[ceph.git] / ceph / src / mon / MonCap.cc

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
/*
 * Ceph - scalable distributed file system
 *
 * Copyright (C) 2013 Inktank
 *
 * This is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License version 2.1, as published by the Free Software
 * Foundation.  See file COPYING.
 *
 */

#include <boost/config/warning_disable.hpp>
#include <boost/spirit/include/qi_uint.hpp>
#include <boost/spirit/include/qi.hpp>
#include <boost/fusion/include/std_pair.hpp>
#include <boost/spirit/include/phoenix.hpp>
#include <boost/fusion/adapted/struct/adapt_struct.hpp>
#include <boost/fusion/include/adapt_struct.hpp>

#include "MonCap.h"
#include "include/stringify.h"
#include "common/debug.h"
#include "common/Formatter.h"

#include <algorithm>

static inline bool is_not_alnum_space(char c)
{
  return !(isalpha(c) || isdigit(c) || (c == '-') || (c == '_'));
}

static string maybe_quote_string(const std::string& str)
{
  if (find_if(str.begin(), str.end(), is_not_alnum_space) == str.end())
    return str;
  return string("\"") + str + string("\"");
}

using std::ostream;
using std::vector;

#define dout_subsys ceph_subsys_mon

ostream& operator<<(ostream& out, mon_rwxa_t p)
{ 
  if (p == MON_CAP_ANY)
    return out << "*";

  if (p & MON_CAP_R)
    out << "r";
  if (p & MON_CAP_W)
    out << "w";
  if (p & MON_CAP_X)
    out << "x";
  return out;
}

ostream& operator<<(ostream& out, const StringConstraint& c)
{
  if (c.prefix.length())
    return out << "prefix " << c.prefix;
  else
    return out << "value " << c.value;
}

ostream& operator<<(ostream& out, const MonCapGrant& m)
{
  out << "allow";
  if (m.service.length()) {
    out << " service " << maybe_quote_string(m.service);
  }
  if (m.command.length()) {
    out << " command " << maybe_quote_string(m.command);
    if (!m.command_args.empty()) {
      out << " with";
      for (map<string,StringConstraint>::const_iterator p = m.command_args.begin();
	   p != m.command_args.end();
	   ++p) {
	if (p->second.value.length())
	  out << " " << maybe_quote_string(p->first) << "=" << maybe_quote_string(p->second.value);
	else
	  out << " " << maybe_quote_string(p->first) << " prefix " << maybe_quote_string(p->second.prefix);
      }
    }
  }
  if (m.profile.length()) {
    out << " profile " << maybe_quote_string(m.profile);
  }
  if (m.allow != 0)
    out << " " << m.allow;
  return out;
}


// <magic>
//  fusion lets us easily populate structs via the qi parser.

typedef map<string,StringConstraint> kvmap;

BOOST_FUSION_ADAPT_STRUCT(MonCapGrant,
			  (std::string, service)
			  (std::string, profile)
			  (std::string, command)
			  (kvmap, command_args)
			  (mon_rwxa_t, allow))

BOOST_FUSION_ADAPT_STRUCT(StringConstraint,
			  (std::string, value)
			  (std::string, prefix))

// </magic>

void MonCapGrant::expand_profile(int daemon_type, const EntityName& name) const
{
  // only generate this list once
  if (!profile_grants.empty())
    return;

  if (profile == "read-only") {
    // grants READ-ONLY caps monitor-wide
    // 'auth' requires MON_CAP_X even for RO, which we do not grant here.
    profile_grants.push_back(mon_rwxa_t(MON_CAP_R));
    return;
  }

  if (profile == "read-write") {
    // grants READ-WRITE caps monitor-wide
    // 'auth' requires MON_CAP_X for all operations, which we do not grant.
    profile_grants.push_back(mon_rwxa_t(MON_CAP_R | MON_CAP_W));
    return;
  }

  switch (daemon_type) {
  case CEPH_ENTITY_TYPE_MON:
    expand_profile_mon(name);
    return;
  case CEPH_ENTITY_TYPE_MGR:
    expand_profile_mgr(name);
    return;
  }
}

