[ceph.git] / ceph / src / mon / MonCap.cc

// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
/*
 * Ceph - scalable distributed file system
 *
 * Copyright (C) 2013 Inktank
 *
 * This is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License version 2.1, as published by the Free Software
 * Foundation.  See file COPYING.
 *
 */

#include <boost/config/warning_disable.hpp>
#include <boost/spirit/include/qi_uint.hpp>
#include <boost/spirit/include/qi.hpp>
#include <boost/fusion/include/std_pair.hpp>
#include <boost/spirit/include/phoenix.hpp>
#include <boost/fusion/adapted/struct/adapt_struct.hpp>
#include <boost/fusion/include/adapt_struct.hpp>

#include "MonCap.h"
#include "include/stringify.h"
#include "common/debug.h"
#include "common/Formatter.h"

#include <algorithm>

static inline bool is_not_alnum_space(char c)
{
  return !(isalpha(c) || isdigit(c) || (c == '-') || (c == '_'));
}

static string maybe_quote_string(const std::string& str)
{
  if (find_if(str.begin(), str.end(), is_not_alnum_space) == str.end())
    return str;
  return string("\"") + str + string("\"");
}

using std::ostream;
using std::vector;

#define dout_subsys ceph_subsys_mon

ostream& operator<<(ostream& out, const mon_rwxa_t& p)
{ 
  if (p == MON_CAP_ANY)
    return out << "*";

  if (p & MON_CAP_R)
    out << "r";
  if (p & MON_CAP_W)
    out << "w";
  if (p & MON_CAP_X)
    out << "x";
  return out;
}

ostream& operator<<(ostream& out, const StringConstraint& c)
{
  if (c.prefix.length())
    return out << "prefix " << c.prefix;
  else
    return out << "value " << c.value;
}

ostream& operator<<(ostream& out, const MonCapGrant& m)
{
  out << "allow";
  if (m.service.length()) {
    out << " service " << maybe_quote_string(m.service);
  }
  if (m.command.length()) {
    out << " command " << maybe_quote_string(m.command);
    if (!m.command_args.empty()) {
      out << " with";
      for (map<string,StringConstraint>::const_iterator p = m.command_args.begin();
	   p != m.command_args.end();
	   ++p) {
	if (p->second.value.length())
	  out << " " << maybe_quote_string(p->first) << "=" << maybe_quote_string(p->second.value);
	else
	  out << " " << maybe_quote_string(p->first) << " prefix " << maybe_quote_string(p->second.prefix);
      }
    }
  }
  if (m.profile.length()) {
    out << " profile " << maybe_quote_string(m.profile);
  }
  if (m.allow != 0)
    out << " " << m.allow;
  return out;
}


// <magic>
//  fusion lets us easily populate structs via the qi parser.

typedef map<string,StringConstraint> kvmap;

BOOST_FUSION_ADAPT_STRUCT(MonCapGrant,
			  (std::string, service)
			  (std::string, profile)
			  (std::string, command)
			  (kvmap, command_args)
			  (mon_rwxa_t, allow))

BOOST_FUSION_ADAPT_STRUCT(StringConstraint,
			  (std::string, value)
			  (std::string, prefix))

// </magic>

void MonCapGrant::expand_profile(int daemon_type, const EntityName& name) const
{
  // only generate this list once
  if (!profile_grants.empty())
    return;

  if (profile == "read-only") {
    // grants READ-ONLY caps monitor-wide
    // 'auth' requires MON_CAP_X even for RO, which we do not grant here.
    profile_grants.push_back(mon_rwxa_t(MON_CAP_R));
    return;
  }

  if (profile == "read-write") {
    // grants READ-WRITE caps monitor-wide
    // 'auth' requires MON_CAP_X for all operations, which we do not grant.
    profile_grants.push_back(mon_rwxa_t(MON_CAP_R | MON_CAP_W));
    return;
  }

  switch (daemon_type) {
  case CEPH_ENTITY_TYPE_MON:
    expand_profile_mon(name);
    return;
  case CEPH_ENTITY_TYPE_MGR:
    expand_profile_mgr(name);
    return;
  }
}

