]>
Commit | Line | Data |
---|---|---|
7c673cae FG |
1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
2 | // vim: ts=8 sw=2 smarttab | |
3 | ||
4 | #ifndef CEPH_MONCAP_H | |
5 | #define CEPH_MONCAP_H | |
6 | ||
7 | #include <ostream> | |
8 | using std::ostream; | |
9 | ||
10 | #include "include/types.h" | |
11 | #include "common/entity_name.h" | |
12 | ||
13 | class CephContext; | |
14 | ||
15 | static const __u8 MON_CAP_R = (1 << 1); // read | |
16 | static const __u8 MON_CAP_W = (1 << 2); // write | |
17 | static const __u8 MON_CAP_X = (1 << 3); // execute | |
18 | static const __u8 MON_CAP_ALL = MON_CAP_R | MON_CAP_W | MON_CAP_X; | |
19 | static const __u8 MON_CAP_ANY = 0xff; // * | |
20 | ||
21 | struct mon_rwxa_t { | |
22 | __u8 val; | |
23 | ||
24 | // cppcheck-suppress noExplicitConstructor | |
25 | mon_rwxa_t(__u8 v = 0) : val(v) {} | |
26 | mon_rwxa_t& operator=(__u8 v) { | |
27 | val = v; | |
28 | return *this; | |
29 | } | |
30 | operator __u8() const { | |
31 | return val; | |
32 | } | |
33 | }; | |
34 | ||
31f18b77 | 35 | ostream& operator<<(ostream& out, const mon_rwxa_t& p); |
7c673cae FG |
36 | |
37 | struct StringConstraint { | |
c07f9fc5 FG |
38 | enum MatchType { |
39 | MATCH_TYPE_NONE, | |
40 | MATCH_TYPE_EQUAL, | |
41 | MATCH_TYPE_PREFIX, | |
42 | MATCH_TYPE_REGEX | |
43 | }; | |
44 | ||
45 | MatchType match_type = MATCH_TYPE_NONE; | |
7c673cae | 46 | string value; |
7c673cae FG |
47 | |
48 | StringConstraint() {} | |
c07f9fc5 FG |
49 | StringConstraint(MatchType match_type, string value) |
50 | : match_type(match_type), value(value) { | |
51 | } | |
7c673cae FG |
52 | }; |
53 | ||
54 | ostream& operator<<(ostream& out, const StringConstraint& c); | |
55 | ||
56 | struct MonCapGrant { | |
57 | /* | |
58 | * A grant can come in one of four forms: | |
59 | * | |
60 | * - a blanket allow ('allow rw', 'allow *') | |
61 | * - this will match against any service and the read/write/exec flags | |
62 | * in the mon code. semantics of what X means are somewhat ad hoc. | |
63 | * | |
64 | * - a service allow ('allow service mds rw') | |
65 | * - this will match against a specific service and the r/w/x flags. | |
66 | * | |
67 | * - a profile ('allow profile osd') | |
68 | * - this will match against specific monitor-enforced semantics of what | |
69 | * this type of user should need to do. examples include 'osd', 'mds', | |
70 | * 'bootstrap-osd'. | |
71 | * | |
72 | * - a command ('allow command foo', 'allow command bar with arg1=val1 arg2 prefix val2') | |
73 | * this includes the command name (the prefix string), and a set | |
74 | * of key/value pairs that constrain use of that command. if no pairs | |
75 | * are specified, any arguments are allowed; if a pair is specified, that | |
76 | * argument must be present and equal or match a prefix. | |
77 | */ | |
78 | std::string service; | |
79 | std::string profile; | |
80 | std::string command; | |
81 | map<std::string,StringConstraint> command_args; | |
82 | ||
11fdf7f2 TL |
83 | // restrict by network |
84 | std::string network; | |
85 | ||
86 | // these are filled in by parse_network(), called by MonCap::parse() | |
87 | entity_addr_t network_parsed; | |
88 | unsigned network_prefix = 0; | |
89 | bool network_valid = true; | |
90 | ||
91 | void parse_network(); | |
92 | ||
7c673cae FG |
93 | mon_rwxa_t allow; |
94 | ||
95 | // explicit grants that a profile grant expands to; populated as | |
96 | // needed by expand_profile() (via is_match()) and cached here. | |