void MonCapGrant::expand_profile_mgr(const EntityName& name) const
{
}

void MonCapGrant::expand_profile_mon(const EntityName& name) const
{
  if (profile == "mon") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_ALL));
    profile_grants.push_back(MonCapGrant("log", MON_CAP_ALL));
  }
  if (profile == "osd") {
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_ALL));
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
  }
  if (profile == "mds") {
    profile_grants.push_back(MonCapGrant("mds", MON_CAP_ALL));
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
    // This command grant is checked explicitly in MRemoveSnaps handling
    profile_grants.push_back(MonCapGrant("osd pool rmsnap"));
    profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
  }
  if (profile == "mgr") {
    profile_grants.push_back(MonCapGrant("mgr", MON_CAP_ALL));
    profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("config-key", MON_CAP_R));
    string prefix = string("daemon-private/mgr/");
    profile_grants.push_back(MonCapGrant("config-key get", "key",
					 StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("config-key put", "key",
					 StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("config-key exists", "key",
					 StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("config-key delete", "key",
					 StringConstraint("", prefix)));
  }
  if (profile == "osd" || profile == "mds" || profile == "mon" ||
      profile == "mgr") {
    string prefix = string("daemon-private/") + stringify(name) + string("/");
    profile_grants.push_back(MonCapGrant("config-key get", "key", StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("config-key put", "key", StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("config-key exists", "key", StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("config-key delete", "key", StringConstraint("", prefix)));
  }
  if (profile == "bootstrap-osd") {
    string prefix = "dm-crypt/osd";
    profile_grants.push_back(MonCapGrant("config-key put", "key", StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));  // read monmap
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));  // read osdmap
    profile_grants.push_back(MonCapGrant("mon getmap"));
    profile_grants.push_back(MonCapGrant("osd create"));
    profile_grants.push_back(MonCapGrant("auth get-or-create"));
    profile_grants.back().command_args["entity"] = StringConstraint("", "client.");
    prefix = "allow command \"config-key get\" with key=\"dm-crypt/osd/";
    profile_grants.back().command_args["caps_mon"] = StringConstraint("", prefix);
    profile_grants.push_back(MonCapGrant("auth add"));
    profile_grants.back().command_args["entity"] = StringConstraint("", "osd.");
    profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile osd", "");
    profile_grants.back().command_args["caps_osd"] = StringConstraint("allow *", "");
  }
  if (profile == "bootstrap-mds") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));  // read monmap
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));  // read osdmap
    profile_grants.push_back(MonCapGrant("mon getmap"));
    profile_grants.push_back(MonCapGrant("auth get-or-create"));  // FIXME: this can expose other mds keys
    profile_grants.back().command_args["entity"] = StringConstraint("", "mds.");
    profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile mds", "");
    profile_grants.back().command_args["caps_osd"] = StringConstraint("allow rwx", "");
    profile_grants.back().command_args["caps_mds"] = StringConstraint("allow", "");
  }
  if (profile == "bootstrap-mgr") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));  // read monmap
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));  // read osdmap
    profile_grants.push_back(MonCapGrant("mon getmap"));
    profile_grants.push_back(MonCapGrant("auth get-or-create"));  // FIXME: this can expose other mgr keys
    profile_grants.back().command_args["entity"] = StringConstraint("", "mgr.");
    profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile mgr", "");
  }
  if (profile == "bootstrap-rgw") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));  // read monmap
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));  // read osdmap
    profile_grants.push_back(MonCapGrant("mon getmap"));
    profile_grants.push_back(MonCapGrant("auth get-or-create"));  // FIXME: this can expose other mds keys
    profile_grants.back().command_args["entity"] = StringConstraint("", "client.rgw.");
    profile_grants.back().command_args["caps_mon"] = StringConstraint("allow rw", "");
    profile_grants.back().command_args["caps_osd"] = StringConstraint("allow rwx", "");
  }
  if (profile == "fs-client") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
  }
  if (profile == "simple-rados-client") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
  }

  if (profile == "role-definer") {
    // grants ALL caps to the auth subsystem, read-only on the
    // monitor subsystem and nothing else.
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("auth", MON_CAP_ALL));
  }
}

mon_rwxa_t MonCapGrant::get_allowed(CephContext *cct,
				    int daemon_type,
				    EntityName name,
				    const std::string& s, const std::string& c,
				    const map<string,string>& c_args) const
{
  if (profile.length()) {
    expand_profile(daemon_type, name);
    mon_rwxa_t a;
    for (list<MonCapGrant>::const_iterator p = profile_grants.begin();
	 p != profile_grants.end(); ++p)
      a = a | p->get_allowed(cct, daemon_type, name, s, c, c_args);
    return a;
  }
  if (service.length()) {
    if (service != s)
      return 0;
    return allow;
  }
  if (command.length()) {
    if (command != c)
      return 0;
    for (map<string,StringConstraint>::const_iterator p = command_args.begin(); p != command_args.end(); ++p) {
      map<string,string>::const_iterator q = c_args.find(p->first);
      // argument must be present if a constraint exists
      if (q == c_args.end())
	return 0;
      if (p->second.value.length()) {
	// match value
	if (p->second.value != q->second)
	  return 0;
      } else {
	// match prefix
	if (q->second.find(p->second.prefix) != 0)
	  return 0;
      }
    }
    return MON_CAP_ALL;
  }
  return allow;
}

