ceph/src/osd/OSDCap.h

   1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
   2 // vim: ts=8 sw=2 smarttab
   3 /*
   4  * Ceph - scalable distributed file system
   5  *
   6  * Copyright (C) 2004-2006 Sage Weil <sage@newdream.net>
   7  *
   8  * This is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU Lesser General Public
  10  * License version 2.1, as published by the Free Software
  11  * Foundation.  See file COPYING.
  12  *
  13  * OSDCaps: Hold the capabilities associated with a single authenticated
  14  * user key. These are specified by text strings of the form
  15  * "allow r" (which allows reading anything on the OSD)
  16  * "allow rwx auid foo" (which allows full access to listed auids)
  17  *  "allow rwx pool foo" (which allows full access to listed pools)
  18  * "allow *" (which allows full access to EVERYTHING)
  19  *
  20  * The full grammar is documented in the parser in OSDCap.cc.
  21  *
  22  * The OSD assumes that anyone with * caps is an admin and has full
  23  * message permissions. This means that only the monitor and the OSDs
  24  * should get *
  25  */
  26
  27 #ifndef CEPH_OSDCAP_H
  28 #define CEPH_OSDCAP_H
  29
  30 #include <ostream>
  31 using std::ostream;
  32
  33 #include "include/types.h"
  34 #include "OpRequest.h"
  35
  36 static const __u8 OSD_CAP_R     = (1 << 1);      // read
  37 static const __u8 OSD_CAP_W     = (1 << 2);      // write
  38 static const __u8 OSD_CAP_CLS_R = (1 << 3);      // class read
  39 static const __u8 OSD_CAP_CLS_W = (1 << 4);      // class write
  40 static const __u8 OSD_CAP_X     = (OSD_CAP_CLS_R | OSD_CAP_CLS_W); // execute
  41 static const __u8 OSD_CAP_ANY   = 0xff;          // *
  42
  43 struct osd_rwxa_t {
  44   __u8 val;
  45
  46   // cppcheck-suppress noExplicitConstructor
  47   osd_rwxa_t(__u8 v = 0) : val(v) {}
  48   osd_rwxa_t& operator=(__u8 v) {
  49     val = v;
  50     return *this;
  51   }
  52   operator __u8() const {
  53     return val;
  54   }
  55 };
  56
  57 ostream& operator<<(ostream& out, osd_rwxa_t p);
  58
  59 struct OSDCapSpec {
  60   osd_rwxa_t allow;
  61   std::string class_name;
  62   std::string class_allow;
  63
  64   OSDCapSpec() : allow(0) {}
  65   explicit OSDCapSpec(osd_rwxa_t v) : allow(v) {}
  66   explicit OSDCapSpec(std::string n) : allow(0), class_name(std::move(n)) {}
  67   OSDCapSpec(std::string n, std::string a) :
  68     allow(0), class_name(std::move(n)), class_allow(std::move(a)) {}
  69
  70   bool allow_all() const {
  71     return allow == OSD_CAP_ANY;
  72   }
  73 };
  74
  75 ostream& operator<<(ostream& out, const OSDCapSpec& s);
  76
  77
  78 struct OSDCapMatch {
  79   // auid and pool_name/nspace are mutually exclusive
  80   int64_t auid;
  81   std::string pool_name;
  82   bool is_nspace;      // true if nspace is defined; false if not constrained.
  83   std::string nspace;
  84
  85   std::string object_prefix;
  86
  87   OSDCapMatch() : auid(CEPH_AUTH_UID_DEFAULT), is_nspace(false) {}
  88   OSDCapMatch(std::string pl, std::string pre) :
  89         auid(CEPH_AUTH_UID_DEFAULT), pool_name(pl), is_nspace(false), object_prefix(pre) {}
  90   OSDCapMatch(std::string pl, std::string ns, std::string pre) :
  91         auid(CEPH_AUTH_UID_DEFAULT), pool_name(pl), is_nspace(true), nspace(ns), object_prefix(pre) {}
  92   OSDCapMatch(uint64_t auid, std::string pre) : auid(auid), is_nspace(false), object_prefix(pre) {}
  93
  94   /**
  95    * check if given request parameters match our constraints
  96    *
  97    * @param pool_name pool name
  98    * @param nspace_name namespace name
  99    * @param pool_auid pool's auid
 100    * @param object object name
 101    * @return true if we match, false otherwise
 102    */
 103   bool is_match(const std::string& pool_name, const std::string& nspace_name, int64_t pool_auid, const std::string& object) const;
 104   bool is_match_all() const;
 105 };
 106
 107 ostream& operator<<(ostream& out, const OSDCapMatch& m);
 108
 109
 110 struct OSDCapGrant {
 111   OSDCapMatch match;
 112   OSDCapSpec spec;
 113
 114   OSDCapGrant() {}
 115   OSDCapGrant(OSDCapMatch m, OSDCapSpec s) : match(m), spec(s) {}
 116 };
 117
 118 ostream& operator<<(ostream& out, const OSDCapGrant& g);
 119
 120
 121 struct OSDCap {
 122   std::vector<OSDCapGrant> grants;
 123
 124   OSDCap() {}
 125   explicit OSDCap(std::vector<OSDCapGrant> g) : grants(std::move(g)) {}
 126
 127   bool allow_all() const;
 128   void set_allow_all();
 129   bool parse(const std::string& str, ostream *err=NULL);
 130
 131   /**
 132    * check if we are capable of something
 133    *
 134    * This method actually checks a description of a particular operation against
 135    * what the capability has specified.  Currently that is just rwx with matches
 136    * against pool, pool auid, and object name prefix.
 137    *
 138    * @param pool_name name of the pool we are accessing
 139    * @param ns name of the namespace we are accessing
 140    * @param pool_auid owner of the pool we are accessing
 141    * @param object name of the object we are accessing
 142    * @param op_may_read whether the operation may need to read
 143    * @param op_may_write whether the operation may need to write
 144    * @param classes (class-name, rd, wr, whitelisted-flag) tuples
 145    * @return true if the operation is allowed, false otherwise
 146    */
 147   bool is_capable(const string& pool_name, const string& ns, int64_t pool_auid,
 148                   const string& object, bool op_may_read, bool op_may_write,
 149                   const std::vector<OpRequest::ClassInfo>& classes) const;
 150 };
 151
 152 static inline ostream& operator<<(ostream& out, const OSDCap& cap)
 153 {
 154   return out << "osdcap" << cap.grants;
 155 }
 156
 157 #endif