void MonCapGrant::expand_profile_mgr(const EntityName& name) const
{
}

void MonCapGrant::expand_profile_mon(const EntityName& name) const
{
  if (profile == "mon") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_ALL));
    profile_grants.push_back(MonCapGrant("log", MON_CAP_ALL));
  }
  if (profile == "osd") {
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_ALL));
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
  }
  if (profile == "mds") {
    profile_grants.push_back(MonCapGrant("mds", MON_CAP_ALL));
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
    // This command grant is checked explicitly in MRemoveSnaps handling
    profile_grants.push_back(MonCapGrant("osd pool rmsnap"));
    profile_grants.push_back(MonCapGrant("osd blacklist"));
    profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
  }
  if (profile == "mgr") {
    profile_grants.push_back(MonCapGrant("mgr", MON_CAP_ALL));
    profile_grants.push_back(MonCapGrant("log", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("mds", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R | MON_CAP_W));
    profile_grants.push_back(MonCapGrant("auth", MON_CAP_R | MON_CAP_X));
    profile_grants.push_back(MonCapGrant("config-key", MON_CAP_R | MON_CAP_W));
    string prefix = string("daemon-private/mgr/");
    profile_grants.push_back(MonCapGrant("config-key get", "key",
					 StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("config-key put", "key",
					 StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("config-key exists", "key",
					 StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("config-key delete", "key",
					 StringConstraint("", prefix)));
  }
  if (profile == "osd" || profile == "mds" || profile == "mon" ||
      profile == "mgr") {
    string prefix = string("daemon-private/") + stringify(name) + string("/");
    profile_grants.push_back(MonCapGrant("config-key get", "key", StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("config-key put", "key", StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("config-key exists", "key", StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("config-key delete", "key", StringConstraint("", prefix)));
  }
  if (profile == "bootstrap-osd") {
    string prefix = "dm-crypt/osd";
    profile_grants.push_back(MonCapGrant("config-key put", "key", StringConstraint("", prefix)));
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));  // read monmap
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));  // read osdmap
    profile_grants.push_back(MonCapGrant("mon getmap"));
    profile_grants.push_back(MonCapGrant("osd create"));
    profile_grants.push_back(MonCapGrant("auth get-or-create"));
    profile_grants.back().command_args["entity"] = StringConstraint("", "client.");
    prefix = "allow command \"config-key get\" with key=\"dm-crypt/osd/";
    profile_grants.back().command_args["caps_mon"] = StringConstraint("", prefix);
    profile_grants.push_back(MonCapGrant("auth add"));
    profile_grants.back().command_args["entity"] = StringConstraint("", "osd.");
    profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile osd", "");
    profile_grants.back().command_args["caps_osd"] = StringConstraint("allow *", "");
  }
  if (profile == "bootstrap-mds") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));  // read monmap
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));  // read osdmap
    profile_grants.push_back(MonCapGrant("mon getmap"));
    profile_grants.push_back(MonCapGrant("auth get-or-create"));  // FIXME: this can expose other mds keys
    profile_grants.back().command_args["entity"] = StringConstraint("", "mds.");
    profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile mds", "");
    profile_grants.back().command_args["caps_osd"] = StringConstraint("allow rwx", "");
    profile_grants.back().command_args["caps_mds"] = StringConstraint("allow", "");
  }
  if (profile == "bootstrap-mgr") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));  // read monmap
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));  // read osdmap
    profile_grants.push_back(MonCapGrant("mon getmap"));
    profile_grants.push_back(MonCapGrant("auth get-or-create"));  // FIXME: this can expose other mgr keys
    profile_grants.back().command_args["entity"] = StringConstraint("", "mgr.");
    profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile mgr", "");
  }
  if (profile == "bootstrap-rgw") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));  // read monmap
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));  // read osdmap
    profile_grants.push_back(MonCapGrant("mon getmap"));
    profile_grants.push_back(MonCapGrant("auth get-or-create"));  // FIXME: this can expose other mds keys
    profile_grants.back().command_args["entity"] = StringConstraint("", "client.rgw.");
    profile_grants.back().command_args["caps_mon"] = StringConstraint("allow rw", "");
    profile_grants.back().command_args["caps_osd"] = StringConstraint("allow rwx", "");
  }
  if (profile == "fs-client") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
  }
  if (profile == "simple-rados-client") {
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
  }