ostream& operator<<(ostream&out, const MonCap& m)
{
  for (vector<MonCapGrant>::const_iterator p = m.grants.begin(); p != m.grants.end(); ++p) {
    if (p != m.grants.begin())
      out << ", ";
    out << *p;
  }
  return out;
}

bool MonCap::is_allow_all() const
{
  for (vector<MonCapGrant>::const_iterator p = grants.begin(); p != grants.end(); ++p)
    if (p->is_allow_all())
      return true;
  return false;
}

void MonCap::set_allow_all()
{
  grants.clear();
  grants.push_back(MonCapGrant(MON_CAP_ANY));
  text = "allow *";
}

bool MonCap::is_capable(CephContext *cct,
			int daemon_type,
			EntityName name,
			const string& service,
			const string& command, const map<string,string>& command_args,
			bool op_may_read, bool op_may_write, bool op_may_exec) const
{
  if (cct)
    ldout(cct, 20) << "is_capable service=" << service << " command=" << command
		   << (op_may_read ? " read":"")
		   << (op_may_write ? " write":"")
		   << (op_may_exec ? " exec":"")
		   << " on cap " << *this
		   << dendl;
  mon_rwxa_t allow = 0;
  for (vector<MonCapGrant>::const_iterator p = grants.begin();
       p != grants.end(); ++p) {
    if (cct)
      ldout(cct, 20) << " allow so far " << allow << ", doing grant " << *p << dendl;

    if (p->is_allow_all()) {
      if (cct)
	ldout(cct, 20) << " allow all" << dendl;
      return true;
    }

    // check enumerated caps
    allow = allow | p->get_allowed(cct, daemon_type, name, service, command,
				   command_args);
    if ((!op_may_read || (allow & MON_CAP_R)) &&
	(!op_may_write || (allow & MON_CAP_W)) &&
	(!op_may_exec || (allow & MON_CAP_X))) {
      if (cct)
	ldout(cct, 20) << " match" << dendl;
      return true;
    }
  }
  return false;
}

void MonCap::encode(bufferlist& bl) const
{
  ENCODE_START(4, 4, bl);   // legacy MonCaps was 3, 3
  ::encode(text, bl);
  ENCODE_FINISH(bl);
}

void MonCap::decode(bufferlist::iterator& bl)
{
  string s;
  DECODE_START(4, bl);
  ::decode(s, bl);
  DECODE_FINISH(bl);
  parse(s, NULL);
}

void MonCap::dump(Formatter *f) const
{
  f->dump_string("text", text);
}

void MonCap::generate_test_instances(list<MonCap*>& ls)
{
  ls.push_back(new MonCap);
  ls.push_back(new MonCap);
  ls.back()->parse("allow *");
  ls.push_back(new MonCap);
  ls.back()->parse("allow rwx");
  ls.push_back(new MonCap);
  ls.back()->parse("allow service foo x");
  ls.push_back(new MonCap);
  ls.back()->parse("allow command bar x");
  ls.push_back(new MonCap);
  ls.back()->parse("allow service foo r, allow command bar x");
  ls.push_back(new MonCap);
  ls.back()->parse("allow command bar with k1=v1 x");
  ls.push_back(new MonCap);
  ls.back()->parse("allow command bar with k1=v1 k2=v2 x");
}

// grammar
namespace qi = boost::spirit::qi;
namespace ascii = boost::spirit::ascii;
namespace phoenix = boost::phoenix;


template <typename Iterator>
struct MonCapParser : qi::grammar<Iterator, MonCap()>
{
  MonCapParser() : MonCapParser::base_type(moncap)
  {
    using qi::char_;
    using qi::int_;
    using qi::ulong_long;
    using qi::lexeme;
    using qi::alnum;
    using qi::_val;
    using qi::_1;
    using qi::_2;
    using qi::_3;
    using qi::eps;
    using qi::lit;

    quoted_string %=
      lexeme['"' >> +(char_ - '"') >> '"'] | 
      lexeme['\'' >> +(char_ - '\'') >> '\''];
    unquoted_word %= +char_("a-zA-Z0-9_.-");
    str %= quoted_string | unquoted_word;

    spaces = +(lit(' ') | lit('\n') | lit('\t'));

    // command := command[=]cmd [k1=v1 k2=v2 ...]
    str_match = '=' >> str >> qi::attr(string());
    str_prefix = spaces >> lit("prefix") >> spaces >> qi::attr(string()) >> str;
    kv_pair = str >> (str_match | str_prefix);
    kv_map %= kv_pair >> *(spaces >> kv_pair);
    command_match = -spaces >> lit("allow") >> spaces >> lit("command") >> (lit('=') | spaces)
			    >> qi::attr(string()) >> qi::attr(string())
			    >> str
			    >> -(spaces >> lit("with") >> spaces >> kv_map)
			    >> qi::attr(0);