97 | mutable list<MonCapGrant> profile_grants; | |
98 | ||
99 | void expand_profile(int daemon_type, const EntityName& name) const; | |
100 | void expand_profile_mon(const EntityName& name) const; | |
101 | void expand_profile_mgr(const EntityName& name) const; | |
102 | ||
103 | MonCapGrant() : allow(0) {} | |
104 | // cppcheck-suppress noExplicitConstructor | |
105 | MonCapGrant(mon_rwxa_t a) : allow(a) {} | |
106 | MonCapGrant(string s, mon_rwxa_t a) : service(std::move(s)), allow(a) {} | |
107 | // cppcheck-suppress noExplicitConstructor | |
108 | MonCapGrant(string c) : command(std::move(c)) {} | |
109 | MonCapGrant(string c, string a, StringConstraint co) : command(std::move(c)) { | |
110 | command_args[a] = co; | |
111 | } | |
112 | ||
113 | /** | |
114 | * check if given request parameters match our constraints | |
115 | * | |
116 | * @param cct context | |
117 | * @param name entity name | |
118 | * @param service service (if any) | |
119 | * @param command command (if any) | |
120 | * @param command_args command args (if any) | |
121 | * @return bits we allow | |
122 | */ | |
123 | mon_rwxa_t get_allowed(CephContext *cct, | |
124 | int daemon_type, ///< CEPH_ENTITY_TYPE_* | |
125 | EntityName name, | |
126 | const std::string& service, | |
127 | const std::string& command, | |
128 | const map<string,string>& command_args) const; | |
129 | ||
130 | bool is_allow_all() const { | |
131 | return | |
132 | allow == MON_CAP_ANY && | |
133 | service.length() == 0 && | |
134 | profile.length() == 0 && | |
135 | command.length() == 0; | |
136 | } | |
137 | }; | |
138 | ||
139 | ostream& operator<<(ostream& out, const MonCapGrant& g); | |
140 | ||
141 | struct MonCap { | |
142 | string text; | |
143 | std::vector<MonCapGrant> grants; | |
144 | ||
145 | MonCap() {} | |
11fdf7f2 | 146 | explicit MonCap(const std::vector<MonCapGrant> &g) : grants(g) {} |
7c673cae FG |
147 | |
148 | string get_str() const { | |
149 | return text; | |
150 | } | |
151 | ||
152 | bool is_allow_all() const; | |
153 | void set_allow_all(); | |
154 | bool parse(const std::string& str, ostream *err=NULL); | |
155 | ||
156 | /** | |
157 | * check if we are capable of something | |
158 | * | |
159 | * This method actually checks a description of a particular operation against | |
160 | * what the capability has specified. | |
161 | * | |
162 | * @param daemon_type CEPH_ENTITY_TYPE_* for the service (MON or MGR) | |
163 | * @param service service name | |
164 | * @param command command id | |
165 | * @param command_args | |
166 | * @param op_may_read whether the operation may need to read | |
167 | * @param op_may_write whether the operation may need to write | |
168 | * @param op_may_exec whether the operation may exec | |
169 | * @return true if the operation is allowed, false otherwise | |
170 | */ | |
171 | bool is_capable(CephContext *cct, | |
172 | int daemon_type, | |
173 | EntityName name, | |
174 | const string& service, | |
175 | const string& command, const map<string,string>& command_args, | |
11fdf7f2 TL |
176 | bool op_may_read, bool op_may_write, bool op_may_exec, |
177 | const entity_addr_t& addr) const; | |
7c673cae FG |
178 | |
179 | void encode(bufferlist& bl) const; | |
11fdf7f2 | 180 | void decode(bufferlist::const_iterator& bl); |
7c673cae FG |
181 | void dump(Formatter *f) const; |
182 | static void generate_test_instances(list<MonCap*>& ls); | |
183 | }; | |
184 | WRITE_CLASS_ENCODER(MonCap) | |
185 | ||
186 | ostream& operator<<(ostream& out, const MonCap& cap); | |
187 | ||
188 | #endif |