]> git.proxmox.com Git - ceph.git/blob - ceph/src/osd/OSDCap.cc
projects / ceph.git / blob
? search:


d5339a059367081504be031afd0b0a3b3ece567f
[ceph.git] / ceph / src / osd / OSDCap.cc
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
3 /*
4 * Ceph - scalable distributed file system
5 *
6 * Copyright (C) 2009-2011 New Dream Network
7 *
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
12 *
13 */
14
15 #include <boost/config/warning_disable.hpp>
16 #include <boost/spirit/include/qi.hpp>
17 #include <boost/spirit/include/phoenix_operator.hpp>
18 #include <boost/spirit/include/phoenix.hpp>
19 #include <boost/algorithm/string/predicate.hpp>
20
21 #include "OSDCap.h"
22 #include "common/config.h"
23 #include "common/debug.h"
24 #include "include/ipaddr.h"
25
26 using std::ostream;
27 using std::vector;
28
29 ostream& operator<<(ostream& out, const osd_rwxa_t& p)
30 {
31 if (p == OSD_CAP_ANY)
32 return out << "*";
33
34 if (p & OSD_CAP_R)
35 out << "r";
36 if (p & OSD_CAP_W)
37 out << "w";
38 if ((p & OSD_CAP_X) == OSD_CAP_X) {
39 out << "x";
40 } else {
41 if (p & OSD_CAP_CLS_R)
42 out << " class-read";
43 if (p & OSD_CAP_CLS_W)
44 out << " class-write";
45 }
46 return out;
47 }
48
49 ostream& operator<<(ostream& out, const OSDCapSpec& s)
50 {
51 if (s.allow)
52 return out << s.allow;
53 if (s.class_name.length()) {
54 out << "class '" << s.class_name << "'";
55 if (!s.method_name.empty()) {
56 out << " '" << s.method_name << "'";
57 }
58 }
59 return out;
60 }
61
62 ostream& operator<<(ostream& out, const OSDCapPoolNamespace& pns)
63 {
64 if (!pns.pool_name.empty()) {
65 out << "pool " << pns.pool_name << " ";
66 }
67 if (pns.nspace) {
68 out << "namespace ";
69 if (pns.nspace->empty()) {
70 out << "\"\"";
71 } else {
72 out << *pns.nspace;
73 }
74 out << " ";
75 }
76 return out;
77 }
78
79 ostream& operator<<(ostream &out, const OSDCapPoolTag &pt)
80 {
81 out << "app " << pt.application << " key " << pt.key << " val " << pt.value
82 << " ";
83 return out;
84 }
85
86 ostream& operator<<(ostream& out, const OSDCapMatch& m)
87 {
88 if (!m.pool_namespace.pool_name.empty() || m.pool_namespace.nspace) {
89 out << m.pool_namespace;
90 }
91
92 if (!m.pool_tag.application.empty()) {
93 out << m.pool_tag;
94 }
95
96 if (m.object_prefix.length()) {
97 out << "object_prefix " << m.object_prefix << " ";
98 }
99 return out;
100 }
101
102 ostream& operator<<(ostream& out, const OSDCapProfile& m)
103 {
104 out << "profile " << m.name;
105 out << m.pool_namespace;
106 return out;
107 }
108
109 bool OSDCapPoolNamespace::is_match(const std::string& pn,
110 const std::string& ns) const
111 {
112 if (!pool_name.empty()) {
113 if (pool_name != pn) {
114 return false;
115 }
116 }
117 if (nspace) {
118 if (!nspace->empty() && nspace->back() == '*' &&
119 boost::starts_with(ns, nspace->substr(0, nspace->length() - 1))) {
120 return true;
121 }
122
123 if (*nspace != ns) {
124 return false;
125 }
126 }
127 return true;
128 }
129
130 bool OSDCapPoolNamespace::is_match_all() const
131 {
132 if (!pool_name.empty())
133 return false;
134 if (nspace)
135 return false;
136 return true;
137 }
138
139 bool OSDCapPoolTag::is_match(const app_map_t& app_map) const
140 {
141 if (application.empty()) {
142 return true;
143 }
144 auto kv_map = app_map.find(application);
145 if (kv_map == app_map.end()) {
146 return false;
147 }
148 if (!key.compare("*") && !value.compare("*")) {
149 return true;
150 }
151 if (!key.compare("*")) {
152 for (auto it : kv_map->second) {
153 if (it.second == value) {
154 return true;
155 }
156 }
157 return false;
158 }
159 auto kv_val = kv_map->second.find(key);
160 if (kv_val == kv_map->second.end()) {
161 return false;
162 }
163 if (!value.compare("*")) {
164 return true;
165 }