    // service foo rwxa
    service_match %= -spaces >> lit("allow") >> spaces >> lit("service") >> (lit('=') | spaces)
			     >> str >> qi::attr(string()) >> qi::attr(string())
			     >> qi::attr(map<string,StringConstraint>())
                             >> spaces >> rwxa;

    // profile foo
    profile_match %= -spaces >> lit("allow") >> spaces >> lit("profile") >> (lit('=') | spaces)
			     >> qi::attr(string())
			     >> str
			     >> qi::attr(string())
			     >> qi::attr(map<string,StringConstraint>())
			     >> qi::attr(0);

    // rwxa
    rwxa_match %= -spaces >> lit("allow") >> spaces
			  >> qi::attr(string()) >> qi::attr(string()) >> qi::attr(string())
			  >> qi::attr(map<string,StringConstraint>())
			  >> rwxa;

    // rwxa := * | [r][w][x]
    rwxa =
      (lit("*")[_val = MON_CAP_ANY]) |
      ( eps[_val = 0] >>
	( lit('r')[_val |= MON_CAP_R] ||
	  lit('w')[_val |= MON_CAP_W] ||
	  lit('x')[_val |= MON_CAP_X]
	  )
	);

    // grant := allow ...
    grant = -spaces >> (rwxa_match | profile_match | service_match | command_match) >> -spaces;

    // moncap := grant [grant ...]
    grants %= (grant % (*lit(' ') >> (lit(';') | lit(',')) >> *lit(' ')));
    moncap = grants  [_val = phoenix::construct<MonCap>(_1)]; 

  }
  qi::rule<Iterator> spaces;
  qi::rule<Iterator, unsigned()> rwxa;
  qi::rule<Iterator, string()> quoted_string;
  qi::rule<Iterator, string()> unquoted_word;
  qi::rule<Iterator, string()> str;

  qi::rule<Iterator, StringConstraint()> str_match, str_prefix;
  qi::rule<Iterator, pair<string, StringConstraint>()> kv_pair;
  qi::rule<Iterator, map<string, StringConstraint>()> kv_map;

  qi::rule<Iterator, MonCapGrant()> rwxa_match;
  qi::rule<Iterator, MonCapGrant()> command_match;
  qi::rule<Iterator, MonCapGrant()> service_match;
  qi::rule<Iterator, MonCapGrant()> profile_match;
  qi::rule<Iterator, MonCapGrant()> grant;
  qi::rule<Iterator, std::vector<MonCapGrant>()> grants;
  qi::rule<Iterator, MonCap()> moncap;
};

bool MonCap::parse(const string& str, ostream *err)
{
  string s = str;
  string::iterator iter = s.begin();
  string::iterator end = s.end();

  MonCapParser<string::iterator> g;
  bool r = qi::parse(iter, end, g, *this);
  //MonCapGrant foo;
  //bool r = qi::phrase_parse(iter, end, g, ascii::space, foo);
  if (r && iter == end) {
    text = str;
    return true;
  }

  // Make sure no grants are kept after parsing failed!
  grants.clear();

  if (err) {
    if (iter != end)
      *err << "moncap parse failed, stopped at '" << std::string(iter, end)
	   << "' of '" << str << "'\n";
    else
      *err << "moncap parse failed, stopped at end of '" << str << "'\n";
  }

