a service allow ('allow service mds rw')
* - this will match against a specific service and the r/w/x flags.
*
* - a profile ('allow profile osd')
* - this will match against specific monitor-enforced semantics of what
* this type of user should need to do. examples include 'osd', 'mds',
* 'bootstrap-osd'.
*
* - a command ('allow command foo', 'allow command bar with arg1=val1 arg2 prefix val2')
* this includes the command name (the prefix string), and a set
* of key/value pairs that constrain use of that command. if no pairs
* are specified, any arguments are allowed; if a pair is specified, that
* argument must be present and equal or match a prefix.
*
* - an fs name ('allow fsname foo')
* - this will restrict access to MDSMaps in the FSMap to the provided
* fs name.
*/
std::string service;
std::string profile;
std::string command;
std::map<std::string, StringConstraint> command_args;
std::string fs_name;
// restrict by network
std::string network;
// these are filled in by parse_network(), called by MonCap::parse()
entity_addr_t network_parsed;
unsigned network_prefix = 0;
bool network_valid = true;
void parse_network();
mon_rwxa_t allow;
// explicit grants that a profile grant expands to; populated as
// needed by expand_profile() (via is_match()) and cached here.
mutable std::list<MonCapGrant> profile_grants;
void expand_profile(const EntityName& name) const;
MonCapGrant() : allow(0) {}
// cppcheck-suppress noExplicitConstructor
MonCapGrant(mon_rwxa_t a) : allow(a) {}
MonCapGrant(std::string s, mon_rwxa_t a) : service(std::move(s)), allow(a) {}
// cppcheck-suppress noExplicitConstructor
MonCapGrant(std::string c) : command(std::move(c)) {}
MonCapGrant(std::string c, std::string a, StringConstraint co) : command(std::move(c)) {
command_args[a] = co;
}
MonCapGrant(mon_rwxa_t a, std::string fsname) : fs_name(fsname), allow(a) {}
/**
* check if given request parameters match our constraints
*
* @param cct context
* @param name entity name
* @param service service (if any)
* @param command command (if any)
* @param command_args command args (if any)
* @return bits we allow
*/
mon_rwxa_t get_allowed(CephContext *cct,
EntityName name,
const std::string& service,
const std::string& command,
const std::map<std::string, std::string>& command_args) const;
bool is_allow_all() const {
return
allow == MON_CAP_ANY &&
service.length() == 0 &&
profile.length() == 0 &&
command.length() == 0 &&
fs_name.empty();
}
};
std::ostream& operator<<(std::ostream& out, const MonCapGrant& g);
struct MonCap {
std::string text;
std::vector<MonCapGrant> grants;
MonCap() {}
explicit MonCap(const std::vector<MonCapGrant> &g) : grants(g) {}
std::string get_str() const {
return text;
}
bool is_allow_all() const;
void set_allow_all();
bool parse(const std::string& str, std::ostream *err=NULL);
/**
* check if we are capable of something
*
* This method actually checks a description of a particular operation against
* what the capability has specified.
*
* @param service service name
* @param command command id
* @param command_args
* @param op_may_read whether the operation may need to read
* @param op_may_write whether the operation may need to write
* @param op_may_exec whether the operation may exec
* @return true if the operation is allowed, false otherwise
*/
bool is_capable(CephContext *cct,
EntityName name,
const std::string& service,
const std::string& command,
const std::map<std::string, std::string>& command_args,
bool op_may_read, bool op_may_write, bool op_may_exec,
const entity_addr_t& addr) const;
void encode(ceph::buffer::list& bl) const;
void decode(ceph::buffer::list::const_iterator& bl);
void dump(ceph::Formatter *f) const;
static void generate_test_instances(std::list<MonCap*>& ls);
std::vector<std::string> allowed_fs_names() const {
std::vector<std::string> ret;
for (auto& g : grants) {
if (not g.fs_name.empty()) {
ret.push_back(g.fs_name);
} else {
return {};
}
}
return ret;
}
bool fs_name_capable(const EntityName& ename, std::string_view fs_name,
__u8 mask) {
for (auto& g : grants) {
if (g.is_allow_all()) {
return true;
}
if ((g.fs_name.empty() || g.fs_name == fs_name) && (mask & g.allow)) {
return true;
}
g.expand_profile(ename);
for (auto& pg : g.profile_grants) {
if ((pg.service == "fs" || pg.service == "mds") &&
(pg.fs_name.empty() || pg.fs_name == fs_name) &&
(pg.allow & mask)) {
return true;
}
}
}
return false;
}
};
WRITE_CLASS_ENCODER(MonCap)
std::ostream& operator<<(std::ostream& out, const MonCap& cap);
#endif
|