qa/workunits/mon/test_config_key_caps.sh


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201

#!/usr/bin/env bash

set -x
set -e

tmp=$(mktemp -d -p /tmp test_mon_config_key_caps.XXXXX)
entities=()

function cleanup()
{
	set +e
	set +x
	if [[ -e $tmp/keyring ]] && [[ -e $tmp/keyring.orig ]]; then
		grep '\[.*\..*\]' $tmp/keyring.orig > $tmp/entities.orig
		for e in $(grep '\[.*\..*\]' $tmp/keyring | \
			diff $tmp/entities.orig - | \
			sed -n 's/^.*\[\(.*\..*\)\]/\1/p');
		do
			ceph auth rm $e 2>&1 >& /dev/null
		done
	fi
	#rm -fr $tmp
}

trap cleanup 0 # cleanup on exit

function expect_false()
{
	set -x
	if "$@"; then return 1; else return 0; fi
}

# for cleanup purposes
ceph auth export -o $tmp/keyring.orig

k=$tmp/keyring

# setup a few keys
ceph config-key ls
ceph config-key set daemon-private/osd.123/test-foo
ceph config-key set mgr/test-foo
ceph config-key set device/test-foo
ceph config-key set test/foo

allow_aa=client.allow_aa
allow_bb=client.allow_bb
allow_cc=client.allow_cc

mgr_a=mgr.a
mgr_b=mgr.b
osd_a=osd.100
osd_b=osd.200

prefix_aa=client.prefix_aa
prefix_bb=client.prefix_bb
prefix_cc=client.prefix_cc
match_aa=client.match_aa
match_bb=client.match_bb

fail_aa=client.fail_aa
fail_bb=client.fail_bb
fail_cc=client.fail_cc
fail_dd=client.fail_dd
fail_ee=client.fail_ee
fail_ff=client.fail_ff
fail_gg=client.fail_gg
fail_writes=client.fail_writes

ceph auth get-or-create $allow_aa mon 'allow *'
ceph auth get-or-create $allow_bb mon 'allow service config-key rwx'
ceph auth get-or-create $allow_cc mon 'allow command "config-key get"'

ceph auth get-or-create $mgr_a mon 'allow profile mgr'
ceph auth get-or-create $mgr_b mon 'allow profile mgr'
ceph auth get-or-create $osd_a mon 'allow profile osd'
ceph auth get-or-create $osd_b mon 'allow profile osd'

ceph auth get-or-create $prefix_aa mon \
	"allow command \"config-key get\" with key prefix client/$prefix_aa"

cap="allow command \"config-key set\" with key prefix client/"
cap="$cap,allow command \"config-key get\" with key prefix client/$prefix_bb"
ceph auth get-or-create $prefix_bb mon "$cap"

cap="allow command \"config-key get\" with key prefix client/"
cap="$cap, allow command \"config-key set\" with key prefix client/"
cap="$cap, allow command \"config-key ls\""
ceph auth get-or-create $prefix_cc mon "$cap"

cap="allow command \"config-key get\" with key=client/$match_aa/foo"
ceph auth get-or-create $match_aa mon "$cap"
cap="allow command \"config-key get\" with key=client/$match_bb/foo"
cap="$cap,allow command \"config-key set\" with key=client/$match_bb/foo"
ceph auth get-or-create $match_bb mon "$cap"

ceph auth get-or-create $fail_aa mon 'allow rx'
ceph auth get-or-create $fail_bb mon 'allow r,allow w'
ceph auth get-or-create $fail_cc mon 'allow rw'
ceph auth get-or-create $fail_dd mon 'allow rwx'
ceph auth get-or-create $fail_ee mon 'allow profile bootstrap-rgw'
ceph auth get-or-create $fail_ff mon 'allow profile bootstrap-rbd'
# write commands will require rw; wx is not enough
ceph auth get-or-create $fail_gg mon 'allow service config-key wx'
# read commands will only require 'r'; 'rx' should be enough.
ceph auth get-or-create $fail_writes mon 'allow service config-key rx'