  return false; 
}
Commit	Line	Data
7c673cae FG	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
	2	// vim: ts=8 sw=2 smarttab
	3	/*
	4	* Ceph - scalable distributed file system
	5	*
	6	* Copyright (C) 2013 Inktank
	7	*
	8	* This is free software; you can redistribute it and/or
	9	* modify it under the terms of the GNU Lesser General Public
	10	* License version 2.1, as published by the Free Software
	11	* Foundation. See file COPYING.
	12	*
	13	*/
	14
	15	#include <boost/config/warning_disable.hpp>
	16	#include <boost/spirit/include/qi_uint.hpp>
	17	#include <boost/spirit/include/qi.hpp>
	18	#include <boost/fusion/include/std_pair.hpp>
	19	#include <boost/spirit/include/phoenix.hpp>
	20	#include <boost/fusion/adapted/struct/adapt_struct.hpp>
	21	#include <boost/fusion/include/adapt_struct.hpp>
	22
	23	#include "MonCap.h"
	24	#include "include/stringify.h"
	25	#include "common/debug.h"
	26	#include "common/Formatter.h"
	27
	28	#include <algorithm>
	29
	30	static inline bool is_not_alnum_space(char c)
	31	{
	32	return !(isalpha(c) \|\| isdigit(c) \|\| (c == '-') \|\| (c == '_'));
	33	}
	34
	35	static string maybe_quote_string(const std::string& str)
	36	{
	37	if (find_if(str.begin(), str.end(), is_not_alnum_space) == str.end())
	38	return str;
	39	return string("\"") + str + string("\"");
	40	}
	41
	42	using std::ostream;
	43	using std::vector;
	44
	45	#define dout_subsys ceph_subsys_mon
	46
	47	ostream& operator<<(ostream& out, mon_rwxa_t p)
	48	{
	49	if (p == MON_CAP_ANY)
	50	return out << "*";
	51
	52	if (p & MON_CAP_R)
	53	out << "r";
	54	if (p & MON_CAP_W)
	55	out << "w";
	56	if (p & MON_CAP_X)
	57	out << "x";
	58	return out;
	59	}
	60
	61	ostream& operator<<(ostream& out, const StringConstraint& c)
	62	{
	63	if (c.prefix.length())
	64	return out << "prefix " << c.prefix;
65	else
66	return out << "value " << c.value;
67	}
68
69	ostream& operator<<(ostream& out, const MonCapGrant& m)
70	{
71	out << "allow";
72	if (m.service.length()) {
73	out << " service " << maybe_quote_string(m.service);
74	}
75	if (m.command.length()) {
76	out << " command " << maybe_quote_string(m.command);
77	if (!m.command_args.empty()) {
78	out << " with";
79	for (map<string,StringConstraint>::const_iterator p = m.command_args.begin();
80	p != m.command_args.end();
81	++p) {
82	if (p->second.value.length())
83	out << " " << maybe_quote_string(p->first) << "=" << maybe_quote_string(p->second.value);
84	else
85	out << " " << maybe_quote_string(p->first) << " prefix " << maybe_quote_string(p->second.prefix);
86	}
87	}
88	}
89	if (m.profile.length()) {
90	out << " profile " << maybe_quote_string(m.profile);
91	}
92	if (m.allow != 0)
93	out << " " << m.allow;
94	return out;
95	}
96
97
98	// <magic>
99	// fusion lets us easily populate structs via the qi parser.
100
101	typedef map<string,StringConstraint> kvmap;
102
103	BOOST_FUSION_ADAPT_STRUCT(MonCapGrant,
104	(std::string, service)
105	(std::string, profile)
106	(std::string, command)
107	(kvmap, command_args)
108	(mon_rwxa_t, allow))
109
110	BOOST_FUSION_ADAPT_STRUCT(StringConstraint,
111	(std::string, value)
112	(std::string, prefix))
113
114	// </magic>
115
116	void MonCapGrant::expand_profile(int daemon_type, const EntityName& name) const
117	{
118	// only generate this list once
119	if (!profile_grants.empty())
120	return;
121
122	if (profile == "read-only") {
123	// grants READ-ONLY caps monitor-wide
124	// 'auth' requires MON_CAP_X even for RO, which we do not grant here.
125	profile_grants.push_back(mon_rwxa_t(MON_CAP_R));
126	return;
127	}
128
129	if (profile == "read-write") {
130	// grants READ-WRITE caps monitor-wide
131	// 'auth' requires MON_CAP_X for all operations, which we do not grant.
132	profile_grants.push_back(mon_rwxa_t(MON_CAP_R \| MON_CAP_W));
133	return;
134	}
135
136	switch (daemon_type) {
137	case CEPH_ENTITY_TYPE_MON:
138	expand_profile_mon(name);
139	return;
140	case CEPH_ENTITY_TYPE_MGR:
141	expand_profile_mgr(name);
142	return;
143	}
144	}
145
146	void MonCapGrant::expand_profile_mgr(const EntityName& name) const
147	{
148	}
149
150	void MonCapGrant::expand_profile_mon(const EntityName& name) const
151	{
152	if (profile == "mon") {
153	profile_grants.push_back(MonCapGrant("mon", MON_CAP_ALL));
154	profile_grants.push_back(MonCapGrant("log", MON_CAP_ALL));
155	}
156	if (profile == "osd") {
157	profile_grants.push_back(MonCapGrant("osd", MON_CAP_ALL));
158	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
159	profile_grants.push_back(MonCapGrant("pg", MON_CAP_R \| MON_CAP_W));
