]> git.proxmox.com Git - ceph.git/blame - ceph/src/mon/MonCap.h
update sources to ceph Nautilus 14.2.1
[ceph.git] / ceph / src / mon / MonCap.h
CommitLineData
7c673cae
FG
1// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2// vim: ts=8 sw=2 smarttab
3
4#ifndef CEPH_MONCAP_H
5#define CEPH_MONCAP_H
6
7#include <ostream>
8using std::ostream;
9
10#include "include/types.h"
11#include "common/entity_name.h"
12
13class CephContext;
14
15static const __u8 MON_CAP_R = (1 << 1); // read
16static const __u8 MON_CAP_W = (1 << 2); // write
17static const __u8 MON_CAP_X = (1 << 3); // execute
18static const __u8 MON_CAP_ALL = MON_CAP_R | MON_CAP_W | MON_CAP_X;
19static const __u8 MON_CAP_ANY = 0xff; // *
20
21struct mon_rwxa_t {
22 __u8 val;
23
24 // cppcheck-suppress noExplicitConstructor
25 mon_rwxa_t(__u8 v = 0) : val(v) {}
26 mon_rwxa_t& operator=(__u8 v) {
27 val = v;
28 return *this;
29 }
30 operator __u8() const {
31 return val;
32 }
33};
34
31f18b77 35ostream& operator<<(ostream& out, const mon_rwxa_t& p);
7c673cae
FG
36
37struct StringConstraint {
c07f9fc5
FG
38 enum MatchType {
39 MATCH_TYPE_NONE,
40 MATCH_TYPE_EQUAL,
41 MATCH_TYPE_PREFIX,
42 MATCH_TYPE_REGEX
43 };
44
45 MatchType match_type = MATCH_TYPE_NONE;
7c673cae 46 string value;
7c673cae
FG
47
48 StringConstraint() {}
c07f9fc5
FG
49 StringConstraint(MatchType match_type, string value)
50 : match_type(match_type), value(value) {
51 }
7c673cae
FG
52};
53
54ostream& operator<<(ostream& out, const StringConstraint& c);
55
56struct MonCapGrant {
57 /*
58 * A grant can come in one of four forms:
59 *
60 * - a blanket allow ('allow rw', 'allow *')
61 * - this will match against any service and the read/write/exec flags
62 * in the mon code. semantics of what X means are somewhat ad hoc.
63 *
64 * - a service allow ('allow service mds rw')
65 * - this will match against a specific service and the r/w/x flags.
66 *
67 * - a profile ('allow profile osd')
68 * - this will match against specific monitor-enforced semantics of what
69 * this type of user should need to do. examples include 'osd', 'mds',
70 * 'bootstrap-osd'.
71 *
72 * - a command ('allow command foo', 'allow command bar with arg1=val1 arg2 prefix val2')
73 * this includes the command name (the prefix string), and a set
74 * of key/value pairs that constrain use of that command. if no pairs
75 * are specified, any arguments are allowed; if a pair is specified, that
76 * argument must be present and equal or match a prefix.
77 */
78 std::string service;
79 std::string profile;
80 std::string command;
81 map<std::string,StringConstraint> command_args;
82
11fdf7f2
TL
83 // restrict by network
84 std::string network;
85
86 // these are filled in by parse_network(), called by MonCap::parse()
87 entity_addr_t network_parsed;
88 unsigned network_prefix = 0;
89 bool network_valid = true;
90
91 void parse_network();
92
7c673cae
FG
93 mon_rwxa_t allow;
94
95 // explicit grants that a profile grant expands to; populated as
96 // needed by expand_profile() (via is_match()) and cached here.
97 mutable list<MonCapGrant> profile_grants;
98
99 void expand_profile(int daemon_type, const EntityName& name) const;
100 void expand_profile_mon(const EntityName& name) const;
101 void expand_profile_mgr(const EntityName& name) const;
102
103 MonCapGrant() : allow(0) {}
104 // cppcheck-suppress noExplicitConstructor
105 MonCapGrant(mon_rwxa_t a) : allow(a) {}
106 MonCapGrant(string s, mon_rwxa_t a) : service(std::move(s)), allow(a) {}
107 // cppcheck-suppress noExplicitConstructor
108 MonCapGrant(string c) : command(std::move(c)) {}
109 MonCapGrant(string c, string a, StringConstraint co) : command(std::move(c)) {
110 command_args[a] = co;
111 }
112
113 /**
114 * check if given request parameters match our constraints
115 *
116 * @param cct context
117 * @param name entity name
118 * @param service service (if any)
119 * @param command command (if any)
120 * @param command_args command args (if any)
121 * @return bits we allow
122 */
123 mon_rwxa_t get_allowed(CephContext *cct,
124 int daemon_type, ///< CEPH_ENTITY_TYPE_*
125 EntityName name,
126 const std::string& service,
127 const std::string& command,
128 const map<string,string>& command_args) const;
129
130 bool is_allow_all() const {
131 return
132 allow == MON_CAP_ANY &&
133 service.length() == 0 &&
134 profile.length() == 0 &&
135 command.length() == 0;
136 }
137};
138
139ostream& operator<<(ostream& out, const MonCapGrant& g);
140
141struct MonCap {
142 string text;
143 std::vector<MonCapGrant> grants;
144
145 MonCap() {}
11fdf7f2 146 explicit MonCap(const std::vector<MonCapGrant> &g) : grants(g) {}
7c673cae
FG
147
148 string get_str() const {
149 return text;
150 }
151
152 bool is_allow_all() const;
153 void set_allow_all();
154 bool parse(const std::string& str, ostream *err=NULL);
155
156 /**
157 * check if we are capable of something
158 *
159 * This method actually checks a description of a particular operation against
160 * what the capability has specified.
161 *
162 * @param daemon_type CEPH_ENTITY_TYPE_* for the service (MON or MGR)
163 * @param service service name
164 * @param command command id
165 * @param command_args
166 * @param op_may_read whether the operation may need to read
167 * @param op_may_write whether the operation may need to write
168 * @param op_may_exec whether the operation may exec
169 * @return true if the operation is allowed, false otherwise
170 */
171 bool is_capable(CephContext *cct,
172 int daemon_type,
173 EntityName name,
174 const string& service,
175 const string& command, const map<string,string>& command_args,
11fdf7f2
TL
176 bool op_may_read, bool op_may_write, bool op_may_exec,
177 const entity_addr_t& addr) const;
7c673cae
FG
178
179 void encode(bufferlist& bl) const;
11fdf7f2 180 void decode(bufferlist::const_iterator& bl);
7c673cae
FG
181 void dump(Formatter *f) const;
182 static void generate_test_instances(list<MonCap*>& ls);
183};
184WRITE_CLASS_ENCODER(MonCap)
185
186ostream& operator<<(ostream& out, const MonCap& cap);
187
188#endif