1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2014 Red Hat
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
16 #ifndef MDS_AUTH_CAPS_H
17 #define MDS_AUTH_CAPS_H
21 #include <string_view>
24 #include "include/types.h"
25 #include "common/debug.h"
27 // unix-style capabilities
31 MAY_EXECUTE
= (1 << 2),
34 MAY_SET_VXATTR
= (1 << 6),
35 MAY_SNAPSHOT
= (1 << 7),
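// Permission bits carried by an MDSCapSpec (its `caps` member). A grant
// parsed from the auth cap string sets some subset of these; the allow_*()
// accessors below test single bits.
//
// NOTE(review): ALL is its own bit, not the union of the others. How an ALL
// grant relates to READ/WRITE/SET_VXATTR/SNAPSHOT is decided by the
// MDSCapSpec constructor / allow_all(), whose bodies are not in this view.
//
// Declared `static constexpr` rather than `static const`: the header already
// uses std::string_view (C++17), and in C++17 a constexpr static data member
// is implicitly inline, so an odr-use (binding one of these to a
// `const unsigned&`, passing it to std::min/max, ...) no longer needs an
// out-of-class definition and cannot produce an undefined-reference error.
static constexpr unsigned ALL        = (1 << 0);
static constexpr unsigned READ       = (1 << 1);
static constexpr unsigned WRITE      = (1 << 2);
// if the capability permits setting vxattrs (layout, quota, etc)
static constexpr unsigned SET_VXATTR = (1 << 3);
// if the capability permits mksnap/rmsnap
static constexpr unsigned SNAPSHOT   = (1 << 4);

// Convenience unions for the common multi-letter cap spellings.
static constexpr unsigned RW   = (READ | WRITE);
static constexpr unsigned RWP  = (READ | WRITE | SET_VXATTR);
static constexpr unsigned RWS  = (READ | WRITE | SNAPSHOT);
static constexpr unsigned RWPS = (READ | WRITE | SET_VXATTR | SNAPSHOT);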
// Default spec: `caps` keeps whatever in-class initializer it has (that
// declaration is outside this view — presumably zero, i.e. no rights; confirm).
MDSCapSpec() = default;
56 MDSCapSpec(unsigned _caps
) : caps(_caps
) {
61 bool allow_all() const {
64 bool allow_read() const {
// True when the WRITE bit is set in this spec's caps.
// Only the bit itself is tested; any "ALL implies write" rule lives in the
// constructor / allow_all(), outside this view.
bool allow_write() const {
  const bool has_write = (caps & WRITE) != 0;
  return has_write;
}
71 bool allows(bool r
, bool w
) const {
74 if (r
&& !allow_read())
76 if (w
&& !allow_write())
// True when the SNAPSHOT bit (mksnap/rmsnap) is set in this spec's caps.
bool allow_snapshot() const {
  const bool has_snapshot = (caps & SNAPSHOT) != 0;
  return has_snapshot;
}
// True when the SET_VXATTR bit (layout, quota, ... vxattrs) is set in caps.
bool allow_set_vxattr() const {
  const bool has_vxattr = (caps & SET_VXATTR) != 0;
  return has_vxattr;
}
91 // conditions before we are allowed to do it
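// Sentinel for `uid`: no caller-uid requirement (wildcard).
// constexpr: implicitly inline in C++17, so odr-uses need no out-of-class
// definition.
static constexpr int64_t MDS_AUTH_UID_ANY = -1;

// Default-initialised to the wildcard so a constructor that forgets to set
// it cannot leave an indeterminate (and therefore unpredictable) uid check.
// Every constructor in this view sets it explicitly, so behaviour is unchanged.
int64_t uid = MDS_AUTH_UID_ANY;  // Require UID to be equal to this, if !=MDS_AUTH_UID_ANY
std::vector<gid_t> gids;          // Use these GIDs
std::string path;                 // Require path to be child of this (may be "" or "/" for any)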
// Wildcard match: any uid, no gid requirement, any path ("" matches all).
MDSCapMatch()
  : uid(MDS_AUTH_UID_ANY),
    gids(),
    path() {
}
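// Match on caller identity only; `path` stays "" (any path).
// `gids_` is now taken by const reference: the non-const reference rejected
// temporaries and const vectors for no reason, since the vector is only
// copied here. Existing callers passing a non-const lvalue still bind.
MDSCapMatch(int64_t uid_, const std::vector<gid_t>& gids_)
  : uid(uid_), gids(gids_) {}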
101 explicit MDSCapMatch(const std::string
&path_
)
102 : uid(MDS_AUTH_UID_ANY
), path(path_
) {
105 MDSCapMatch(const std::string
& path_
, int64_t uid_
, std::vector
<gid_t
>& gids_
)
106 : uid(uid_
), gids(gids_
), path(path_
) {
// Canonicalise `path` (defined out of line). Presumably called by the
// path-taking constructors; the exact rules (leading/trailing '/' handling)
// live in the .cc — confirm there before relying on a particular form.
void normalize_path();
// True when this match restricts nothing: no uid requirement and an empty
// path. `gids` is not consulted here.
bool is_match_all() const {
  const bool any_uid = (uid == MDS_AUTH_UID_ANY);
  return any_uid && path.empty();
}
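// check whether this grant matches against a given file and caller uid:gid
// (defined out of line).
//   target_path      path of the inode being accessed
//   caller_uid/gid   credentials of the requesting client
//   caller_gid_list  supplementary gids of the caller
// NOTE(review): caller_uid/caller_gid are `int` while is_capable() receives
// uid_t/gid_t (unsigned); an id above INT_MAX changes sign on the way in.
// Confirm in the definition that this cannot make a uid/gid comparison
// succeed or fail unexpectedly.
// NOTE(review): caller_gid_list is a pointer; check whether the definition
// tolerates nullptr before passing one.
// `std::vector` is spelled out, as on the member declarations above, so the
// declaration does not depend on a `using namespace std` reaching this
// header through an include.
bool match(std::string_view target_path,
           const int caller_uid,
           const int caller_gid,
           const std::vector<uint64_t> *caller_gid_list) const;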
/**
 * Check whether this path *might* be accessible (actual permission
 * depends on the stronger check in match()).
 *
 * Pre-filter only: a true result is not an authorization decision, since
 * uid/gid requirements are evaluated by match(), not here.
 *
 * @param target_path filesystem path without leading '/'
 */
bool match_path(std::string_view target_path) const;
// Network restriction state of this grant, filled in by parse_network()
// (presumably from a textual network spec held in a member outside this view).
entity_addr_t network_parsed;   // parsed network address — confirm in parse_network()
unsigned network_prefix = 0;    // presumably the CIDR prefix length for network_parsed
// NOTE(review): defaults to true, so a grant with no network clause is
// treated as valid for any client address; confirm that parse_network()
// clears this on an unparseable spec rather than leaving it true.
bool network_valid = true;
142 MDSCapGrant(const MDSCapSpec
&spec_
, const MDSCapMatch
&match_
,
143 boost::optional
<std::string
> n
)
144 : spec(spec_
), match(match_
) {
// Populate network_parsed / network_prefix / network_valid from the grant's
// textual network spec (defined out of line).
void parse_network();
CephContext *cct = nullptr;       // non-owning; stays null for the spirit/phoenix ctor below
std::vector<MDSCapGrant> grants;  // grants parsed from the cap string; how they
                                  // combine is decided in is_capable() — confirm there
// Empty cap set: no grants and no cct; presumably grants nothing until
// parse() or set_allow_all() runs — confirm in is_capable().
MDSAuthCaps() = default;
// Empty cap set that keeps a (non-owning) CephContext pointer.
explicit MDSAuthCaps(CephContext *cct_)
  : cct{cct_} {
}
// this ctor is used by spirit/phoenix; doesn't need cct.
// Builds a cap set directly from already-parsed grants; cct stays nullptr.
explicit MDSAuthCaps(const std::vector<MDSCapGrant>& grants_)
  : grants(grants_) {
}
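// Presumably replaces the grant list with a single wildcard grant (defined
// out of line).
void set_allow_all();
// Parse a cap string into `grants` (defined out of line). The signature
// suggests false on a syntax error with details written to *err.
// NOTE(review): the `cct` parameter shadows the `cct` member; confirm which
// one the definition reads and whether the member is updated.
bool parse(CephContext *cct, std::string_view str, std::ostream *err);

// True when the caps allow everything (defined out of line).
bool allow_all() const;
// The authorization decision (defined out of line): may the caller
// (uid, gid, caller_gid_list, connecting from addr) perform `mask` on the
// inode described by inode_path / inode_uid / inode_gid / inode_mode?
// new_uid/new_gid are presumably the ownership a chown would set;
// `mask` is presumably a combination of the MAY_* bits above — confirm both.
// `std::vector` is spelled out, as on the member declarations above, so the
// declaration does not depend on a `using namespace std` reaching this
// header through an include.
bool is_capable(std::string_view inode_path,
                uid_t inode_uid, gid_t inode_gid, unsigned inode_mode,
                uid_t uid, gid_t gid, const std::vector<uint64_t> *caller_gid_list,
                unsigned mask, uid_t new_uid, gid_t new_gid,
                const entity_addr_t& addr) const;
// Cheap path-only pre-check (cf. MDSCapMatch::match_path); not an
// authorization decision.
bool path_capable(std::string_view inode_path) const;

friend std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap);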
// Stream formatters for the cap types above (defined out of line).
// NOTE(review): what each one prints (e.g. whether gids or the network
// restriction are included) is not visible here; check before relying on
// them for audit output.
std::ostream &operator<<(std::ostream &out, const MDSCapMatch &match);
std::ostream &operator<<(std::ostream &out, const MDSCapSpec &spec);
std::ostream &operator<<(std::ostream &out, const MDSCapGrant &grant);
std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap);
191 #endif // MDS_AUTH_CAPS_H