# grab keyring
ceph auth export -o $k

# keys will all the caps can do whatever
for c in $allow_aa $allow_bb $allow_cc $mgr_a $mgr_b; do
	ceph -k $k --name $c config-key get daemon-private/osd.123/test-foo
	ceph -k $k --name $c config-key get mgr/test-foo
	ceph -k $k --name $c config-key get device/test-foo
	ceph -k $k --name $c config-key get test/foo
done

for c in $osd_a $osd_b; do
	ceph -k $k --name $c config-key put daemon-private/$c/test-foo
	ceph -k $k --name $c config-key get daemon-private/$c/test-foo
	expect_false ceph -k $k --name $c config-key ls
	expect_false ceph -k $k --name $c config-key get mgr/test-foo
	expect_false ceph -k $k --name $c config-key get device/test-foo
	expect_false ceph -k $k --name $c config-key get test/foo
done

expect_false ceph -k $k --name $osd_a get daemon-private/$osd_b/test-foo
expect_false ceph -k $k --name $osd_b get daemon-private/$osd_a/test-foo

expect_false ceph -k $k --name $prefix_aa \
	config-key ls
expect_false ceph -k $k --name $prefix_aa \
	config-key get daemon-private/osd.123/test-foo
expect_false ceph -k $k --name $prefix_aa \
	config-key set test/bar
expect_false ceph -k $k --name $prefix_aa \
	config-key set client/$prefix_aa/foo

# write something so we can read, use a custom entity
ceph -k $k --name $allow_bb config-key set client/$prefix_aa/foo
ceph -k $k --name $prefix_aa config-key get client/$prefix_aa/foo
# check one writes to the other's prefix, the other is able to read
ceph -k $k --name $prefix_bb config-key set client/$prefix_aa/bar
ceph -k $k --name $prefix_aa config-key get client/$prefix_aa/bar

ceph -k $k --name $prefix_bb config-key set client/$prefix_bb/foo
ceph -k $k --name $prefix_bb config-key get client/$prefix_bb/foo

expect_false ceph -k $k --name $prefix_bb config-key get client/$prefix_aa/bar
expect_false ceph -k $k --name $prefix_bb config-key ls
expect_false ceph -k $k --name $prefix_bb \
	config-key get daemon-private/osd.123/test-foo
expect_false ceph -k $k --name $prefix_bb config-key get mgr/test-foo
expect_false ceph -k $k --name $prefix_bb config-key get device/test-foo
expect_false ceph -k $k --name $prefix_bb config-key get test/bar
expect_false ceph -k $k --name $prefix_bb config-key set test/bar

ceph -k $k --name $prefix_cc config-key set client/$match_aa/foo
ceph -k $k --name $prefix_cc config-key set client/$match_bb/foo
ceph -k $k --name $prefix_cc config-key get client/$match_aa/foo
ceph -k $k --name $prefix_cc config-key get client/$match_bb/foo
expect_false ceph -k $k --name $prefix_cc config-key set other/prefix
expect_false ceph -k $k --name $prefix_cc config-key get mgr/test-foo
ceph -k $k --name $prefix_cc config-key ls >& /dev/null

ceph -k $k --name $match_aa config-key get client/$match_aa/foo
expect_false ceph -k $k --name $match_aa config-key get client/$match_bb/foo
expect_false ceph -k $k --name $match_aa config-key set client/$match_aa/foo
ceph -k $k --name $match_bb config-key get client/$match_bb/foo
ceph -k $k --name $match_bb config-key set client/$match_bb/foo
expect_false ceph -k $k --name $match_bb config-key get client/$match_aa/foo
expect_false ceph -k $k --name $match_bb config-key set client/$match_aa/foo

keys=(daemon-private/osd.123/test-foo
	  mgr/test-foo
	  device/test-foo
	  test/foo
	  client/$prefix_aa/foo
	  client/$prefix_bb/foo
	  client/$match_aa/foo
	  client/$match_bb/foo
)
# expect these all to fail accessing config-key
for c in $fail_aa $fail_bb $fail_cc \
		 $fail_dd $fail_ee $fail_ff \
		 $fail_gg; do
	for m in get set; do
		for key in ${keys[*]} client/$prefix_aa/foo client/$prefix_bb/foo; do
			expect_false ceph -k $k --name $c config-key $m $key
		done
	done
done

# fail writes but succeed on reads
expect_false ceph -k $k --name $fail_writes config-key set client/$match_aa/foo
expect_false ceph -k $k --name $fail_writes config-key set test/foo
ceph -k $k --name $fail_writes config-key ls
ceph -k $k --name $fail_writes config-key get client/$match_aa/foo 
ceph -k $k --name $fail_writes config-key get daemon-private/osd.123/test-foo

echo "OK"