1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
2 | // vim: ts=8 sw=2 smarttab | |
3 | /* | |
4 | * Ceph - scalable distributed file system | |
5 | * | |
6 | * Copyright (C) 2013 Inktank | |
7 | * | |
8 | * This is free software; you can redistribute it and/or | |
9 | * modify it under the terms of the GNU Lesser General Public | |
10 | * License version 2.1, as published by the Free Software | |
11 | * Foundation. See file COPYING. | |
12 | * | |
13 | */ | |
14 | ||
15 | #include <boost/config/warning_disable.hpp> | |
16 | #include <boost/spirit/include/qi_uint.hpp> | |
17 | #include <boost/spirit/include/qi.hpp> | |
18 | #include <boost/fusion/include/std_pair.hpp> | |
19 | #include <boost/spirit/include/phoenix.hpp> | |
20 | #include <boost/fusion/adapted/struct/adapt_struct.hpp> | |
21 | #include <boost/fusion/include/adapt_struct.hpp> | |
eafe8130 | 22 | #include <boost/algorithm/string/predicate.hpp> |
23 | |
24 | #include "MonCap.h" | |
25 | #include "include/stringify.h" | |
11fdf7f2 | 26 | #include "include/ipaddr.h" |
27 | #include "common/debug.h" |
28 | #include "common/Formatter.h" | |
29 | ||
30 | #include <algorithm> | |
11fdf7f2 | 31 | #include <regex> |
7c673cae | 32 | |
11fdf7f2 | 33 | #include "include/ceph_assert.h" |
c07f9fc5 | 34 | |
35 | using std::list; |
36 | using std::map; | |
37 | using std::ostream; | |
38 | using std::pair; | |
39 | using std::string; | |
40 | using std::vector; | |
41 | ||
42 | using ceph::bufferlist; | |
43 | using ceph::Formatter; | |
44 | ||
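/// Predicate used by maybe_quote_string(): true when `c` may NOT appear in a
/// bare (unquoted) cap token.  Despite the name, a space is also rejected:
/// only letters, digits, '-' and '_' pass.
static inline bool is_not_alnum_space(char c)
{
  // The <cctype> classifiers take an int in the range of unsigned char (or
  // EOF); handing them a negative plain `char` (any byte >= 0x80 on a
  // signed-char target) is undefined behaviour, so widen through unsigned
  // char first.
  const unsigned char uc = static_cast<unsigned char>(c);
  return !(isalpha(uc) || isdigit(uc) || (c == '-') || (c == '_'));
}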
49 | ||
/// Render `str` for the textual cap form: returned unchanged when every
/// character is a bare-token character (see is_not_alnum_space), otherwise
/// wrapped in double quotes.  No escaping is done, so a value that itself
/// contains '"' does not round-trip through MonCap::parse, whose quoted
/// strings cannot contain their own delimiter.
static std::string maybe_quote_string(const std::string& str)
{
  const bool needs_quotes =
    std::find_if(str.begin(), str.end(), is_not_alnum_space) != str.end();
  if (!needs_quotes)
    return str;
  return "\"" + str + "\"";
}
56 | ||
57 | #define dout_subsys ceph_subsys_mon |
58 | ||
/// Print a permission mask in cap syntax: "*" for MON_CAP_ANY, otherwise
/// whichever of "r", "w", "x" are set, in that order (nothing for 0).
ostream& operator<<(ostream& out, const mon_rwxa_t& p)
{
  if (p == MON_CAP_ANY)
    return out << "*";

  struct flag_glyph {
    unsigned bit;
    const char* glyph;
  };
  static const flag_glyph flags[] = {
    {MON_CAP_R, "r"},
    {MON_CAP_W, "w"},
    {MON_CAP_X, "x"},
  };
  for (const flag_glyph& f : flags) {
    if (p & f.bit)
      out << f.glyph;
  }
  return out;
}
72 | ||
/// Print a command-argument constraint as "<kind> <value>", where kind is
/// "value", "prefix" or "regex"; an unrecognised match_type prints nothing.
ostream& operator<<(ostream& out, const StringConstraint& c)
{
  const char* kind = nullptr;
  switch (c.match_type) {
  case StringConstraint::MATCH_TYPE_EQUAL:
    kind = "value ";
    break;
  case StringConstraint::MATCH_TYPE_PREFIX:
    kind = "prefix ";
    break;
  case StringConstraint::MATCH_TYPE_REGEX:
    kind = "regex ";
    break;
  default:
    break;
  }
  if (kind)
    out << kind << c.value;
  return out;
}
87 | ||
/// Print one grant in cap-string syntax:
///   allow [service S] [command C [with K=V | K prefix V | K regex V ...]]
///         [profile P] [rwx] [network N]
/// Tokens go through maybe_quote_string() so they are quoted only when
/// needed.  The fs_name member is not printed here.
ostream& operator<<(ostream& out, const MonCapGrant& m)
{
  out << "allow";
  if (!m.service.empty())
    out << " service " << maybe_quote_string(m.service);

  if (!m.command.empty()) {
    out << " command " << maybe_quote_string(m.command);
    if (!m.command_args.empty()) {
      out << " with";
      for (const auto& kv : m.command_args) {
        const std::string& key = kv.first;
        const StringConstraint& constraint = kv.second;
        // separator between key and value selects the constraint kind
        const char* sep = nullptr;
        switch (constraint.match_type) {
        case StringConstraint::MATCH_TYPE_EQUAL:
          sep = "=";
          break;
        case StringConstraint::MATCH_TYPE_PREFIX:
          sep = " prefix ";
          break;
        case StringConstraint::MATCH_TYPE_REGEX:
          sep = " regex ";
          break;
        default:
          break;  // unknown constraint kinds are omitted from the output
        }
        if (sep)
          out << " " << maybe_quote_string(key) << sep
              << maybe_quote_string(constraint.value);
      }
    }
  }
  if (!m.profile.empty())
    out << " profile " << maybe_quote_string(m.profile);
  if (m.allow != 0)
    out << " " << m.allow;
  if (!m.network.empty())
    out << " network " << m.network;
  return out;
}
129 | ||
130 | ||
// <magic>
// fusion lets us easily populate structs via the qi parser.
//
// The member order adapted below is the attribute sequence the grant rules
// in MonCapParser (rwxa_match, command_match, service_match, profile_match)
// must produce, position by position; a rule that does not parse a given
// member supplies a default for it via qi::attr().

typedef map<string,StringConstraint> kvmap;

BOOST_FUSION_ADAPT_STRUCT(MonCapGrant,
			  (std::string, service)
			  (std::string, profile)
			  (std::string, command)
			  (kvmap, command_args)
			  (mon_rwxa_t, allow)
			  (std::string, network)
			  (std::string, fs_name))

BOOST_FUSION_ADAPT_STRUCT(StringConstraint,
			  (StringConstraint::MatchType, match_type)
			  (std::string, value))

// </magic>
150 | ||
/// Pre-parse the grant's textual `network` clause into network_parsed /
/// network_prefix, recording in network_valid whether it parsed.
/// MonCap::parse() calls this for every grant, and MonCap::is_capable()
/// treats a grant with a non-empty network that is not valid as never
/// matching.
void MonCapGrant::parse_network()
{
  const char* spec = network.c_str();
  network_valid = ::parse_network(spec, &network_parsed, &network_prefix);
}
156 | ||
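/// Materialise the concrete grants a profile name stands for into
/// profile_grants (necessarily declared mutable in the header, since this is
/// a const method).  A non-empty profile_grants means "already expanded", so
/// only the first call does work; a profile name matched by no branch leaves
/// it empty and therefore grants nothing.
///
/// @param name  owner of the cap; it scopes the per-daemon config-key
///              namespace ("daemon-private/<name>/") of the daemon profiles.
void MonCapGrant::expand_profile(const EntityName& name) const
{
  // only generate this list once
  if (!profile_grants.empty())
    return;

  if (profile == "read-only") {
    // grants READ-ONLY caps monitor-wide
    // 'auth' requires MON_CAP_X even for RO, which we do not grant here.
    profile_grants.push_back(mon_rwxa_t(MON_CAP_R));
    return;
  }

  if (profile == "read-write") {
    // grants READ-WRITE caps monitor-wide
    // 'auth' requires MON_CAP_X for all operations, which we do not grant.
    profile_grants.push_back(mon_rwxa_t(MON_CAP_R | MON_CAP_W));
    return;
  }

  if (profile == "mon") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_ALL));
    profile_grants.push_back(MonCapGrant("log", MON_CAP_ALL));
  }
  if (profile == "osd") {
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_ALL));
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
    // 'config set' is limited to the mclock capacity options.  get_allowed()
    // evaluates this with regex_match, i.e. a whole-string match, so the
    // pattern needs no anchors.
    StringConstraint constraint(StringConstraint::MATCH_TYPE_REGEX,
				string("osd_mclock_max_capacity_iops_(hdd|ssd)"));
    profile_grants.push_back(MonCapGrant("config set", "name", constraint));
  }
  if (profile == "mds") {
    profile_grants.push_back(MonCapGrant("mds", MON_CAP_ALL));
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
    // This command grant is checked explicitly in MRemoveSnaps handling
    profile_grants.push_back(MonCapGrant("osd pool rmsnap"));
    profile_grants.push_back(MonCapGrant("osd blocklist"));
    profile_grants.push_back(MonCapGrant("osd blacklist")); // for compat
    profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
  }
  if (profile == "mgr") {
    profile_grants.push_back(MonCapGrant("mgr", MON_CAP_ALL));
    profile_grants.push_back(MonCapGrant("log", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("mds", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("fs", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("auth", MON_CAP_R | MON_CAP_W | MON_CAP_X));
    profile_grants.push_back(MonCapGrant("config-key", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("config", MON_CAP_R | MON_CAP_W));
    // cephadm orchestrator provisions new daemon keys and updates caps
    profile_grants.push_back(MonCapGrant("auth get-or-create"));
    profile_grants.push_back(MonCapGrant("auth caps"));
    profile_grants.push_back(MonCapGrant("auth rm"));
    // tell commands (this is a bit of a kludge)
    profile_grants.push_back(MonCapGrant("smart"));
    // allow the Telemetry module to gather heap and mempool metrics
    profile_grants.push_back(MonCapGrant("heap"));
    profile_grants.push_back(MonCapGrant("dump_mempools"));
  }
  if (profile == "osd" || profile == "mds" || profile == "mon" ||
      profile == "mgr") {
    // Every daemon gets its own config-key namespace.  The trailing '/' is
    // what keeps the prefix exact: "daemon-private/osd.1/" does not match
    // keys under "daemon-private/osd.10/".
    StringConstraint constraint(StringConstraint::MATCH_TYPE_PREFIX,
                                string("daemon-private/") + stringify(name) +
                                string("/"));
    profile_grants.push_back(MonCapGrant("config-key get", "key", constraint));
    profile_grants.push_back(MonCapGrant("config-key put", "key", constraint));
    profile_grants.push_back(MonCapGrant("config-key set", "key", constraint));
    profile_grants.push_back(MonCapGrant("config-key exists", "key", constraint));
    profile_grants.push_back(MonCapGrant("config-key delete", "key", constraint));
  }

  // The bootstrap-* profiles exist to mint a daemon's own key: the 'entity'
  // prefix constraint bounds which entity names may be created, and the
  // caps_* constraints pin exactly which caps that new key may be given.
  if (profile == "bootstrap-osd") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap
    profile_grants.push_back(MonCapGrant("mon getmap"));
    profile_grants.push_back(MonCapGrant("osd new"));
    profile_grants.push_back(MonCapGrant("osd purge-new"));
  }
  if (profile == "bootstrap-mds") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap
    profile_grants.push_back(MonCapGrant("mon getmap"));
    profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mds keys
    profile_grants.back().command_args["entity"] = StringConstraint(
      StringConstraint::MATCH_TYPE_PREFIX, "mds.");
    profile_grants.back().command_args["caps_mon"] = StringConstraint(
      StringConstraint::MATCH_TYPE_EQUAL, "allow profile mds");
    profile_grants.back().command_args["caps_osd"] = StringConstraint(
      StringConstraint::MATCH_TYPE_EQUAL, "allow rwx");
    profile_grants.back().command_args["caps_mds"] = StringConstraint(
      StringConstraint::MATCH_TYPE_EQUAL, "allow");
  }
  if (profile == "bootstrap-mgr") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap
    profile_grants.push_back(MonCapGrant("mon getmap"));
    profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mgr keys
    profile_grants.back().command_args["entity"] = StringConstraint(
      StringConstraint::MATCH_TYPE_PREFIX, "mgr.");
    profile_grants.back().command_args["caps_mon"] = StringConstraint(
      StringConstraint::MATCH_TYPE_EQUAL, "allow profile mgr");
  }
  if (profile == "bootstrap-rgw") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap
    profile_grants.push_back(MonCapGrant("mon getmap"));
    profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other rgw keys
    profile_grants.back().command_args["entity"] = StringConstraint(
      StringConstraint::MATCH_TYPE_PREFIX, "client.rgw.");
    profile_grants.back().command_args["caps_mon"] = StringConstraint(
      StringConstraint::MATCH_TYPE_EQUAL, "allow rw");
    profile_grants.back().command_args["caps_osd"] = StringConstraint(
      StringConstraint::MATCH_TYPE_EQUAL, "allow rwx");
  }
  if (profile == "bootstrap-rbd" || profile == "bootstrap-rbd-mirror") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
    profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other rbd keys
    profile_grants.back().command_args["entity"] = StringConstraint(
      StringConstraint::MATCH_TYPE_PREFIX, "client.");
    profile_grants.back().command_args["caps_mon"] = StringConstraint(
      StringConstraint::MATCH_TYPE_EQUAL,
      (profile == "bootstrap-rbd-mirror" ? "profile rbd-mirror" :
                                           "profile rbd"));
    // caps_osd may only be a (list of) 'profile rbd...' clauses, each with
    // an optional 'pool' qualifier
    profile_grants.back().command_args["caps_osd"] = StringConstraint(
      StringConstraint::MATCH_TYPE_REGEX,
      "^([ ,]*profile(=|[ ]+)['\"]?rbd[^ ,'\"]*['\"]?([ ]+pool(=|[ ]+)['\"]?[^,'\"]+['\"]?)?)+$");
  }
  if (profile == "fs-client") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
  }
  if (profile == "simple-rados-client") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
  }
  if (profile == "simple-rados-client-with-blocklist") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
    // only 'add', and only of an IP+nonce address
    profile_grants.push_back(MonCapGrant("osd blocklist"));
    profile_grants.back().command_args["blocklistop"] = StringConstraint(
      StringConstraint::MATCH_TYPE_EQUAL, "add");
    profile_grants.back().command_args["addr"] = StringConstraint(
      StringConstraint::MATCH_TYPE_REGEX, "^[^/]+/[0-9]+$");
  }
  // prefix match on purpose: rbd, rbd-mirror and rbd-mirror-peer all get
  // these base grants, and the specific profiles add to them below
  if (boost::starts_with(profile, "rbd")) {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));

    // exclusive lock dead-client blocklisting (IP+nonce required)
    profile_grants.push_back(MonCapGrant("osd blocklist"));
    profile_grants.back().command_args["blocklistop"] = StringConstraint(
      StringConstraint::MATCH_TYPE_EQUAL, "add");
    profile_grants.back().command_args["addr"] = StringConstraint(
      StringConstraint::MATCH_TYPE_REGEX, "^[^/]+/[0-9]+$");

    // for compat,
    profile_grants.push_back(MonCapGrant("osd blacklist"));
    profile_grants.back().command_args["blacklistop"] = StringConstraint(
      StringConstraint::MATCH_TYPE_EQUAL, "add");
    profile_grants.back().command_args["addr"] = StringConstraint(
      StringConstraint::MATCH_TYPE_REGEX, "^[^/]+/[0-9]+$");
  }
  if (profile == "rbd-mirror") {
    StringConstraint constraint(StringConstraint::MATCH_TYPE_PREFIX,
                                "rbd/mirror/");
    profile_grants.push_back(MonCapGrant("config-key get", "key", constraint));
  } else if (profile == "rbd-mirror-peer") {
    // a whole-string regex_match: exactly one path component under
    // rbd/mirror/, not anything deeper
    StringConstraint constraint(StringConstraint::MATCH_TYPE_REGEX,
                                "rbd/mirror/[^/]+");
    profile_grants.push_back(MonCapGrant("config-key get", "key", constraint));

    constraint = StringConstraint(StringConstraint::MATCH_TYPE_PREFIX,
                                  "rbd/mirror/peer/");
    profile_grants.push_back(MonCapGrant("config-key set", "key", constraint));
  }
  else if (profile == "crash") {
    // TODO: we could limit this to getting the monmap and mgrmap...
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
  }
  if (profile == "cephfs-mirror") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
    StringConstraint constraint(StringConstraint::MATCH_TYPE_PREFIX,
                                "cephfs/mirror/peer/");
    profile_grants.push_back(MonCapGrant("config-key get", "key", constraint));
  }
  if (profile == "role-definer") {
    // grants ALL caps to the auth subsystem, read-only on the
    // monitor subsystem and nothing else.
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("auth", MON_CAP_ALL));
  }
}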
364 | ||
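/// Compute the permission mask this single grant contributes to a request
/// against service `s` / command `c` with arguments `c_args`.
///
/// Exactly one of the grant's forms applies, tested in this order:
///  - profile: expand it and OR together what each expanded grant allows;
///  - service: `allow` when the service name matches, else nothing;
///  - command: MON_CAP_ALL when the command name matches and every
///    constrained argument is present in `c_args` and satisfies its
///    constraint, else nothing;
///  - bare rwx: `allow`, except that the "config-key" service is never
///    reachable through a blanket grant — only 'allow *', which the caller
///    is expected to have handled already via is_allow_all().
///
/// Every failure to evaluate a constraint denies: a missing argument, an
/// unequal value, a non-prefix, a regex that does not match, and a regex
/// that does not compile all return 0.
mon_rwxa_t MonCapGrant::get_allowed(CephContext *cct,
				    EntityName name,
				    const std::string& s, const std::string& c,
				    const map<string,string>& c_args) const
{
  if (!profile.empty()) {
    expand_profile(name);
    mon_rwxa_t a = 0;
    for (const auto& g : profile_grants)
      a = a | g.get_allowed(cct, name, s, c, c_args);
    return a;
  }
  if (!service.empty()) {
    if (service != s)
      return 0;
    return allow;
  }
  if (!command.empty()) {
    if (command != c)
      return 0;
    for (const auto& arg : command_args) {
      const std::string& key = arg.first;
      const StringConstraint& constraint = arg.second;
      const auto q = c_args.find(key);
      // argument must be present if a constraint exists
      if (q == c_args.end())
	return 0;
      const std::string& actual = q->second;
      switch (constraint.match_type) {
      case StringConstraint::MATCH_TYPE_EQUAL:
	if (constraint.value != actual)
	  return 0;
	break;
      case StringConstraint::MATCH_TYPE_PREFIX:
	// compare only the leading constraint.value.size() characters; an
	// `actual` shorter than the prefix compares unequal and is denied
	if (actual.compare(0, constraint.value.size(), constraint.value) != 0)
	  return 0;
	break;
      case StringConstraint::MATCH_TYPE_REGEX:
	// The pattern comes from the cap string, the subject from the
	// request.  regex_match requires the whole subject to match, and a
	// pattern that fails to compile (or a match that exceeds the
	// implementation's complexity limits) counts as no match.
	try {
	  std::regex pattern(constraint.value, std::regex::extended);
	  if (!std::regex_match(actual, pattern))
	    return 0;
	} catch (const std::regex_error&) {
	  return 0;
	}
	break;
      default:
	// unreachable through the parser, which only produces the three
	// kinds above; an unknown kind imposes no restriction
	break;
      }
    }
    return MON_CAP_ALL;
  }
  // we don't allow config-key service to be accessed with blanket caps other
  // than '*' (i.e., 'any'), and that should have been checked by the caller
  // via 'is_allow_all()'.
  if (s == "config-key") {
    return 0;
  }
  return allow;
}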
424 | ||
/// Print every grant of a cap, comma-separated, each in MonCapGrant's
/// textual form.
ostream& operator<<(ostream&out, const MonCap& m)
{
  const char* sep = "";
  for (const MonCapGrant& g : m.grants) {
    out << sep << g;
    sep = ", ";
  }
  return out;
}
434 | ||
/// True when at least one grant is an unrestricted 'allow *'.  Note this
/// does not look at a grant's `network` clause — unlike is_capable(), which
/// skips network-restricted grants for peers outside the network before it
/// consults MonCapGrant::is_allow_all().
bool MonCap::is_allow_all() const
{
  return std::any_of(grants.begin(), grants.end(),
		     [](const MonCapGrant& g) { return g.is_allow_all(); });
}
442 | ||
/// Replace whatever is configured with the single unrestricted grant
/// 'allow *', keeping `text` (what encode() serialises) in step.
void MonCap::set_allow_all()
{
  grants.assign(1, MonCapGrant(MON_CAP_ANY));
  text = "allow *";
}
449 | ||
/// Decide whether this cap permits a request.
///
/// @param cct           for debug logging only; may be null.
/// @param name          entity the cap belongs to (drives profile expansion).
/// @param service       service the request targets.
/// @param command       command name; its arguments are in command_args.
/// @param op_may_read   the operation needs MON_CAP_R.
/// @param op_may_write  the operation needs MON_CAP_W.
/// @param op_may_exec   the operation needs MON_CAP_X.
/// @param addr          peer address, tested against each grant's 'network'
///                      clause.
/// @return true as soon as the grants examined so far cover every required
///         bit (or one of them is 'allow *'); false if none do.
bool MonCap::is_capable(
  CephContext *cct,
  EntityName name,
  const string& service,
  const string& command, const map<string,string>& command_args,
  bool op_may_read, bool op_may_write, bool op_may_exec,
  const entity_addr_t& addr) const
{
  if (cct)
    ldout(cct, 20) << "is_capable service=" << service << " command=" << command
		   << (op_may_read ? " read":"")
		   << (op_may_write ? " write":"")
		   << (op_may_exec ? " exec":"")
		   << " addr " << addr
		   << " on cap " << *this
		   << dendl;

  mon_rwxa_t allow = 0;
  for (vector<MonCapGrant>::const_iterator p = grants.begin();
       p != grants.end(); ++p) {
    if (cct)
      ldout(cct, 20) << " allow so far " << allow << ", doing grant " << *p
		     << dendl;

    // A grant with a 'network' clause applies only to peers inside that
    // network; a grant whose network failed to parse (see parse_network())
    // never applies.
    if (p->network.size() &&
	(!p->network_valid ||
	 !network_contains(p->network_parsed,
			   p->network_prefix,
			   addr))) {
      continue;
    }

    // 'allow *' short-circuits everything else (after the network check).
    if (p->is_allow_all()) {
      if (cct)
	ldout(cct, 20) << " allow all" << dendl;
      return true;
    }

    // check enumerated caps
    // The mask accumulates across grants, so the r/w/x bits an operation
    // needs may be supplied by several grants in combination.
    allow = allow | p->get_allowed(cct, name, service, command, command_args);
    if ((!op_may_read || (allow & MON_CAP_R)) &&
	(!op_may_write || (allow & MON_CAP_W)) &&
	(!op_may_exec || (allow & MON_CAP_X))) {
      if (cct)
	ldout(cct, 20) << " match" << dendl;
      return true;
    }
  }
  return false;
}
500 | ||
/// Serialise the cap.  Only the original cap string `text` is encoded; the
/// parsed grants are rebuilt on the other side by decode() via parse().
void MonCap::encode(bufferlist& bl) const
{
  ENCODE_START(4, 4, bl); // legacy MonCaps was 3, 3
  encode(text, bl);
  ENCODE_FINISH(bl);
}
507 | ||
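/// Deserialise a cap by decoding its text and re-parsing it.
///
/// The parse result is deliberately not checked: for a string this version
/// of the grammar rejects, parse() leaves `grants` empty, so the decoded cap
/// grants nothing rather than failing the decode.
void MonCap::decode(bufferlist::const_iterator& bl)
{
  std::string s;
  DECODE_START(4, bl);
  decode(s, bl);
  DECODE_FINISH(bl);
  parse(s, nullptr);  // no error stream: a failure shows only as empty grants
}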
516 | ||
/// Emit the cap's textual form under the "text" key.
void MonCap::dump(Formatter *f) const
{
  Formatter& out = *f;
  out.dump_string("text", text);
}
521 | ||
/// Build sample caps for the encode/decode round-trip tests: one default
/// (empty) cap followed by caps parsed from representative strings.  The
/// instances are heap-allocated with new; the caller is expected to delete
/// them.
void MonCap::generate_test_instances(list<MonCap*>& ls)
{
  ls.push_back(new MonCap);

  static const char* const samples[] = {
    "allow *",
    "allow rwx",
    "allow service foo x",
    "allow command bar x",
    "allow service foo r, allow command bar x",
    "allow command bar with k1=v1 x",
    "allow command bar with k1=v1 k2=v2 x",
  };
  for (const char* sample : samples) {
    MonCap* cap = new MonCap;
    cap->parse(sample);
    ls.push_back(cap);
  }
}
540 | ||
541 | // grammar | |
542 | namespace qi = boost::spirit::qi; | |
543 | namespace ascii = boost::spirit::ascii; | |
544 | namespace phoenix = boost::phoenix; | |
545 | ||
546 | ||
/// Boost.Spirit grammar for the textual cap syntax.  The start rule `moncap`
/// yields a MonCap built from a list of `grant`s; each grant rule produces a
/// MonCapGrant by emitting attributes in the order declared by
/// BOOST_FUSION_ADAPT_STRUCT(MonCapGrant, ...) — service, profile, command,
/// command_args, allow, network, fs_name — using qi::attr() for members the
/// rule does not parse.
template <typename Iterator>
struct MonCapParser : qi::grammar<Iterator, MonCap()>
{
  MonCapParser() : MonCapParser::base_type(moncap)
  {
    using qi::char_;
    using qi::int_;
    using qi::ulong_long;
    using qi::lexeme;
    using qi::alnum;
    using qi::_val;
    using qi::_1;
    using qi::_2;
    using qi::_3;
    using qi::eps;
    using qi::lit;

    // A quoted string is a non-empty body between a matching pair of '"'
    // or '\''.  There is no escape sequence, so the delimiter in use can
    // never occur inside the body.
    quoted_string %=
      lexeme['"' >> +(char_ - '"') >> '"'] |
      lexeme['\'' >> +(char_ - '\'') >> '\''];
    // Bare tokens: the parser-side counterpart of maybe_quote_string()'s
    // character class, extended with '.' and '/'.
    unquoted_word %= +char_("a-zA-Z0-9_./-");
    str %= quoted_string | unquoted_word;
    // Network clause characters: hex digits, '.', ':' and '/' (address plus
    // prefix length) and '[' / ']'.  Validation happens later, in
    // MonCapGrant::parse_network().
    network_str %= +char_("/.:a-fA-F0-9][");
    fs_name_str %= +char_("a-zA-Z0-9_.-");

    spaces = +(lit(' ') | lit('\n') | lit('\t'));

    // command := command[=]cmd [k1=v1 k2=v2 ...]
    // Argument constraints: "k=v" (exact), "k prefix v", "k regex v".
    str_match = '=' >> qi::attr(StringConstraint::MATCH_TYPE_EQUAL) >> str;
    str_prefix = spaces >> lit("prefix") >> spaces >>
                 qi::attr(StringConstraint::MATCH_TYPE_PREFIX) >> str;
    str_regex = spaces >> lit("regex") >> spaces >>
                qi::attr(StringConstraint::MATCH_TYPE_REGEX) >> str;
    kv_pair = str >> (str_match | str_prefix | str_regex);
    kv_map %= kv_pair >> *(spaces >> kv_pair);
    // A command grant carries no rwx of its own (attr(0)); matching the
    // command and its constraints yields MON_CAP_ALL in get_allowed().
    command_match = -spaces >> lit("allow") >> spaces >> lit("command") >> (lit('=') | spaces)
                            >> qi::attr(string()) >> qi::attr(string())
                            >> str
                            >> -(spaces >> lit("with") >> spaces >> kv_map)
                            >> qi::attr(0)
                            >> -(spaces >> lit("network") >> spaces >> network_str);

    // service foo rwxa
    service_match %= -spaces >> lit("allow") >> spaces >> lit("service") >> (lit('=') | spaces)
                             >> str >> qi::attr(string()) >> qi::attr(string())
                             >> qi::attr(map<string,StringConstraint>())
                             >> spaces >> rwxa
                             >> -(spaces >> lit("network") >> spaces >> network_str);

    // profile foo
    // The leading "allow" is optional here.  A profile grant has no rwx of
    // its own (attr(0)); what it permits is decided by
    // MonCapGrant::expand_profile().
    profile_match %= -spaces >> -(lit("allow") >> spaces)
                             >> lit("profile") >> (lit('=') | spaces)
                             >> qi::attr(string())
                             >> str
                             >> qi::attr(string())
                             >> qi::attr(map<string,StringConstraint>())
                             >> qi::attr(0)
                             >> -(spaces >> lit("network") >> spaces >> network_str);

    // rwxa
    // The bare form is the only one that accepts an 'fsname' clause.
    rwxa_match %= -spaces >> lit("allow") >> spaces
                          >> qi::attr(string()) >> qi::attr(string()) >> qi::attr(string())
                          >> qi::attr(map<string,StringConstraint>())
                          >> rwxa
                          >> -(spaces >> lit("network") >> spaces >> network_str)
                          >> -(spaces >> lit("fsname") >> (lit('=') | spaces) >> fs_name_str);

    // rwxa := * | [r][w][x]
    // "*" and "all" both mean MON_CAP_ANY.  eps resets the value before the
    // bits are OR'd in; `||` is Spirit's sequential-or, so each of r, w, x
    // is optional but they must appear in that order.
    rwxa =
      (lit("*")[_val = MON_CAP_ANY]) |
      (lit("all")[_val = MON_CAP_ANY]) |
      ( eps[_val = 0] >>
	( lit('r')[_val |= MON_CAP_R] ||
	  lit('w')[_val |= MON_CAP_W] ||
	  lit('x')[_val |= MON_CAP_X]
	  )
	);

    // grant := allow ...
    // Ordered alternatives: the first form that parses wins.
    grant = -spaces >> (rwxa_match | profile_match | service_match | command_match) >> -spaces;

    // moncap := grant [grant ...]
    // Grants are separated by ';' or ',' with optional surrounding spaces.
    grants %= (grant % (*lit(' ') >> (lit(';') | lit(',')) >> *lit(' ')));
    moncap = grants [_val = phoenix::construct<MonCap>(_1)];

  }
  qi::rule<Iterator> spaces;
  qi::rule<Iterator, unsigned()> rwxa;
  qi::rule<Iterator, string()> quoted_string;
  qi::rule<Iterator, string()> unquoted_word;
  qi::rule<Iterator, string()> str, network_str;
  qi::rule<Iterator, string()> fs_name_str;

  // one StringConstraint per "k=v" / "k prefix v" / "k regex v"
  qi::rule<Iterator, StringConstraint()> str_match, str_prefix, str_regex;
  qi::rule<Iterator, pair<string, StringConstraint>()> kv_pair;
  qi::rule<Iterator, map<string, StringConstraint>()> kv_map;

  // the four grant forms, each producing a full MonCapGrant
  qi::rule<Iterator, MonCapGrant()> rwxa_match;
  qi::rule<Iterator, MonCapGrant()> command_match;
  qi::rule<Iterator, MonCapGrant()> service_match;
  qi::rule<Iterator, MonCapGrant()> profile_match;
  qi::rule<Iterator, MonCapGrant()> grant;
  qi::rule<Iterator, std::vector<MonCapGrant>()> grants;
  qi::rule<Iterator, MonCap()> moncap;
};
652 | ||
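/// Parse `str` into this cap, replacing any previous contents.
///
/// Succeeds only if the whole string is consumed.  On success `text` keeps
/// the original string (that is what encode() serialises) and each grant's
/// network clause is pre-parsed for is_capable().  On failure the cap is
/// left empty — both `grants` and `text` are cleared, so a cap that failed
/// to parse can neither be evaluated nor serialised as something else — and
/// a diagnostic is written to `err` when one is supplied.
///
/// @return true on a complete parse, false otherwise.
bool MonCap::parse(const string& str, ostream *err)
{
  auto iter = str.begin();
  auto end = str.end();

  MonCapParser<string::const_iterator> exp;
  bool r = qi::parse(iter, end, exp, *this);
  if (r && iter == end) {
    text = str;
    for (auto& g : grants) {
      g.parse_network();
    }
    return true;
  }

  // Make sure no grants are kept after parsing failed!  A partial parse may
  // already have written into *this, and a stale `text` must not outlive the
  // grants it described.
  grants.clear();
  text.clear();

  if (err) {
    if (iter != end)
      *err << "mon capability parse failed, stopped at '"
	   << std::string(iter, end)
	   << "' of '" << str << "'";
    else
      *err << "mon capability parse failed, stopped at end of '" << str << "'";
  }

  return false;
}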
682 |