#include <boost/spirit/include/phoenix.hpp>
#include <boost/fusion/adapted/struct/adapt_struct.hpp>
#include <boost/fusion/include/adapt_struct.hpp>
+#include <boost/algorithm/string/predicate.hpp>
#include "MonCap.h"
#include "include/stringify.h"
void MonCapGrant::expand_profile_mgr(const EntityName& name) const
{
+ if (profile == "crash") {
+ profile_grants.push_back(MonCapGrant("crash post"));
+ }
}
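Review bot: The new `crash` branch in `expand_profile_mgr` has no comment stating the intended scope of the profile, which makes the grant harder to audit later. Capability profiles are access policy, so a one-line comment above the `push_back` would help, for example `// crash profile: the only mgr command allowed is "crash post"`. The mon-side branch for the same profile carries a TODO about narrowing its grant, so recording the intended minimum here keeps the two in step.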
void MonCapGrant::expand_profile_mon(const EntityName& name) const
profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
}
- if (profile == "rbd" || profile == "rbd-mirror") {
+ if (boost::starts_with(profile, "rbd")) {
profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
StringConstraint constraint(StringConstraint::MATCH_TYPE_PREFIX,
"rbd/mirror/");
profile_grants.push_back(MonCapGrant("config-key get", "key", constraint));
- }
+ } else if (profile == "rbd-mirror-peer") {
+ StringConstraint constraint(StringConstraint::MATCH_TYPE_REGEX,
+ "rbd/mirror/[^/]+");
+ profile_grants.push_back(MonCapGrant("config-key get", "key", constraint));
+ constraint = StringConstraint(StringConstraint::MATCH_TYPE_PREFIX,
+ "rbd/mirror/peer/");
+ profile_grants.push_back(MonCapGrant("config-key set", "key", constraint));
+ }
+ else if (profile == "crash") {
+ // TODO: we could limit this to getting the monmap and mgrmap...
+ profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
+ }
if (profile == "role-definer") {
// grants ALL caps to the auth subsystem, read-only on the
// monitor subsystem and nothing else.
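Review bot: As the lines are shown here, the `else if (profile == "rbd-mirror-peer")` branch cannot run, because `boost::starts_with(profile, "rbd")` on the preceding `if` already matches that name. A peer would therefore get the broader `config-key get` prefix grant on `rbd/mirror/` and never the `config-key set` grant on `rbd/mirror/peer/`; this view may omit context lines between the two conditions, so please confirm against the full file. The prefix test also gives the mon/osd/pg read grants to any profile name beginning with `rbd`, not only the three named ones. I would match exact names for the shared read grants, `if (profile == "rbd" || profile == "rbd-mirror" || profile == "rbd-mirror-peer") {`, and keep the config-key grants in their own chain starting with `if (profile == "rbd" || profile == "rbd-mirror") {`. The `crash` branch would also read better as a standalone `if` than as an `else if` hanging off the rbd chain.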