  if (profile == "role-definer") {
    // grants ALL caps to the auth subsystem, read-only on the
    // monitor subsystem and nothing else.
    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
    profile_grants.push_back(MonCapGrant("auth", MON_CAP_ALL));
  }
}

mon_rwxa_t MonCapGrant::get_allowed(CephContext *cct,
				    int daemon_type,
				    EntityName name,
				    const std::string& s, const std::string& c,
				    const map<string,string>& c_args) const
{
  if (profile.length()) {
    expand_profile(daemon_type, name);
    mon_rwxa_t a;
    for (list<MonCapGrant>::const_iterator p = profile_grants.begin();
	 p != profile_grants.end(); ++p)
      a = a | p->get_allowed(cct, daemon_type, name, s, c, c_args);
    return a;
  }
  if (service.length()) {
    if (service != s)
      return 0;
    return allow;
  }
  if (command.length()) {
    if (command != c)
      return 0;
    for (map<string,StringConstraint>::const_iterator p = command_args.begin(); p != command_args.end(); ++p) {
      map<string,string>::const_iterator q = c_args.find(p->first);
      // argument must be present if a constraint exists
      if (q == c_args.end())
	return 0;
      if (p->second.value.length()) {
	// match value
	if (p->second.value != q->second)
	  return 0;
      } else {
	// match prefix
	if (q->second.find(p->second.prefix) != 0)
	  return 0;
      }
    }
    return MON_CAP_ALL;
  }
  return allow;
}

ostream& operator<<(ostream&out, const MonCap& m)
{
  for (vector<MonCapGrant>::const_iterator p = m.grants.begin(); p != m.grants.end(); ++p) {
    if (p != m.grants.begin())
      out << ", ";
    out << *p;
  }
  return out;
}

bool MonCap::is_allow_all() const
{
  for (vector<MonCapGrant>::const_iterator p = grants.begin(); p != grants.end(); ++p)
    if (p->is_allow_all())
      return true;
  return false;
}

void MonCap::set_allow_all()
{
  grants.clear();
  grants.push_back(MonCapGrant(MON_CAP_ANY));
  text = "allow *";
}

bool MonCap::is_capable(CephContext *cct,
			int daemon_type,
			EntityName name,
			const string& service,
			const string& command, const map<string,string>& command_args,
			bool op_may_read, bool op_may_write, bool op_may_exec) const
{
  if (cct)
    ldout(cct, 20) << "is_capable service=" << service << " command=" << command
		   << (op_may_read ? " read":"")
		   << (op_may_write ? " write":"")
		   << (op_may_exec ? " exec":"")
		   << " on cap " << *this
		   << dendl;
  mon_rwxa_t allow = 0;
  for (vector<MonCapGrant>::const_iterator p = grants.begin();
       p != grants.end(); ++p) {
    if (cct)
      ldout(cct, 20) << " allow so far " << allow << ", doing grant " << *p << dendl;

    if (p->is_allow_all()) {
      if (cct)
	ldout(cct, 20) << " allow all" << dendl;
      return true;
    }

    // check enumerated caps
    allow = allow | p->get_allowed(cct, daemon_type, name, service, command,
				   command_args);
    if ((!op_may_read || (allow & MON_CAP_R)) &&
	(!op_may_write || (allow & MON_CAP_W)) &&
	(!op_may_exec || (allow & MON_CAP_X))) {
      if (cct)
	ldout(cct, 20) << " match" << dendl;
      return true;
    }
  }
  return false;
}

void MonCap::encode(bufferlist& bl) const
{
  ENCODE_START(4, 4, bl);   // legacy MonCaps was 3, 3
  ::encode(text, bl);
  ENCODE_FINISH(bl);
}

