1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
10 #include "include/types.h"
11 #include "common/entity_name.h"
// Per-grant permission bits.  Bit 0 is not used by any of the named flags.
static const __u8 MON_CAP_R   = 0x02;                              // read
static const __u8 MON_CAP_W   = 0x04;                              // write
static const __u8 MON_CAP_X   = 0x08;                              // execute
// 'rwx': exactly the three named flags and nothing else.
static const __u8 MON_CAP_ALL = MON_CAP_R | MON_CAP_W | MON_CAP_X;
// '*': every bit set.  Deliberately distinct from MON_CAP_ALL --
// MonCapGrant::is_allow_all() compares against MON_CAP_ANY, so an
// 'allow rwx' grant is not treated as a blanket 'allow *'.
static const __u8 MON_CAP_ANY = 0xff;
// Wraps a raw permission bit set.  Implicit conversion from the raw bits is
// intentional (hence the cppcheck suppression); the default is 0, i.e. no bits.
// cppcheck-suppress noExplicitConstructor
mon_rwxa_t(__u8 v = 0) : val{v} {}
26 mon_rwxa_t
& operator=(__u8 v
) {
30 operator __u8() const {
// Stream output for a permission bit set; the definition lives out of line.
ostream& operator<<(ostream& out, const mon_rwxa_t& p);
37 struct StringConstraint
{
// Builds a constraint on one command argument.  Per the grant rules below,
// `v` is presumably the exact value the argument must equal and `p` the
// prefix it must start with; which one is consulted is decided elsewhere.
StringConstraint(string v, string p)
  : value(std::move(v)), prefix(std::move(p)) {}
// Stream output for a StringConstraint; the definition lives out of line.
ostream& operator<<(ostream& out, const StringConstraint& c);
50 * A grant can come in one of four forms:
52 * - a blanket allow ('allow rw', 'allow *')
53 * - this will match against any service and the read/write/exec flags
54 * in the mon code. semantics of what X means are somewhat ad hoc.
56 * - a service allow ('allow service mds rw')
57 * - this will match against a specific service and the r/w/x flags.
59 * - a profile ('allow profile osd')
60 * - this will match against specific monitor-enforced semantics of what
61 * this type of user should need to do. examples include 'osd', 'mds',
 * - a command ('allow command foo', 'allow command bar with arg1=val1 arg2 prefix val2')
 *   - this includes the command name (the prefix string), and a set
 *     of key/value pairs that constrain use of that command. if no pairs
 *     are specified, any arguments are allowed, so a bare 'allow command foo'
 *     authorizes every invocation of foo regardless of its arguments; add
 *     'with ...' constraints when a command's arguments determine its scope.
 *     if a pair is specified, that argument must be present and either equal
 *     the given value ('arg1=val1') or start with the given prefix
 *     ('arg2 prefix val2').
73 map
<std::string
,StringConstraint
> command_args
;
77 // explicit grants that a profile grant expands to; populated as
78 // needed by expand_profile() (via is_match()) and cached here.
79 mutable list
<MonCapGrant
> profile_grants
;
81 void expand_profile(int daemon_type
, const EntityName
& name
) const;
82 void expand_profile_mon(const EntityName
& name
) const;
83 void expand_profile_mgr(const EntityName
& name
) const;
// Empty grant: no permission bits and no service, profile or command, so it
// presumably matches nothing until one of the fields is filled in.
MonCapGrant() : allow{0} {}
// Blanket grant ('allow rw', 'allow *'): the bits apply to any service.
// Implicit conversion from mon_rwxa_t is intentional (cppcheck suppression).
// cppcheck-suppress noExplicitConstructor
MonCapGrant(mon_rwxa_t a) : allow{a} {}
// Service grant ('allow service mds rw'): the bits apply only to service `s`.
MonCapGrant(string s, mon_rwxa_t a)
  : service(std::move(s)), allow{a} {}
// Command grant with no argument constraints ('allow command foo'): per the
// grant rules above, any arguments to `c` are then accepted.
// cppcheck-suppress noExplicitConstructor
MonCapGrant(string c) : command(std::move(c)) {}
91 MonCapGrant(string c
, string a
, StringConstraint co
) : command(std::move(c
)) {
96 * check if given request parameters match our constraints
99 * @param name entity name
100 * @param service service (if any)
101 * @param command command (if any)
102 * @param command_args command args (if any)
103 * @return bits we allow
105 mon_rwxa_t
get_allowed(CephContext
*cct
,
106 int daemon_type
, ///< CEPH_ENTITY_TYPE_*
108 const std::string
& service
,
109 const std::string
& command
,
110 const map
<string
,string
>& command_args
) const;
112 bool is_allow_all() const {
114 allow
== MON_CAP_ANY
&&
115 service
.length() == 0 &&
116 profile
.length() == 0 &&
117 command
.length() == 0;
121 ostream
& operator<<(ostream
& out
, const MonCapGrant
& g
);
125 std::vector
<MonCapGrant
> grants
;
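// Builds a capability from an explicit grant list.  `g` is a sink parameter
// (taken by value), so move it into place rather than copying the vector a
// second time as the original `grants(g)` did.
explicit MonCap(std::vector<MonCapGrant> g) : grants(std::move(g)) {}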
130 string
get_str() const {
bool is_allow_all() const;
void set_allow_all();
// Parses a capability string into this object.  Returns false when `str`
// does not parse; `err`, when non-null, presumably receives the diagnostic
// (the implementation is out of line).  Do not use a MonCap whose parse()
// returned false as if it carried the requested grants.
bool parse(const std::string& str, ostream *err = nullptr);
139 * check if we are capable of something
141 * This method actually checks a description of a particular operation against
142 * what the capability has specified.
144 * @param daemon_type CEPH_ENTITY_TYPE_* for the service (MON or MGR)
145 * @param service service name
146 * @param command command id
147 * @param command_args
148 * @param op_may_read whether the operation may need to read
149 * @param op_may_write whether the operation may need to write
150 * @param op_may_exec whether the operation may exec
151 * @return true if the operation is allowed, false otherwise
153 bool is_capable(CephContext
*cct
,
156 const string
& service
,
157 const string
& command
, const map
<string
,string
>& command_args
,
158 bool op_may_read
, bool op_may_write
, bool op_may_exec
) const;
160 void encode(bufferlist
& bl
) const;
161 void decode(bufferlist::iterator
& bl
);
162 void dump(Formatter
*f
) const;
163 static void generate_test_instances(list
<MonCap
*>& ls
);
165 WRITE_CLASS_ENCODER(MonCap
)
// Stream output for a whole capability; the definition lives out of line.
ostream& operator<<(ostream& out, const MonCap& cap);