166 return kv_val->second == value;
167 }
168
169 bool OSDCapPoolTag::is_match_all() const {
170 return application.empty();
171 }
172
173 bool OSDCapMatch::is_match(const string& pn, const string& ns,
174 const OSDCapPoolTag::app_map_t& app_map,
175 const string& object) const
176 {
177 if (!pool_namespace.is_match(pn, ns)) {
178 return false;
179 } else if (!pool_tag.is_match(app_map)) {
180 return false;
181 }
182
183 if (object_prefix.length()) {
184 if (object.find(object_prefix) != 0)
185 return false;
186 }
187 return true;
188 }
189
190 bool OSDCapMatch::is_match_all() const
191 {
192 if (!pool_namespace.is_match_all()) {
193 return false;
194 } else if (!pool_tag.is_match_all()) {
195 return false;
196 }
197
198 if (object_prefix.length()) {
199 return false;
200 }
201 return true;
202 }
203
204 ostream& operator<<(ostream& out, const OSDCapGrant& g)
205 {
206 out << "grant(";
207 if (g.profile.is_valid()) {
208 out << g.profile << " [";
209 for (auto it = g.profile_grants.cbegin();
210 it != g.profile_grants.cend(); ++it) {
211 if (it != g.profile_grants.cbegin()) {
212 out << ",";
213 }
214 out << *it;
215 }
216 out << "]";
217 } else {
218 out << g.match << g.spec;
219 }
220 if (g.network.size()) {
221 out << " network " << g.network;
222 }
223 out << ")";
224 return out;
225 }
226
227 void OSDCapGrant::set_network(const string& n)
228 {
229 network = n;
230 network_valid = ::parse_network(n.c_str(), &network_parsed, &network_prefix);
231 }
232
233 bool OSDCapGrant::allow_all() const
234 {
235 if (profile.is_valid()) {
236 return std::any_of(profile_grants.cbegin(), profile_grants.cend(),
237 [](const OSDCapGrant& grant) {
238 return grant.allow_all();
239 });
240 }
241
242 return (match.is_match_all() && spec.allow_all());
243 }
244
245 bool OSDCapGrant::is_capable(
246 const string& pool_name,
247 const string& ns,
248 const OSDCapPoolTag::app_map_t& application_metadata,
249 const string& object,
250 bool op_may_read,
251 bool op_may_write,
252 const std::vector<OpInfo::ClassInfo>& classes,
253 const entity_addr_t& addr,
254 std::vector<bool>* class_allowed) const
255 {
256 osd_rwxa_t allow = 0;
257
258 if (network.size() &&
259 (!network_valid ||
260 !network_contains(network_parsed,
261 network_prefix,
262 addr))) {
263 return false;
264 }
265
266 if (profile.is_valid()) {
267 return std::any_of(profile_grants.cbegin(), profile_grants.cend(),
268 [&](const OSDCapGrant& grant) {
269 return grant.is_capable(pool_name, ns,
270 application_metadata,
271 object, op_may_read,
272 op_may_write, classes, addr,
273 class_allowed);
274 });
275 } else {
276 if (match.is_match(pool_name, ns, application_metadata, object)) {
277 allow = allow | spec.allow;
278 if ((op_may_read && !(allow & OSD_CAP_R)) ||
279 (op_may_write && !(allow & OSD_CAP_W))) {
280 return false;
281 }
282 if (!classes.empty()) {
283 // check 'allow *'
284 if (spec.allow_all()) {
285 return true;
286 }
287
288 // compare this grant to each class in the operation
289 for (size_t i = 0; i < classes.size(); ++i) {
290 // check 'allow class foo [method_name]'
291 if (!spec.class_name.empty() &&
292 classes[i].class_name == spec.class_name &&
293 (spec.method_name.empty() ||
294 classes[i].method_name == spec.method_name)) {
295 (*class_allowed)[i] = true;
296 continue;
297 }
298 // check 'allow x | class-{rw}': must be on whitelist
299 if (!classes[i].whitelisted) {
300 continue;
301 }
302 if ((classes[i].read && !(allow & OSD_CAP_CLS_R)) ||
303 (classes[i].write && !(allow & OSD_CAP_CLS_W))) {
304 continue;
305 }
306 (*class_allowed)[i] = true;
307 }
308 if (!std::all_of(class_allowed->cbegin(), class_allowed->cend(),
309 [](bool v) { return v; })) {
310 return false;
311 }
312 }
313 return true;
314 }
315 }
316 return false;
317 }
318