void MonCap::decode(bufferlist::iterator& bl)
{
  string s;
  DECODE_START(4, bl);
  ::decode(s, bl);
  DECODE_FINISH(bl);
  parse(s, NULL);
}

void MonCap::dump(Formatter *f) const
{
  f->dump_string("text", text);
}

void MonCap::generate_test_instances(list<MonCap*>& ls)
{
  ls.push_back(new MonCap);
  ls.push_back(new MonCap);
  ls.back()->parse("allow *");
  ls.push_back(new MonCap);
  ls.back()->parse("allow rwx");
  ls.push_back(new MonCap);
  ls.back()->parse("allow service foo x");
  ls.push_back(new MonCap);
  ls.back()->parse("allow command bar x");
  ls.push_back(new MonCap);
  ls.back()->parse("allow service foo r, allow command bar x");
  ls.push_back(new MonCap);
  ls.back()->parse("allow command bar with k1=v1 x");
  ls.push_back(new MonCap);
  ls.back()->parse("allow command bar with k1=v1 k2=v2 x");
}

// grammar
namespace qi = boost::spirit::qi;
namespace ascii = boost::spirit::ascii;
namespace phoenix = boost::phoenix;


template <typename Iterator>
struct MonCapParser : qi::grammar<Iterator, MonCap()>
{
  MonCapParser() : MonCapParser::base_type(moncap)
  {
    using qi::char_;
    using qi::int_;
    using qi::ulong_long;
    using qi::lexeme;
    using qi::alnum;
    using qi::_val;
    using qi::_1;
    using qi::_2;
    using qi::_3;
    using qi::eps;
    using qi::lit;

    quoted_string %=
      lexeme['"' >> +(char_ - '"') >> '"'] | 
      lexeme['\'' >> +(char_ - '\'') >> '\''];
    unquoted_word %= +char_("a-zA-Z0-9_.-");
    str %= quoted_string | unquoted_word;

    spaces = +(lit(' ') | lit('\n') | lit('\t'));

    // command := command[=]cmd [k1=v1 k2=v2 ...]
    str_match = '=' >> str >> qi::attr(string());
    str_prefix = spaces >> lit("prefix") >> spaces >> qi::attr(string()) >> str;
    kv_pair = str >> (str_match | str_prefix);
    kv_map %= kv_pair >> *(spaces >> kv_pair);
    command_match = -spaces >> lit("allow") >> spaces >> lit("command") >> (lit('=') | spaces)
			    >> qi::attr(string()) >> qi::attr(string())
			    >> str
			    >> -(spaces >> lit("with") >> spaces >> kv_map)
			    >> qi::attr(0);

    // service foo rwxa
    service_match %= -spaces >> lit("allow") >> spaces >> lit("service") >> (lit('=') | spaces)
			     >> str >> qi::attr(string()) >> qi::attr(string())
			     >> qi::attr(map<string,StringConstraint>())
                             >> spaces >> rwxa;

    // profile foo
    profile_match %= -spaces >> lit("allow") >> spaces >> lit("profile") >> (lit('=') | spaces)
			     >> qi::attr(string())
			     >> str
			     >> qi::attr(string())
			     >> qi::attr(map<string,StringConstraint>())
			     >> qi::attr(0);

    // rwxa
    rwxa_match %= -spaces >> lit("allow") >> spaces
			  >> qi::attr(string()) >> qi::attr(string()) >> qi::attr(string())
			  >> qi::attr(map<string,StringConstraint>())
			  >> rwxa;

    // rwxa := * | [r][w][x]
    rwxa =
      (lit("*")[_val = MON_CAP_ANY]) |
      ( eps[_val = 0] >>
	( lit('r')[_val |= MON_CAP_R] ||
	  lit('w')[_val |= MON_CAP_W] ||
	  lit('x')[_val |= MON_CAP_X]
	  )
	);

    // grant := allow ...
    grant = -spaces >> (rwxa_match | profile_match | service_match | command_match) >> -spaces;

    // moncap := grant [grant ...]
    grants %= (grant % (*lit(' ') >> (lit(';') | lit(',')) >> *lit(' ')));
    moncap = grants  [_val = phoenix::construct<MonCap>(_1)]; 

