[ceph.git] / ceph / src / mon / MonCap.h

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab

#ifndef CEPH_MONCAP_H
#define CEPH_MONCAP_H

#include <ostream>
using std::ostream;

#include "include/types.h"
#include "common/entity_name.h"

class CephContext;

static const __u8 MON_CAP_R     = (1 << 1);      // read
static const __u8 MON_CAP_W     = (1 << 2);      // write
static const __u8 MON_CAP_X     = (1 << 3);      // execute
static const __u8 MON_CAP_ALL   = MON_CAP_R | MON_CAP_W | MON_CAP_X;
static const __u8 MON_CAP_ANY   = 0xff;          // *

struct mon_rwxa_t {
  __u8 val;

  // cppcheck-suppress noExplicitConstructor
  mon_rwxa_t(__u8 v = 0) : val(v) {}
  mon_rwxa_t& operator=(__u8 v) {
    val = v;
    return *this;
  }
  operator __u8() const {
    return val;
  }
};

ostream& operator<<(ostream& out, const mon_rwxa_t& p);

struct StringConstraint {
  enum MatchType {
    MATCH_TYPE_NONE,
    MATCH_TYPE_EQUAL,
    MATCH_TYPE_PREFIX,
    MATCH_TYPE_REGEX
  };

  MatchType match_type = MATCH_TYPE_NONE;
  string value;

  StringConstraint() {}
  StringConstraint(MatchType match_type, string value)
    : match_type(match_type), value(value) {
  }
};

ostream& operator<<(ostream& out, const StringConstraint& c);

struct MonCapGrant {
  /*
   * A grant can come in one of four forms:
   *
   *  - a blanket allow ('allow rw', 'allow *')
   *    - this will match against any service and the read/write/exec flags
   *      in the mon code.  semantics of what X means are somewhat ad hoc.
   *
   *  - a service allow ('allow service mds rw')
   *    - this will match against a specific service and the r/w/x flags.
   *
   *  - a profile ('allow profile osd')
   *    - this will match against specific monitor-enforced semantics of what
   *      this type of user should need to do.  examples include 'osd', 'mds',
   *      'bootstrap-osd'.
   *
   *  - a command ('allow command foo', 'allow command bar with arg1=val1 arg2 prefix val2')
   *      this includes the command name (the prefix string), and a set
   *      of key/value pairs that constrain use of that command.  if no pairs
   *      are specified, any arguments are allowed; if a pair is specified, that
   *      argument must be present and equal or match a prefix.
   */
  std::string service;
  std::string profile;
  std::string command;
  map<std::string,StringConstraint> command_args;

  // restrict by network
  std::string network;

  // these are filled in by parse_network(), called by MonCap::parse()
  entity_addr_t network_parsed;
  unsigned network_prefix = 0;
  bool network_valid = true;

  void parse_network();

  mon_rwxa_t allow;

  // explicit grants that a profile grant expands to; populated as
  // needed by expand_profile() (via is_match()) and cached here.
  mutable list<MonCapGrant> profile_grants;

  void expand_profile(int daemon_type, const EntityName& name) const;
  void expand_profile_mon(const EntityName& name) const;
  void expand_profile_mgr(const EntityName& name) const;

  MonCapGrant() : allow(0) {}
  // cppcheck-suppress noExplicitConstructor
  MonCapGrant(mon_rwxa_t a) : allow(a) {}
  MonCapGrant(string s, mon_rwxa_t a) : service(std::move(s)), allow(a) {}
  // cppcheck-suppress noExplicitConstructor  
  MonCapGrant(string c) : command(std::move(c)) {}
  MonCapGrant(string c, string a, StringConstraint co) : command(std::move(c)) {
    command_args[a] = co;
  }

  /**
   * check if given request parameters match our constraints
   *
   * @param cct context
   * @param name entity name
   * @param service service (if any)
   * @param command command (if any)
   * @param command_args command args (if any)
   * @return bits we allow
   */
  mon_rwxa_t get_allowed(CephContext *cct,
			 int daemon_type, ///< CEPH_ENTITY_TYPE_*
			 EntityName name,
			 const std::string& service,
			 const std::string& command,
			 const map<string,string>& command_args) const;

  bool is_allow_all() const {
    return
      allow == MON_CAP_ANY &&
      service.length() == 0 &&
      profile.length() == 0 &&
      command.length() == 0;
  }
};

ostream& operator<<(ostream& out, const MonCapGrant& g);

struct MonCap {
  string text;
  std::vector<MonCapGrant> grants;