160	profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
161	}
162	if (profile == "mds") {
163	profile_grants.push_back(MonCapGrant("mds", MON_CAP_ALL));
164	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
165	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
166	// This command grant is checked explicitly in MRemoveSnaps handling
167	profile_grants.push_back(MonCapGrant("osd pool rmsnap"));
168	profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
169	}
170	if (profile == "mgr") {
171	profile_grants.push_back(MonCapGrant("mgr", MON_CAP_ALL));
172	profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
173	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
174	profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
175	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R \| MON_CAP_W));
176	profile_grants.push_back(MonCapGrant("config-key", MON_CAP_R));
177	string prefix = string("daemon-private/mgr/");
178	profile_grants.push_back(MonCapGrant("config-key get", "key",
179	StringConstraint("", prefix)));
180	profile_grants.push_back(MonCapGrant("config-key put", "key",
181	StringConstraint("", prefix)));
182	profile_grants.push_back(MonCapGrant("config-key exists", "key",
183	StringConstraint("", prefix)));
184	profile_grants.push_back(MonCapGrant("config-key delete", "key",
185	StringConstraint("", prefix)));
186	}
187	if (profile == "osd" \|\| profile == "mds" \|\| profile == "mon" \|\|
188	profile == "mgr") {
189	string prefix = string("daemon-private/") + stringify(name) + string("/");
190	profile_grants.push_back(MonCapGrant("config-key get", "key", StringConstraint("", prefix)));
191	profile_grants.push_back(MonCapGrant("config-key put", "key", StringConstraint("", prefix)));
192	profile_grants.push_back(MonCapGrant("config-key exists", "key", StringConstraint("", prefix)));
193	profile_grants.push_back(MonCapGrant("config-key delete", "key", StringConstraint("", prefix)));
194	}
195	if (profile == "bootstrap-osd") {
196	string prefix = "dm-crypt/osd";
197	profile_grants.push_back(MonCapGrant("config-key put", "key", StringConstraint("", prefix)));
198	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
199	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap
200	profile_grants.push_back(MonCapGrant("mon getmap"));
201	profile_grants.push_back(MonCapGrant("osd create"));
202	profile_grants.push_back(MonCapGrant("auth get-or-create"));
203	profile_grants.back().command_args["entity"] = StringConstraint("", "client.");
204	prefix = "allow command \"config-key get\" with key=\"dm-crypt/osd/";
205	profile_grants.back().command_args["caps_mon"] = StringConstraint("", prefix);
206	profile_grants.push_back(MonCapGrant("auth add"));
207	profile_grants.back().command_args["entity"] = StringConstraint("", "osd.");
208	profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile osd", "");
209	profile_grants.back().command_args["caps_osd"] = StringConstraint("allow *", "");
210	}
211	if (profile == "bootstrap-mds") {
212	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
213	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap
214	profile_grants.push_back(MonCapGrant("mon getmap"));
215	profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mds keys
216	profile_grants.back().command_args["entity"] = StringConstraint("", "mds.");
217	profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile mds", "");
218	profile_grants.back().command_args["caps_osd"] = StringConstraint("allow rwx", "");
219	profile_grants.back().command_args["caps_mds"] = StringConstraint("allow", "");
220	}
221	if (profile == "bootstrap-mgr") {
222	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
223	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap
224	profile_grants.push_back(MonCapGrant("mon getmap"));
225	profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mgr keys
226	profile_grants.back().command_args["entity"] = StringConstraint("", "mgr.");
227	profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile mgr", "");
228	}
229	if (profile == "bootstrap-rgw") {
230	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
231	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap
232	profile_grants.push_back(MonCapGrant("mon getmap"));
233	profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mds keys
234	profile_grants.back().command_args["entity"] = StringConstraint("", "client.rgw.");
235	profile_grants.back().command_args["caps_mon"] = StringConstraint("allow rw", "");
