1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
3
4 #ifndef CEPH_MONCAP_H
5 #define CEPH_MONCAP_H
6
7 #include <ostream>
8 using std::ostream;
9
10 #include "include/types.h"
11 #include "common/entity_name.h"
12
13 class CephContext;
14
/// Permission bits of a monitor capability mask (wrapped by mon_rwxa_t below).
/// Bit 0 is not used by any of the named constants.
static const __u8 MON_CAP_R   = 1 << 1;   // read
static const __u8 MON_CAP_W   = 1 << 2;   // write
static const __u8 MON_CAP_X   = 1 << 3;   // execute
/// 'allow rwx': the three named bits and nothing else.
static const __u8 MON_CAP_ALL = MON_CAP_R | MON_CAP_W | MON_CAP_X;
/// 'allow *': every bit set.  Deliberately distinct from MON_CAP_ALL —
/// MonCapGrant::is_allow_all() recognizes only this value, so an 'allow rwx'
/// grant is not treated as a blanket allow.
static const __u8 MON_CAP_ANY = 0xff;
20
/**
 * Capability mask for a monitor grant.
 *
 * Thin wrapper over the raw __u8 bit set built from the MON_CAP_* constants.
 * It converts implicitly to and from __u8, so it behaves like a plain
 * integer in comparisons and bitwise expressions; the wrapper mainly exists
 * so the mask can have its own operator<< for printing.
 *
 * NOTE(review): because both conversions are implicit, any integer value can
 * silently become a capability mask.  Build masks only from the MON_CAP_*
 * constants.
 */
struct mon_rwxa_t {
  __u8 val;

  // cppcheck-suppress noExplicitConstructor
  mon_rwxa_t(__u8 bits = 0) : val(bits) {}

  mon_rwxa_t& operator=(__u8 bits) {
    val = bits;
    return *this;
  }

  operator __u8() const { return val; }
};
34
35 ostream& operator<<(ostream& out, const mon_rwxa_t& p);
36
/**
 * Constraint on one argument of a command grant, i.e. the
 * "arg=val" or "arg prefix val" part of
 * 'allow command bar with arg1=val1 arg2 prefix val2' (see MonCapGrant).
 *
 * - value:  exact string the argument must equal ("arg=val")
 * - prefix: string the argument must start with ("arg prefix val")
 *
 * Which field is consulted when both are non-empty is decided by the
 * matching code, not by this header.
 */
struct StringConstraint {
  string value;
  string prefix;

  StringConstraint() = default;
  StringConstraint(string exact, string starts_with)
    : value(std::move(exact)),
      prefix(std::move(starts_with)) {}
};
45
46 ostream& operator<<(ostream& out, const StringConstraint& c);
47
/**
 * One 'allow ...' clause of a monitor capability string.
 *
 * A grant takes one of four shapes, distinguished by which fields are set:
 *
 *  - blanket:  'allow rw', 'allow *'
 *      service/profile/command all empty; 'allow' holds the r/w/x mask and is
 *      checked against whatever flags the mon code asks for.  What "x" means
 *      is service-specific and somewhat ad hoc.
 *
 *  - service:  'allow service mds rw'
 *      'service' names the target; 'allow' holds the r/w/x mask.
 *
 *  - profile:  'allow profile osd'
 *      'profile' names a bundle of permissions the monitor defines for a kind
 *      of client ('osd', 'mds', 'bootstrap-osd', ...).  It is expanded on
 *      demand into ordinary grants; see profile_grants.
 *
 *  - command:  'allow command foo',
 *              'allow command bar with arg1=val1 arg2 prefix val2'
 *      'command' is the command prefix and 'command_args' constrains its
 *      arguments.  With no constraints any arguments are accepted; each
 *      listed constraint requires that argument to be present and to equal
 *      the value (or start with the prefix).
 */
struct MonCapGrant {
  std::string service;
  std::string profile;
  std::string command;
  map<std::string,StringConstraint> command_args;

  mon_rwxa_t allow;

  // Lazily computed expansion of a profile grant into concrete grants.  It is
  // a cache filled by expand_profile() (reached through is_match()), hence
  // 'mutable' so a const grant can still memoize it.
  mutable list<MonCapGrant> profile_grants;

  void expand_profile(int daemon_type, const EntityName& name) const;
  void expand_profile_mon(const EntityName& name) const;
  void expand_profile_mgr(const EntityName& name) const;

  /// Empty grant: no service, profile or command and a zero mask.
  MonCapGrant() : allow(0) {}
  /// Blanket grant with the given r/w/x mask.
  // cppcheck-suppress noExplicitConstructor
  MonCapGrant(mon_rwxa_t mask) : allow(mask) {}
  /// Service grant: 'allow service <svc> <mask>'.
  MonCapGrant(string svc, mon_rwxa_t mask)
    : service(std::move(svc)), allow(mask) {}
  /// Command grant with no argument constraints.
  // cppcheck-suppress noExplicitConstructor
  MonCapGrant(string cmd) : command(std::move(cmd)) {}
  /// Command grant constrained on a single argument.
  MonCapGrant(string cmd, string arg, StringConstraint constraint)
    : command(std::move(cmd)) {
    command_args.emplace(std::move(arg), std::move(constraint));
  }

  /**
   * Compute which r/w/x bits this grant permits for a request.
   *
   * @param cct          context
   * @param daemon_type  CEPH_ENTITY_TYPE_* of the daemon evaluating the cap
   * @param name         entity making the request
   * @param service      service being addressed, if any
   * @param command      command being invoked, if any
   * @param command_args arguments of that command, if any
   * @return the bits this grant allows for the request
   */
  mon_rwxa_t get_allowed(CephContext *cct,
                         int daemon_type,
                         EntityName name,
                         const std::string& service,
                         const std::string& command,
                         const map<string,string>& command_args) const;

  /**
   * True only for the literal 'allow *' grant: the mask must be MON_CAP_ANY
   * (not merely MON_CAP_ALL, i.e. 'allow rwx') and no service, profile or
   * command may be set.
   */
  bool is_allow_all() const {
    if (allow != MON_CAP_ANY)
      return false;
    return service.empty() && profile.empty() && command.empty();
  }
};
120
121 ostream& operator<<(ostream& out, const MonCapGrant& g);
122
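/**
 * A parsed monitor capability: the original cap string plus the ordered list
 * of grants it expands to.
 *
 * is_capable() is the query callers use to authorize an operation; the
 * per-grant matching lives in MonCapGrant::get_allowed() and the .cc file.
 */
struct MonCap {
  string text;
  std::vector<MonCapGrant> grants;

  MonCap() {}
  // Build directly from grants.  The by-value vector is moved, not copied.
  // 'text' is left empty here, so get_str() on a MonCap built this way
  // returns "" rather than a reconstructed cap string.
  explicit MonCap(std::vector<MonCapGrant> g) : grants(std::move(g)) {}

  /// The capability string as stored in 'text' (empty if never set by parse()).
  string get_str() const {
    return text;
  }

  /// Whether this cap amounts to a blanket 'allow *'; see the implementation
  /// for how the grants are combined.
  bool is_allow_all() const;
  /// Turn this cap into a blanket 'allow *'.
  void set_allow_all();
  /**
   * Parse a capability string (e.g. "allow service mds rw") into grants.
   *
   * @param str  the capability string
   * @param err  optional stream that receives a parse error description
   * @return true on success, false if the string did not parse
   */
  bool parse(const std::string& str, ostream *err=nullptr);

  /**
   * Decide whether this capability permits an operation.
   *
   * The operation is described by the service/command it addresses and by
   * which of read/write/exec it needs; the grants are evaluated against that
   * description.
   *
   * @param cct          context
   * @param daemon_type  CEPH_ENTITY_TYPE_* of the evaluating daemon (MON or MGR)
   * @param name         entity performing the operation
   * @param service      service name
   * @param command      command id
   * @param command_args arguments of the command
   * @param op_may_read  whether the operation may need to read
   * @param op_may_write whether the operation may need to write
   * @param op_may_exec  whether the operation may exec
   * @return true if the operation is allowed, false otherwise
   */
  bool is_capable(CephContext *cct,
                  int daemon_type,
                  EntityName name,
                  const string& service,
                  const string& command, const map<string,string>& command_args,
                  bool op_may_read, bool op_may_write, bool op_may_exec) const;

  void encode(bufferlist& bl) const;
  void decode(bufferlist::iterator& bl);
  void dump(Formatter *f) const;
  static void generate_test_instances(list<MonCap*>& ls);
};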
165 WRITE_CLASS_ENCODER(MonCap)
166
167 ostream& operator<<(ostream& out, const MonCap& cap);
168
169 #endif