  MonCap() {}
  explicit MonCap(const std::vector<MonCapGrant> &g) : grants(g) {}

  string get_str() const {
    return text;
  }

  bool is_allow_all() const;
  void set_allow_all();
  bool parse(const std::string& str, ostream *err=NULL);

  /**
   * check if we are capable of something
   *
   * This method actually checks a description of a particular operation against
   * what the capability has specified.
   *
   * @param daemon_type CEPH_ENTITY_TYPE_* for the service (MON or MGR)
   * @param service service name
   * @param command command id
   * @param command_args
   * @param op_may_read whether the operation may need to read
   * @param op_may_write whether the operation may need to write
   * @param op_may_exec whether the operation may exec
   * @return true if the operation is allowed, false otherwise
   */
  bool is_capable(CephContext *cct,
		  int daemon_type,
		  EntityName name,
		  const string& service,
		  const string& command, const map<string,string>& command_args,
		  bool op_may_read, bool op_may_write, bool op_may_exec,
		  const entity_addr_t& addr) const;

  void encode(bufferlist& bl) const;
  void decode(bufferlist::const_iterator& bl);
  void dump(Formatter *f) const;
  static void generate_test_instances(list<MonCap*>& ls);
};
WRITE_CLASS_ENCODER(MonCap)

ostream& operator<<(ostream& out, const MonCap& cap);