236	profile_grants.back().command_args["caps_osd"] = StringConstraint("allow rwx", "");
237	}
238	if (profile == "fs-client") {
239	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
240	profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
241	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
242	profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
243	}
244	if (profile == "simple-rados-client") {
245	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
246	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
247	profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
248	}
249
250	if (profile == "role-definer") {
251	// grants ALL caps to the auth subsystem, read-only on the
252	// monitor subsystem and nothing else.
253	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
254	profile_grants.push_back(MonCapGrant("auth", MON_CAP_ALL));
255	}
256	}
257
258	mon_rwxa_t MonCapGrant::get_allowed(CephContext *cct,
259	int daemon_type,
260	EntityName name,
261	const std::string& s, const std::string& c,
262	const map<string,string>& c_args) const
263	{
264	if (profile.length()) {
265	expand_profile(daemon_type, name);
266	mon_rwxa_t a;
267	for (list<MonCapGrant>::const_iterator p = profile_grants.begin();
268	p != profile_grants.end(); ++p)
269	a = a \| p->get_allowed(cct, daemon_type, name, s, c, c_args);
270	return a;
271	}
272	if (service.length()) {
273	if (service != s)
274	return 0;
275	return allow;
276	}
277	if (command.length()) {
278	if (command != c)
279	return 0;
280	for (map<string,StringConstraint>::const_iterator p = command_args.begin(); p != command_args.end(); ++p) {
281	map<string,string>::const_iterator q = c_args.find(p->first);
282	// argument must be present if a constraint exists
283	if (q == c_args.end())
284	return 0;
285	if (p->second.value.length()) {
286	// match value
287	if (p->second.value != q->second)
288	return 0;
289	} else {
290	// match prefix
291	if (q->second.find(p->second.prefix) != 0)
292	return 0;
293	}
294	}
295	return MON_CAP_ALL;
296	}
297	return allow;
298	}
299
300	ostream& operator<<(ostream&out, const MonCap& m)
301	{
302	for (vector<MonCapGrant>::const_iterator p = m.grants.begin(); p != m.grants.end(); ++p) {
303	if (p != m.grants.begin())
304	out << ", ";
305	out << *p;
306	}
307	return out;
308	}
309
310	bool MonCap::is_allow_all() const
311	{
312	for (vector<MonCapGrant>::const_iterator p = grants.begin(); p != grants.end(); ++p)
313	if (p->is_allow_all())
314	return true;
315	return false;
316	}
317
318	void MonCap::set_allow_all()
319	{
320	grants.clear();
321	grants.push_back(MonCapGrant(MON_CAP_ANY));
322	text = "allow *";
323	}
324
325	bool MonCap::is_capable(CephContext *cct,
326	int daemon_type,
327	EntityName name,
328	const string& service,
329	const string& command, const map<string,string>& command_args,
330	bool op_may_read, bool op_may_write, bool op_may_exec) const
331	{
332	if (cct)
333	ldout(cct, 20) << "is_capable service=" << service << " command=" << command
334	<< (op_may_read ? " read":"")
335	<< (op_may_write ? " write":"")
336	<< (op_may_exec ? " exec":"")
337	<< " on cap " << *this
338	<< dendl;
339	mon_rwxa_t allow = 0;
340	for (vector<MonCapGrant>::const_iterator p = grants.begin();
341	p != grants.end(); ++p) {
342	if (cct)
343	ldout(cct, 20) << " allow so far " << allow << ", doing grant " << *p << dendl;
344
345	if (p->is_allow_all()) {
346	if (cct)
347	ldout(cct, 20) << " allow all" << dendl;
348	return true;
349	}
350
351	// check enumerated caps
352	allow = allow \| p->get_allowed(cct, daemon_type, name, service, command,
353	command_args);
354	if ((!op_may_read \|\| (allow & MON_CAP_R)) &&
355	(!op_may_write \|\| (allow & MON_CAP_W)) &&
356	(!op_may_exec \|\| (allow & MON_CAP_X))) {
357	if (cct)
358	ldout(cct, 20) << " match" << dendl;
359	return true;
360	}
361	}
362	return false;
363	}
364
365	void MonCap::encode(bufferlist& bl) const
366	{
367	ENCODE_START(4, 4, bl); // legacy MonCaps was 3, 3
368	::encode(text, bl);
369	ENCODE_FINISH(bl);
370	}
371
372	void MonCap::decode(bufferlist::iterator& bl)
373	{
374	string s;
375	DECODE_START(4, bl);
376	::decode(s, bl);
377	DECODE_FINISH(bl);
378	parse(s, NULL);
379	}
380
381	void MonCap::dump(Formatter *f) const
382	{
383	f->dump_string("text", text);
384	}
385
386	void MonCap::generate_test_instances(list<MonCap*>& ls)
387	{
388	ls.push_back(new MonCap);
389	ls.push_back(new MonCap);
390	ls.back()->parse("allow *");
391	ls.push_back(new MonCap);
392	ls.back()->parse("allow rwx");