  }
  qi::rule<Iterator> spaces;
  qi::rule<Iterator, unsigned()> rwxa;
  qi::rule<Iterator, string()> quoted_string;
  qi::rule<Iterator, string()> unquoted_word;
  qi::rule<Iterator, string()> str;

  qi::rule<Iterator, StringConstraint()> str_match, str_prefix;
  qi::rule<Iterator, pair<string, StringConstraint>()> kv_pair;
  qi::rule<Iterator, map<string, StringConstraint>()> kv_map;

  qi::rule<Iterator, MonCapGrant()> rwxa_match;
  qi::rule<Iterator, MonCapGrant()> command_match;
  qi::rule<Iterator, MonCapGrant()> service_match;
  qi::rule<Iterator, MonCapGrant()> profile_match;
  qi::rule<Iterator, MonCapGrant()> grant;
  qi::rule<Iterator, std::vector<MonCapGrant>()> grants;
  qi::rule<Iterator, MonCap()> moncap;
};

bool MonCap::parse(const string& str, ostream *err)
{
  string s = str;
  string::iterator iter = s.begin();
  string::iterator end = s.end();

  MonCapParser<string::iterator> g;
  bool r = qi::parse(iter, end, g, *this);
  //MonCapGrant foo;
  //bool r = qi::phrase_parse(iter, end, g, ascii::space, foo);
  if (r && iter == end) {
    text = str;
    return true;
  }

  // Make sure no grants are kept after parsing failed!
  grants.clear();

  if (err) {
    if (iter != end)
      *err << "moncap parse failed, stopped at '" << std::string(iter, end)
	   << "' of '" << str << "'\n";
    else
      *err << "moncap parse failed, stopped at end of '" << str << "'\n";
  }

