(std::string, command)
(kvmap, command_args)
(mon_rwxa_t, allow)
- (std::string, network))
+ (std::string, network)
+ (std::string, fs_name))
BOOST_FUSION_ADAPT_STRUCT(StringConstraint,
(StringConstraint::MatchType, match_type)
profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
profile_grants.push_back(MonCapGrant("pg", MON_CAP_R | MON_CAP_W));
profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
+ StringConstraint constraint(StringConstraint::MATCH_TYPE_REGEX,
+ string("osd_mclock_max_capacity_iops_(hdd|ssd)"));
+ profile_grants.push_back(MonCapGrant("config set", "name", constraint));
}
if (profile == "mds") {
profile_grants.push_back(MonCapGrant("mds", MON_CAP_ALL));
profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
// This command grant is checked explicitly in MRemoveSnaps handling
profile_grants.push_back(MonCapGrant("osd pool rmsnap"));
- profile_grants.push_back(MonCapGrant("osd blacklist"));
+ profile_grants.push_back(MonCapGrant("osd blocklist"));
+ profile_grants.push_back(MonCapGrant("osd blacklist")); // for compat
profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
}
if (profile == "mgr") {
profile_grants.push_back(MonCapGrant("mds", MON_CAP_R | MON_CAP_W));
profile_grants.push_back(MonCapGrant("fs", MON_CAP_R | MON_CAP_W));
profile_grants.push_back(MonCapGrant("osd", MON_CAP_R | MON_CAP_W));
- profile_grants.push_back(MonCapGrant("auth", MON_CAP_R | MON_CAP_X));
+ profile_grants.push_back(MonCapGrant("auth", MON_CAP_R | MON_CAP_W | MON_CAP_X));
profile_grants.push_back(MonCapGrant("config-key", MON_CAP_R | MON_CAP_W));
profile_grants.push_back(MonCapGrant("config", MON_CAP_R | MON_CAP_W));
// cephadm orchestrator provisions new daemon keys and updates caps
profile_grants.push_back(MonCapGrant("auth rm"));
// tell commands (this is a bit of a kludge)
profile_grants.push_back(MonCapGrant("smart"));
+ // allow the Telemetry module to gather heap and mempool metrics
+ profile_grants.push_back(MonCapGrant("heap"));
+ profile_grants.push_back(MonCapGrant("dump_mempools"));
}
if (profile == "osd" || profile == "mds" || profile == "mon" ||
profile == "mgr") {
profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
}
+ if (profile == "simple-rados-client-with-blocklist") {
+ profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
+ profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
+ profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
+ profile_grants.push_back(MonCapGrant("osd blocklist"));
+ profile_grants.back().command_args["blocklistop"] = StringConstraint(
+ StringConstraint::MATCH_TYPE_EQUAL, "add");
+ profile_grants.back().command_args["addr"] = StringConstraint(
+ StringConstraint::MATCH_TYPE_REGEX, "^[^/]+/[0-9]+$");
+
+ }
if (boost::starts_with(profile, "rbd")) {
profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
- // exclusive lock dead-client blacklisting (IP+nonce required)
+ // exclusive lock dead-client blocklisting (IP+nonce required)
+ profile_grants.push_back(MonCapGrant("osd blocklist"));
+ profile_grants.back().command_args["blocklistop"] = StringConstraint(
+ StringConstraint::MATCH_TYPE_EQUAL, "add");
+ profile_grants.back().command_args["addr"] = StringConstraint(
+ StringConstraint::MATCH_TYPE_REGEX, "^[^/]+/[0-9]+$");
+
+ // for compat,
profile_grants.push_back(MonCapGrant("osd blacklist"));
profile_grants.back().command_args["blacklistop"] = StringConstraint(
StringConstraint::MATCH_TYPE_EQUAL, "add");
// TODO: we could limit this to getting the monmap and mgrmap...
profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
}
+ if (profile == "cephfs-mirror") {
+ profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
+ profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
+ profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
+ profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
+ StringConstraint constraint(StringConstraint::MATCH_TYPE_PREFIX,
+ "cephfs/mirror/peer/");
+ profile_grants.push_back(MonCapGrant("config-key get", "key", constraint));
+
+ }
if (profile == "role-definer") {
// grants ALL caps to the auth subsystem, read-only on the
// monitor subsystem and nothing else.
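Review bot: The new osd-profile grant at the `config set` line constrains only the `name` argument, so the `who` target of the command is left open; if the monitor accepts a `who` of another daemon or a wildcard on this path, any OSD key could set the mclock capacity option for a peer or cluster-wide rather than for itself, so either a `who` constraint or a comment stating why the wider scope is intended belongs next to it. That regex is also written without `^`/`$` anchors, unlike the `^[^/]+/[0-9]+$` used for `addr` below; if the REGEX match type performs a full match the anchors are harmless, and if it performs a search the option name is under-constrained, so `string("^osd_mclock_max_capacity_iops_(hdd|ssd)$")` keeps the two grants consistent either way. The `osd blocklist` grant together with its `blocklistop`/`addr` constraints now appears twice (the simple-rados-client-with-blocklist block and the rbd block), and only the rbd copy keeps the `(IP+nonce required)` rationale; a small local helper that appends the grant, carrying that comment, would stop the two copies drifting. The stray blank `+` lines before the closing braces of the two new profile blocks are noise, and the enclosing function starts and ends outside the hunk.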
unquoted_word %= +char_("a-zA-Z0-9_./-");
str %= quoted_string | unquoted_word;
network_str %= +char_("/.:a-fA-F0-9][");
+ fs_name_str %= +char_("a-zA-Z0-9_.-");
spaces = +(lit(' ') | lit('\n') | lit('\t'));
>> qi::attr(string()) >> qi::attr(string()) >> qi::attr(string())
>> qi::attr(map<string,StringConstraint>())
>> rwxa
- >> -(spaces >> lit("network") >> spaces >> network_str);
+ >> -(spaces >> lit("network") >> spaces >> network_str)
+ >> -(spaces >> lit("fsname") >> (lit('=') | spaces) >> fs_name_str);
// rwxa := * | [r][w][x]
rwxa =
qi::rule<Iterator, string()> quoted_string;
qi::rule<Iterator, string()> unquoted_word;
qi::rule<Iterator, string()> str, network_str;
+ qi::rule<Iterator, string()> fs_name_str;
qi::rule<Iterator, StringConstraint()> str_match, str_prefix, str_regex;
qi::rule<Iterator, pair<string, StringConstraint>()> kv_pair;