393	ls.push_back(new MonCap);
394	ls.back()->parse("allow service foo x");
395	ls.push_back(new MonCap);
396	ls.back()->parse("allow command bar x");
397	ls.push_back(new MonCap);
398	ls.back()->parse("allow service foo r, allow command bar x");
399	ls.push_back(new MonCap);
400	ls.back()->parse("allow command bar with k1=v1 x");
401	ls.push_back(new MonCap);
402	ls.back()->parse("allow command bar with k1=v1 k2=v2 x");
403	}
404
405	// grammar
406	namespace qi = boost::spirit::qi;
407	namespace ascii = boost::spirit::ascii;
408	namespace phoenix = boost::phoenix;
409
410
411	template <typename Iterator>
412	struct MonCapParser : qi::grammar<Iterator, MonCap()>
413	{
414	MonCapParser() : MonCapParser::base_type(moncap)
415	{
416	using qi::char_;
417	using qi::int_;
418	using qi::ulong_long;
419	using qi::lexeme;
420	using qi::alnum;
421	using qi::_val;
422	using qi::_1;
423	using qi::_2;
424	using qi::_3;
425	using qi::eps;
426	using qi::lit;
427
428	quoted_string %=
429	lexeme['"' >> +(char_ - '"') >> '"'] \|
430	lexeme['\'' >> +(char_ - '\'') >> '\''];
431	unquoted_word %= +char_("a-zA-Z0-9_.-");
432	str %= quoted_string \| unquoted_word;
433
434	spaces = +(lit(' ') \| lit('\n') \| lit('\t'));
435
436	// command := command[=]cmd [k1=v1 k2=v2 ...]
437	str_match = '=' >> str >> qi::attr(string());
438	str_prefix = spaces >> lit("prefix") >> spaces >> qi::attr(string()) >> str;
439	kv_pair = str >> (str_match \| str_prefix);
440	kv_map %= kv_pair >> *(spaces >> kv_pair);
441	command_match = -spaces >> lit("allow") >> spaces >> lit("command") >> (lit('=') \| spaces)
442	>> qi::attr(string()) >> qi::attr(string())
443	>> str
444	>> -(spaces >> lit("with") >> spaces >> kv_map)
445	>> qi::attr(0);
446
447	// service foo rwxa
448	service_match %= -spaces >> lit("allow") >> spaces >> lit("service") >> (lit('=') \| spaces)
449	>> str >> qi::attr(string()) >> qi::attr(string())
450	>> qi::attr(map<string,StringConstraint>())
451	>> spaces >> rwxa;
452
453	// profile foo
454	profile_match %= -spaces >> lit("allow") >> spaces >> lit("profile") >> (lit('=') \| spaces)
455	>> qi::attr(string())
456	>> str
457	>> qi::attr(string())
458	>> qi::attr(map<string,StringConstraint>())
459	>> qi::attr(0);
460
461	// rwxa
462	rwxa_match %= -spaces >> lit("allow") >> spaces
463	>> qi::attr(string()) >> qi::attr(string()) >> qi::attr(string())
464	>> qi::attr(map<string,StringConstraint>())
465	>> rwxa;
466
467	// rwxa := * \| [r][w][x]
468	rwxa =
469	(lit("*")[_val = MON_CAP_ANY]) \|
470	( eps[_val = 0] >>
471	( lit('r')[_val \|= MON_CAP_R] \|\|
472	lit('w')[_val \|= MON_CAP_W] \|\|
473	lit('x')[_val \|= MON_CAP_X]
474	)
475	);
476
477	// grant := allow ...
478	grant = -spaces >> (rwxa_match \| profile_match \| service_match \| command_match) >> -spaces;
479
480	// moncap := grant [grant ...]
481	grants %= (grant % (lit(' ') >> (lit(';') \| lit(',')) >> lit(' ')));
482	moncap = grants [_val = phoenix::construct<MonCap>(_1)];
483
484	}
485	qi::rule<Iterator> spaces;
486	qi::rule<Iterator, unsigned()> rwxa;
487	qi::rule<Iterator, string()> quoted_string;
488	qi::rule<Iterator, string()> unquoted_word;
489	qi::rule<Iterator, string()> str;
490
491	qi::rule<Iterator, StringConstraint()> str_match, str_prefix;
492	qi::rule<Iterator, pair<string, StringConstraint>()> kv_pair;
493	qi::rule<Iterator, map<string, StringConstraint>()> kv_map;
494
495	qi::rule<Iterator, MonCapGrant()> rwxa_match;
496	qi::rule<Iterator, MonCapGrant()> command_match;
497	qi::rule<Iterator, MonCapGrant()> service_match;
498	qi::rule<Iterator, MonCapGrant()> profile_match;
499	qi::rule<Iterator, MonCapGrant()> grant;
500	qi::rule<Iterator, std::vector<MonCapGrant>()> grants;
501	qi::rule<Iterator, MonCap()> moncap;
502	};
503
504	bool MonCap::parse(const string& str, ostream *err)
505	{
506	string s = str;
507	string::iterator iter = s.begin();
508	string::iterator end = s.end();
509
510	MonCapParser<string::iterator> g;
511	bool r = qi::parse(iter, end, g, *this);
512	//MonCapGrant foo;
513	//bool r = qi::phrase_parse(iter, end, g, ascii::space, foo);
514	if (r && iter == end) {
515	text = str;
516	return true;
517	}
518
519	// Make sure no grants are kept after parsing failed!
520	grants.clear();
521
522	if (err) {
523	if (iter != end)
524	*err << "moncap parse failed, stopped at '" << std::string(iter, end)
525	<< "' of '" << str << "'\n";
526	else
527	*err << "moncap parse failed, stopped at end of '" << str << "'\n";
528	}
529
530	return false;
531	}
532