  return false; 
}
Commit	Line	Data
7c673cae FG	1	// -- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t --
	2	// vim: ts=8 sw=2 smarttab
	3	/*
	4	* Ceph - scalable distributed file system
	5	*
	6	* Copyright (C) 2013 Inktank
	7	*
	8	* This is free software; you can redistribute it and/or
	9	* modify it under the terms of the GNU Lesser General Public
	10	* License version 2.1, as published by the Free Software
	11	* Foundation. See file COPYING.
	12	*
	13	*/
	14
	15	#include <boost/config/warning_disable.hpp>
	16	#include <boost/spirit/include/qi_uint.hpp>
	17	#include <boost/spirit/include/qi.hpp>
	18	#include <boost/fusion/include/std_pair.hpp>
	19	#include <boost/spirit/include/phoenix.hpp>
	20	#include <boost/fusion/adapted/struct/adapt_struct.hpp>
	21	#include <boost/fusion/include/adapt_struct.hpp>
	22
	23	#include "MonCap.h"
	24	#include "include/stringify.h"
	25	#include "common/debug.h"
	26	#include "common/Formatter.h"
	27
	28	#include <algorithm>
	29
	30	static inline bool is_not_alnum_space(char c)
	31	{
	32	return !(isalpha(c) \|\| isdigit(c) \|\| (c == '-') \|\| (c == '_'));
	33	}
	34
	35	static string maybe_quote_string(const std::string& str)
	36	{
	37	if (find_if(str.begin(), str.end(), is_not_alnum_space) == str.end())
	38	return str;
	39	return string("\"") + str + string("\"");
	40	}
	41
	42	using std::ostream;
	43	using std::vector;
	44
	45	#define dout_subsys ceph_subsys_mon
	46
31f18b77	47	ostream& operator<<(ostream& out, const mon_rwxa_t& p)
7c673cae FG	48	{
	49	if (p == MON_CAP_ANY)
	50	return out << "*";
	51
	52	if (p & MON_CAP_R)
	53	out << "r";
	54	if (p & MON_CAP_W)
	55	out << "w";
	56	if (p & MON_CAP_X)
	57	out << "x";
	58	return out;
	59	}
	60
	61	ostream& operator<<(ostream& out, const StringConstraint& c)
	62	{
	63	if (c.prefix.length())
	64	return out << "prefix " << c.prefix;
	65	else
	66	return out << "value " << c.value;
	67	}
	68
	69	ostream& operator<<(ostream& out, const MonCapGrant& m)
	70	{
	71	out << "allow";
	72	if (m.service.length()) {
	73	out << " service " << maybe_quote_string(m.service);
	74	}
	75	if (m.command.length()) {
	76	out << " command " << maybe_quote_string(m.command);
	77	if (!m.command_args.empty()) {
	78	out << " with";
	79	for (map<string,StringConstraint>::const_iterator p = m.command_args.begin();
	80	p != m.command_args.end();
	81	++p) {
	82	if (p->second.value.length())
	83	out << " " << maybe_quote_string(p->first) << "=" << maybe_quote_string(p->second.value);
	84	else
	85	out << " " << maybe_quote_string(p->first) << " prefix " << maybe_quote_string(p->second.prefix);
	86	}
	87	}
	88	}
	89	if (m.profile.length()) {
	90	out << " profile " << maybe_quote_string(m.profile);
	91	}
	92	if (m.allow != 0)
	93	out << " " << m.allow;
	94	return out;
	95	}
	96
	97
	98	// <magic>
	99	// fusion lets us easily populate structs via the qi parser.
	100
	101	typedef map<string,StringConstraint> kvmap;
	102
	103	BOOST_FUSION_ADAPT_STRUCT(MonCapGrant,
	104	(std::string, service)
	105	(std::string, profile)
	106	(std::string, command)
	107	(kvmap, command_args)
	108	(mon_rwxa_t, allow))
	109
	110	BOOST_FUSION_ADAPT_STRUCT(StringConstraint,
	111	(std::string, value)
112	(std::string, prefix))
113
114	// </magic>
115
116	void MonCapGrant::expand_profile(int daemon_type, const EntityName& name) const
117	{
118	// only generate this list once
119	if (!profile_grants.empty())
120	return;
121
122	if (profile == "read-only") {
123	// grants READ-ONLY caps monitor-wide
124	// 'auth' requires MON_CAP_X even for RO, which we do not grant here.
125	profile_grants.push_back(mon_rwxa_t(MON_CAP_R));
126	return;
127	}
128
129	if (profile == "read-write") {
130	// grants READ-WRITE caps monitor-wide
131	// 'auth' requires MON_CAP_X for all operations, which we do not grant.
132	profile_grants.push_back(mon_rwxa_t(MON_CAP_R \| MON_CAP_W));
133	return;
134	}
135
136	switch (daemon_type) {
137	case CEPH_ENTITY_TYPE_MON:
138	expand_profile_mon(name);
139	return;
140	case CEPH_ENTITY_TYPE_MGR:
141	expand_profile_mgr(name);
142	return;
143	}
144	}
145
146	void MonCapGrant::expand_profile_mgr(const EntityName& name) const
147	{
148	}
149
150	void MonCapGrant::expand_profile_mon(const EntityName& name) const
151	{
152	if (profile == "mon") {
153	profile_grants.push_back(MonCapGrant("mon", MON_CAP_ALL));
154	profile_grants.push_back(MonCapGrant("log", MON_CAP_ALL));
155	}
156	if (profile == "osd") {