#endif
Commit	Line	Data
7c673cae FG	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
	2	// vim: ts=8 sw=2 smarttab
	3
	4	#ifndef CEPH_MONCAP_H
	5	#define CEPH_MONCAP_H
	6
	7	#include <ostream>
	8	using std::ostream;
	9
	10	#include "include/types.h"
	11	#include "common/entity_name.h"
	12
	13	class CephContext;
	14
	15	static const __u8 MON_CAP_R = (1 << 1); // read
	16	static const __u8 MON_CAP_W = (1 << 2); // write
	17	static const __u8 MON_CAP_X = (1 << 3); // execute
	18	static const __u8 MON_CAP_ALL = MON_CAP_R \| MON_CAP_W \| MON_CAP_X;
	19	static const __u8 MON_CAP_ANY = 0xff; // *
	20
	21	struct mon_rwxa_t {
	22	__u8 val;
	23
	24	// cppcheck-suppress noExplicitConstructor
	25	mon_rwxa_t(__u8 v = 0) : val(v) {}
	26	mon_rwxa_t& operator=(__u8 v) {
	27	val = v;
	28	return *this;
	29	}
	30	operator __u8() const {
	31	return val;
	32	}
	33	};
	34
31f18b77	35	ostream& operator<<(ostream& out, const mon_rwxa_t& p);
7c673cae FG	36
7c673cae FG	37	struct StringConstraint {
c07f9fc5 FG	38	enum MatchType {
	39	MATCH_TYPE_NONE,
	40	MATCH_TYPE_EQUAL,
	41	MATCH_TYPE_PREFIX,
	42	MATCH_TYPE_REGEX
	43	};
	44
	45	MatchType match_type = MATCH_TYPE_NONE;
7c673cae	46	string value;
7c673cae FG	47
7c673cae FG	48	StringConstraint() {}
c07f9fc5 FG	49	StringConstraint(MatchType match_type, string value)
	50	: match_type(match_type), value(value) {
	51	}
7c673cae FG	52	};
	53
	54	ostream& operator<<(ostream& out, const StringConstraint& c);
	55
	56	struct MonCapGrant {
	57	/*
	58	* A grant can come in one of four forms:
	59	*
	60	* - a blanket allow ('allow rw', 'allow *')
	61	* - this will match against any service and the read/write/exec flags
	62	* in the mon code. semantics of what X means are somewhat ad hoc.
	63	*
	64	* - a service allow ('allow service mds rw')
	65	* - this will match against a specific service and the r/w/x flags.
	66	*
	67	* - a profile ('allow profile osd')
	68	* - this will match against specific monitor-enforced semantics of what
	69	* this type of user should need to do. examples include 'osd', 'mds',
	70	* 'bootstrap-osd'.
	71	*
	72	* - a command ('allow command foo', 'allow command bar with arg1=val1 arg2 prefix val2')
	73	* this includes the command name (the prefix string), and a set
	74	* of key/value pairs that constrain use of that command. if no pairs
	75	* are specified, any arguments are allowed; if a pair is specified, that
	76	* argument must be present and equal or match a prefix.
	77	*/
	78	std::string service;
	79	std::string profile;
	80	std::string command;
	81	map<std::string,StringConstraint> command_args;
	82
11fdf7f2 TL	83	// restrict by network
	84	std::string network;
	85
	86	// these are filled in by parse_network(), called by MonCap::parse()
	87	entity_addr_t network_parsed;
	88	unsigned network_prefix = 0;
	89	bool network_valid = true;
	90
	91	void parse_network();
	92
7c673cae FG	93	mon_rwxa_t allow;
	94
	95	// explicit grants that a profile grant expands to; populated as
	96	// needed by expand_profile() (via is_match()) and cached here.
	97	mutable list<MonCapGrant> profile_grants;
	98
	99	void expand_profile(int daemon_type, const EntityName& name) const;
	100	void expand_profile_mon(const EntityName& name) const;
	101	void expand_profile_mgr(const EntityName& name) const;
	102
	103	MonCapGrant() : allow(0) {}
	104	// cppcheck-suppress noExplicitConstructor
	105	MonCapGrant(mon_rwxa_t a) : allow(a) {}
	106	MonCapGrant(string s, mon_rwxa_t a) : service(std::move(s)), allow(a) {}
	107	// cppcheck-suppress noExplicitConstructor
	108	MonCapGrant(string c) : command(std::move(c)) {}
	109	MonCapGrant(string c, string a, StringConstraint co) : command(std::move(c)) {
	110	command_args[a] = co;
	111	}
	112
	113	/**
	114	* check if given request parameters match our constraints
	115	*
	116	* @param cct context
	117	* @param name entity name
	118	* @param service service (if any)
	119	* @param command command (if any)
	120	* @param command_args command args (if any)
	121	* @return bits we allow
	122	*/
	123	mon_rwxa_t get_allowed(CephContext *cct,
	124	int daemon_type, ///< CEPH_ENTITY_TYPE_*
	125	EntityName name,
	126	const std::string& service,
	127	const std::string& command,
	128	const map<string,string>& command_args) const;
	129
	130	bool is_allow_all() const {
	131	return
	132	allow == MON_CAP_ANY &&
	133	service.length() == 0 &&
	134	profile.length() == 0 &&
	135	command.length() == 0;
	136	}
	137	};
	138
	139	ostream& operator<<(ostream& out, const MonCapGrant& g);
	140
	141	struct MonCap {
	142	string text;
	143	std::vector<MonCapGrant> grants;
	144
	145	MonCap() {}
11fdf7f2	146	explicit MonCap(const std::vector<MonCapGrant> &g) : grants(g) {}
7c673cae FG	147
	148	string get_str() const {
	149	return text;
	150	}
	151
	152	bool is_allow_all() const;
	153	void set_allow_all();
	154	bool parse(const std::string& str, ostream *err=NULL);
	155
	156	/**
	157	* check if we are capable of something
	158	*
	159	* This method actually checks a description of a particular operation against
	160	* what the capability has specified.
	161	*
	162	* @param daemon_type CEPH_ENTITY_TYPE_* for the service (MON or MGR)
	163	* @param service service name
	164	* @param command command id
	165	* @param command_args
	166	* @param op_may_read whether the operation may need to read
	167	* @param op_may_write whether the operation may need to write
	168	* @param op_may_exec whether the operation may exec
	169	* @return true if the operation is allowed, false otherwise
	170	*/
	171	bool is_capable(CephContext *cct,
	172	int daemon_type,
	173	EntityName name,
	174	const string& service,
	175	const string& command, const map<string,string>& command_args,
11fdf7f2 TL	176	bool op_may_read, bool op_may_write, bool op_may_exec,
11fdf7f2 TL	177	const entity_addr_t& addr) const;
7c673cae FG	178
7c673cae FG	179	void encode(bufferlist& bl) const;
11fdf7f2	180	void decode(bufferlist::const_iterator& bl);
7c673cae FG	181	void dump(Formatter *f) const;
	182	static void generate_test_instances(list<MonCap*>& ls);
	183	};
	184	WRITE_CLASS_ENCODER(MonCap)
	185
	186	ostream& operator<<(ostream& out, const MonCap& cap);
	187
	188	#endif