319 void OSDCapGrant::expand_profile()
320 {
321 if (profile.name == "read-only") {
322 // grants READ-ONLY caps to the OSD
323 profile_grants.emplace_back(OSDCapMatch(profile.pool_namespace),
324 OSDCapSpec(osd_rwxa_t(OSD_CAP_R)));
325 return;
326 }
327 if (profile.name == "read-write") {
328 // grants READ-WRITE caps to the OSD
329 profile_grants.emplace_back(OSDCapMatch(profile.pool_namespace),
330 OSDCapSpec(osd_rwxa_t(OSD_CAP_R | OSD_CAP_W)));
331 }
332
333 if (profile.name == "rbd") {
334 // RBD read-write grant
335 profile_grants.emplace_back(OSDCapMatch(string(), "rbd_info"),
336 OSDCapSpec(osd_rwxa_t(OSD_CAP_R)));
337 profile_grants.emplace_back(OSDCapMatch(string(), "rbd_children"),
338 OSDCapSpec(osd_rwxa_t(OSD_CAP_CLS_R)));
339 profile_grants.emplace_back(OSDCapMatch(string(), "rbd_mirroring"),
340 OSDCapSpec(osd_rwxa_t(OSD_CAP_CLS_R)));
341 profile_grants.emplace_back(OSDCapMatch(profile.pool_namespace.pool_name),
342 OSDCapSpec("rbd", "metadata_list"));
343 profile_grants.emplace_back(OSDCapMatch(profile.pool_namespace),
344 OSDCapSpec(osd_rwxa_t(OSD_CAP_R |
345 OSD_CAP_W |
346 OSD_CAP_X)));
347 }
348 if (profile.name == "rbd-read-only") {
349 // RBD read-only grant
350 profile_grants.emplace_back(OSDCapMatch(profile.pool_namespace),
351 OSDCapSpec(osd_rwxa_t(OSD_CAP_R |
352 OSD_CAP_CLS_R)));
353 profile_grants.emplace_back(OSDCapMatch(profile.pool_namespace,
354 "rbd_header."),
355 OSDCapSpec("rbd", "child_attach"));
356 profile_grants.emplace_back(OSDCapMatch(profile.pool_namespace,
357 "rbd_header."),
358 OSDCapSpec("rbd", "child_detach"));
359 }
360 }
361
362 bool OSDCap::allow_all() const
363 {
364 for (auto &grant : grants) {
365 if (grant.allow_all()) {
366 return true;
367 }
368 }
369 return false;
370 }
371
372 void OSDCap::set_allow_all()
373 {
374 grants.clear();
375 grants.push_back(OSDCapGrant(OSDCapMatch(), OSDCapSpec(OSD_CAP_ANY)));
376 }
377
378 bool OSDCap::is_capable(const string& pool_name, const string& ns,
379 const OSDCapPoolTag::app_map_t& application_metadata,
380 const string& object,
381 bool op_may_read, bool op_may_write,
382 const std::vector<OpInfo::ClassInfo>& classes,
383 const entity_addr_t& addr) const
384 {
385 std::vector<bool> class_allowed(classes.size(), false);
386 for (auto &grant : grants) {
387 if (grant.is_capable(pool_name, ns, application_metadata,
388 object, op_may_read, op_may_write, classes, addr,
389 &class_allowed)) {
390 return true;
391 }
392 }
393 return false;
394 }
395
396
397 // grammar
398 namespace qi = boost::spirit::qi;
399 namespace ascii = boost::spirit::ascii;
400 namespace phoenix = boost::phoenix;
401
402 template <typename Iterator>
403 struct OSDCapParser : qi::grammar<Iterator, OSDCap()>
404 {
405 OSDCapParser() : OSDCapParser::base_type(osdcap)
406 {
407 using qi::char_;
408 using qi::int_;
409 using qi::lexeme;
410 using qi::alnum;
411 using qi::_val;
412 using qi::_1;
413 using qi::_2;
414 using qi::_3;
415 using qi::eps;
416 using qi::lit;
417
418 quoted_string %=
419 lexeme['"' >> +(char_ - '"') >> '"'] |
420 lexeme['\'' >> +(char_ - '\'') >> '\''];
421 equoted_string %=
422 lexeme['"' >> *(char_ - '"') >> '"'] |
423 lexeme['\'' >> *(char_ - '\'') >> '\''];
424 unquoted_word %= +char_("a-zA-Z0-9_./-");
425 str %= quoted_string | unquoted_word;
426 estr %= equoted_string | unquoted_word;
427 network_str %= +char_("/.:a-fA-F0-9][");
428
429 spaces = +ascii::space;
430
431 wildcard = (lit('*') | lit("all")) [_val = "*"];
432
433 pool_name %= -(spaces >> lit("pool") >> (lit('=') | spaces) >> str);
434 nspace %= (spaces >> lit("namespace")
435 >> (lit('=') | spaces)
436 >> estr >> -char_('*'));
437
438 // match := [pool[=]<poolname> [namespace[=]<namespace>]] [object_prefix <prefix>]