157	profile_grants.push_back(MonCapGrant("osd", MON_CAP_ALL));
158	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
159	profile_grants.push_back(MonCapGrant("pg", MON_CAP_R \| MON_CAP_W));
160	profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
161	}
162	if (profile == "mds") {
163	profile_grants.push_back(MonCapGrant("mds", MON_CAP_ALL));
164	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
165	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
166	// This command grant is checked explicitly in MRemoveSnaps handling
167	profile_grants.push_back(MonCapGrant("osd pool rmsnap"));
31f18b77	168	profile_grants.push_back(MonCapGrant("osd blacklist"));
7c673cae FG	169	profile_grants.push_back(MonCapGrant("log", MON_CAP_W));
	170	}
	171	if (profile == "mgr") {
	172	profile_grants.push_back(MonCapGrant("mgr", MON_CAP_ALL));
31f18b77 FG	173	profile_grants.push_back(MonCapGrant("log", MON_CAP_R \| MON_CAP_W));
	174	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R \| MON_CAP_W));
	175	profile_grants.push_back(MonCapGrant("mds", MON_CAP_R \| MON_CAP_W));
7c673cae	176	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R \| MON_CAP_W));
31f18b77 FG	177	profile_grants.push_back(MonCapGrant("auth", MON_CAP_R \| MON_CAP_X));
31f18b77 FG	178	profile_grants.push_back(MonCapGrant("config-key", MON_CAP_R \| MON_CAP_W));
7c673cae FG	179	string prefix = string("daemon-private/mgr/");
	180	profile_grants.push_back(MonCapGrant("config-key get", "key",
	181	StringConstraint("", prefix)));
	182	profile_grants.push_back(MonCapGrant("config-key put", "key",
	183	StringConstraint("", prefix)));
	184	profile_grants.push_back(MonCapGrant("config-key exists", "key",
	185	StringConstraint("", prefix)));
	186	profile_grants.push_back(MonCapGrant("config-key delete", "key",
	187	StringConstraint("", prefix)));
	188	}
	189	if (profile == "osd" \|\| profile == "mds" \|\| profile == "mon" \|\|
	190	profile == "mgr") {
	191	string prefix = string("daemon-private/") + stringify(name) + string("/");
	192	profile_grants.push_back(MonCapGrant("config-key get", "key", StringConstraint("", prefix)));
	193	profile_grants.push_back(MonCapGrant("config-key put", "key", StringConstraint("", prefix)));
	194	profile_grants.push_back(MonCapGrant("config-key exists", "key", StringConstraint("", prefix)));
	195	profile_grants.push_back(MonCapGrant("config-key delete", "key", StringConstraint("", prefix)));
	196	}
	197	if (profile == "bootstrap-osd") {
	198	string prefix = "dm-crypt/osd";
	199	profile_grants.push_back(MonCapGrant("config-key put", "key", StringConstraint("", prefix)));
	200	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
	201	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap
	202	profile_grants.push_back(MonCapGrant("mon getmap"));
	203	profile_grants.push_back(MonCapGrant("osd create"));
	204	profile_grants.push_back(MonCapGrant("auth get-or-create"));
	205	profile_grants.back().command_args["entity"] = StringConstraint("", "client.");
	206	prefix = "allow command \"config-key get\" with key=\"dm-crypt/osd/";
	207	profile_grants.back().command_args["caps_mon"] = StringConstraint("", prefix);
	208	profile_grants.push_back(MonCapGrant("auth add"));
	209	profile_grants.back().command_args["entity"] = StringConstraint("", "osd.");
	210	profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile osd", "");
	211	profile_grants.back().command_args["caps_osd"] = StringConstraint("allow *", "");
	212	}
	213	if (profile == "bootstrap-mds") {
	214	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
	215	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap
	216	profile_grants.push_back(MonCapGrant("mon getmap"));
	217	profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mds keys
	218	profile_grants.back().command_args["entity"] = StringConstraint("", "mds.");
	219	profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile mds", "");
	220	profile_grants.back().command_args["caps_osd"] = StringConstraint("allow rwx", "");
	221	profile_grants.back().command_args["caps_mds"] = StringConstraint("allow", "");
	222	}
	223	if (profile == "bootstrap-mgr") {
	224	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
	225	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap
	226	profile_grants.push_back(MonCapGrant("mon getmap"));
	227	profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mgr keys
	228	profile_grants.back().command_args["entity"] = StringConstraint("", "mgr.");
