]>
git.proxmox.com Git - ceph.git/blob - ceph/src/osd/OSDCap.h
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2004-2006 Sage Weil <sage@newdream.net>
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
13 * OSDCaps: Hold the capabilities associated with a single authenticated
14 * user key. These are specified by text strings of the form
15 * "allow r" (which allows reading anything on the OSD)
16 * "allow rwx auid foo" (which allows full access to listed auids)
17 * "allow rwx pool foo" (which allows full access to listed pools)
18 * "allow *" (which allows full access to EVERYTHING)
20 * The full grammar is documented in the parser in OSDCap.cc.
22 * The OSD assumes that anyone with * caps is an admin and has full
23 * message permissions. This means that only the monitor and the OSDs
33 #include "include/types.h"
34 #include "OpRequest.h"
36 static const __u8 OSD_CAP_R
= (1 << 1); // read
37 static const __u8 OSD_CAP_W
= (1 << 2); // write
38 static const __u8 OSD_CAP_CLS_R
= (1 << 3); // class read
39 static const __u8 OSD_CAP_CLS_W
= (1 << 4); // class write
40 static const __u8 OSD_CAP_X
= (OSD_CAP_CLS_R
| OSD_CAP_CLS_W
); // execute
41 static const __u8 OSD_CAP_ANY
= 0xff; // *
46 // cppcheck-suppress noExplicitConstructor
47 osd_rwxa_t(__u8 v
= 0) : val(v
) {}
48 osd_rwxa_t
& operator=(__u8 v
) {
52 operator __u8() const {
57 ostream
& operator<<(ostream
& out
, const osd_rwxa_t
& p
);
61 std::string class_name
;
62 std::string class_allow
;
64 OSDCapSpec() : allow(0) {}
65 explicit OSDCapSpec(osd_rwxa_t v
) : allow(v
) {}
66 explicit OSDCapSpec(std::string n
) : allow(0), class_name(std::move(n
)) {}
67 OSDCapSpec(std::string n
, std::string a
) :
68 allow(0), class_name(std::move(n
)), class_allow(std::move(a
)) {}
70 bool allow_all() const {
71 return allow
== OSD_CAP_ANY
;
75 ostream
& operator<<(ostream
& out
, const OSDCapSpec
& s
);
79 // auid and pool_name/nspace are mutually exclusive
81 std::string pool_name
;
82 bool is_nspace
; // true if nspace is defined; false if not constrained.
85 std::string object_prefix
;
87 OSDCapMatch() : auid(CEPH_AUTH_UID_DEFAULT
), is_nspace(false) {}
88 OSDCapMatch(std::string pl
, std::string pre
) :
89 auid(CEPH_AUTH_UID_DEFAULT
), pool_name(pl
), is_nspace(false), object_prefix(pre
) {}
90 OSDCapMatch(std::string pl
, std::string ns
, std::string pre
) :
91 auid(CEPH_AUTH_UID_DEFAULT
), pool_name(pl
), is_nspace(true), nspace(ns
), object_prefix(pre
) {}
92 OSDCapMatch(uint64_t auid
, std::string pre
) : auid(auid
), is_nspace(false), object_prefix(pre
) {}
95 * check if given request parameters match our constraints
97 * @param pool_name pool name
98 * @param nspace_name namespace name
99 * @param pool_auid pool's auid
100 * @param object object name
101 * @return true if we match, false otherwise
103 bool is_match(const std::string
& pool_name
, const std::string
& nspace_name
, int64_t pool_auid
, const std::string
& object
) const;
104 bool is_match_all() const;
107 ostream
& operator<<(ostream
& out
, const OSDCapMatch
& m
);
115 OSDCapGrant(OSDCapMatch m
, OSDCapSpec s
) : match(m
), spec(s
) {}
118 ostream
& operator<<(ostream
& out
, const OSDCapGrant
& g
);
122 std::vector
<OSDCapGrant
> grants
;
125 explicit OSDCap(std::vector
<OSDCapGrant
> g
) : grants(std::move(g
)) {}
127 bool allow_all() const;
128 void set_allow_all();
129 bool parse(const std::string
& str
, ostream
*err
=NULL
);
132 * check if we are capable of something
134 * This method actually checks a description of a particular operation against
135 * what the capability has specified. Currently that is just rwx with matches
136 * against pool, pool auid, and object name prefix.
138 * @param pool_name name of the pool we are accessing
139 * @param ns name of the namespace we are accessing
140 * @param pool_auid owner of the pool we are accessing
141 * @param object name of the object we are accessing
142 * @param op_may_read whether the operation may need to read
143 * @param op_may_write whether the operation may need to write
144 * @param classes (class-name, rd, wr, whitelisted-flag) tuples
145 * @return true if the operation is allowed, false otherwise
147 bool is_capable(const string
& pool_name
, const string
& ns
, int64_t pool_auid
,
148 const string
& object
, bool op_may_read
, bool op_may_write
,
149 const std::vector
<OpRequest::ClassInfo
>& classes
) const;
152 static inline ostream
& operator<<(ostream
& out
, const OSDCap
& cap
)
154 return out
<< "osdcap" << cap
.grants
;