439 object_prefix %= -(spaces >> lit("object_prefix") >> spaces >> str);
440 pooltag %= (spaces >> lit("tag")
441 >> spaces >> str // application
442 >> spaces >> (wildcard | str) // key
443 >> -spaces >> lit('=') >> -spaces >> (wildcard | str)); // value
444
445 match = (
446 pooltag [_val = phoenix::construct<OSDCapMatch>(_1)] |
447 (nspace >> pooltag) [_val = phoenix::construct<OSDCapMatch>(_1, _2)] |
448 (pool_name >> nspace >> object_prefix) [_val = phoenix::construct<OSDCapMatch>(_1, _2, _3)] |
449 (pool_name >> object_prefix) [_val = phoenix::construct<OSDCapMatch>(_1, _2)]
450 );
451
452 // rwxa := * | [r][w][x] [class-read] [class-write]
453 rwxa =
454 (spaces >> wildcard[_val = OSD_CAP_ANY]) |
455 ( eps[_val = 0] >>
456 (
457 spaces >>
458 ( lit('r')[_val |= OSD_CAP_R] ||
459 lit('w')[_val |= OSD_CAP_W] ||
460 lit('x')[_val |= OSD_CAP_X] )) ||
461 ( (spaces >> lit("class-read")[_val |= OSD_CAP_CLS_R]) ||
462 (spaces >> lit("class-write")[_val |= OSD_CAP_CLS_W]) ));
463
464 // capspec := * | rwx | class <name> [<method name>]
465 class_name %= (spaces >> lit("class") >> spaces >> str);
466 method_name %= -(spaces >> str);
467 capspec = (
468 (rwxa) [_val = phoenix::construct<OSDCapSpec>(_1)] |
469 (class_name >> method_name) [_val = phoenix::construct<OSDCapSpec>(_1, _2)]);
470
471 // profile := profile <name> [pool[=]<pool> [namespace[=]<namespace>]]
472 profile_name %= (lit("profile") >> (lit('=') | spaces) >> str);
473 profile = (
474 (profile_name >> pool_name >> nspace) [_val = phoenix::construct<OSDCapProfile>(_1, _2, _3)] |
475 (profile_name >> pool_name) [_val = phoenix::construct<OSDCapProfile>(_1, _2)]);
476
477 // grant := allow match capspec
478 grant = (*ascii::blank >>
479 ((lit("allow") >> capspec >> match >>
480 -(spaces >> lit("network") >> spaces >> network_str))
481 [_val = phoenix::construct<OSDCapGrant>(_2, _1, _3)] |
482 (lit("allow") >> match >> capspec >>
483 -(spaces >> lit("network") >> spaces >> network_str))
484 [_val = phoenix::construct<OSDCapGrant>(_1, _2, _3)] |
485 (profile >> -(spaces >> lit("network") >> spaces >> network_str))
486 [_val = phoenix::construct<OSDCapGrant>(_1, _2)]
487 ) >> *ascii::blank);
488 // osdcap := grant [grant ...]
489 grants %= (grant % (lit(';') | lit(',')));
490 osdcap = grants [_val = phoenix::construct<OSDCap>(_1)];
491 }
492 qi::rule<Iterator> spaces;
493 qi::rule<Iterator, unsigned()> rwxa;
494 qi::rule<Iterator, string()> quoted_string, equoted_string;
495 qi::rule<Iterator, string()> unquoted_word;
496 qi::rule<Iterator, string()> str, estr, network_str;
497 qi::rule<Iterator, string()> wildcard;
498 qi::rule<Iterator, string()> class_name;
499 qi::rule<Iterator, string()> method_name;
500 qi::rule<Iterator, OSDCapSpec()> capspec;
501 qi::rule<Iterator, string()> pool_name;
502 qi::rule<Iterator, string()> nspace;
503 qi::rule<Iterator, string()> object_prefix;
504 qi::rule<Iterator, OSDCapPoolTag()> pooltag;
505 qi::rule<Iterator, OSDCapMatch()> match;
506 qi::rule<Iterator, string()> profile_name;
507 qi::rule<Iterator, OSDCapProfile()> profile;
508 qi::rule<Iterator, OSDCapGrant()> grant;
509 qi::rule<Iterator, std::vector<OSDCapGrant>()> grants;
510 qi::rule<Iterator, OSDCap()> osdcap;
511 };
512
513 bool OSDCap::parse(const string& str, ostream *err)
514 {
515 OSDCapParser<string::const_iterator> g;
516 string::const_iterator iter = str.begin();
517 string::const_iterator end = str.end();
518
519 bool r = qi::phrase_parse(iter, end, g, ascii::space, *this);
520 if (r && iter == end)
521 return true;
522
523 // Make sure no grants are kept after parsing failed!
524 grants.clear();
525
526 if (err)
527 *err << "osd capability parse failed, stopped at '" << std::string(iter, end)
528 << "' of '" << str << "'";
529
530 return false;
531 }
Ceph