	229	profile_grants.back().command_args["caps_mon"] = StringConstraint("allow profile mgr", "");
	230	}
	231	if (profile == "bootstrap-rgw") {
	232	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
	233	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap
	234	profile_grants.push_back(MonCapGrant("mon getmap"));
	235	profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mds keys
	236	profile_grants.back().command_args["entity"] = StringConstraint("", "client.rgw.");
	237	profile_grants.back().command_args["caps_mon"] = StringConstraint("allow rw", "");
	238	profile_grants.back().command_args["caps_osd"] = StringConstraint("allow rwx", "");
	239	}
	240	if (profile == "fs-client") {
	241	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
	242	profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
243	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
244	profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
245	}
246	if (profile == "simple-rados-client") {
247	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
248	profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
249	profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
250	}
251
252	if (profile == "role-definer") {
253	// grants ALL caps to the auth subsystem, read-only on the
254	// monitor subsystem and nothing else.
255	profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
256	profile_grants.push_back(MonCapGrant("auth", MON_CAP_ALL));
257	}
258	}
259
260	mon_rwxa_t MonCapGrant::get_allowed(CephContext *cct,
261	int daemon_type,
262	EntityName name,
263	const std::string& s, const std::string& c,
264	const map<string,string>& c_args) const
265	{
266	if (profile.length()) {
267	expand_profile(daemon_type, name);
268	mon_rwxa_t a;
269	for (list<MonCapGrant>::const_iterator p = profile_grants.begin();
270	p != profile_grants.end(); ++p)
271	a = a \| p->get_allowed(cct, daemon_type, name, s, c, c_args);
272	return a;
273	}
274	if (service.length()) {
275	if (service != s)
276	return 0;
277	return allow;
278	}
279	if (command.length()) {
280	if (command != c)
281	return 0;
282	for (map<string,StringConstraint>::const_iterator p = command_args.begin(); p != command_args.end(); ++p) {
283	map<string,string>::const_iterator q = c_args.find(p->first);
284	// argument must be present if a constraint exists
285	if (q == c_args.end())
286	return 0;
287	if (p->second.value.length()) {
288	// match value
289	if (p->second.value != q->second)
290	return 0;
291	} else {
292	// match prefix
293	if (q->second.find(p->second.prefix) != 0)
294	return 0;
295	}
296	}
297	return MON_CAP_ALL;
298	}
299	return allow;
300	}
301
302	ostream& operator<<(ostream&out, const MonCap& m)
303	{
304	for (vector<MonCapGrant>::const_iterator p = m.grants.begin(); p != m.grants.end(); ++p) {
305	if (p != m.grants.begin())
306	out << ", ";
307	out << *p;
308	}
309	return out;
310	}
311
312	bool MonCap::is_allow_all() const
313	{
314	for (vector<MonCapGrant>::const_iterator p = grants.begin(); p != grants.end(); ++p)
315	if (p->is_allow_all())
316	return true;
317	return false;
318	}
319
320	void MonCap::set_allow_all()
321	{
322	grants.clear();
323	grants.push_back(MonCapGrant(MON_CAP_ANY));
324	text = "allow *";
325	}
326
327	bool MonCap::is_capable(CephContext *cct,
328	int daemon_type,
329	EntityName name,
330	const string& service,
331	const string& command, const map<string,string>& command_args,
332	bool op_may_read, bool op_may_write, bool op_may_exec) const
333	{
334	if (cct)
335	ldout(cct, 20) << "is_capable service=" << service << " command=" << command
336	<< (op_may_read ? " read":"")
337	<< (op_may_write ? " write":"")
338	<< (op_may_exec ? " exec":"")
339	<< " on cap " << *this
340	<< dendl;
341	mon_rwxa_t allow = 0;
342	for (vector<MonCapGrant>::const_iterator p = grants.begin();
343	p != grants.end(); ++p) {
344	if (cct)
345	ldout(cct, 20) << " allow so far " << allow << ", doing grant " << *p << dendl;
346
347	if (p->is_allow_all()) {
348	if (cct)
349	ldout(cct, 20) << " allow all" << dendl;
350	return true;
351	}
352
353	// check enumerated caps
354	allow = allow \| p->get_allowed(cct, daemon_type, name, service, command,
355	command_args);
356	if ((!op_may_read \|\| (allow & MON_CAP_R)) &&
357	(!op_may_write \|\| (allow & MON_CAP_W)) &&
358	(!op_may_exec \|\| (allow & MON_CAP_X))) {
359	if (cct)
360	ldout(cct, 20) << " match" << dendl;
361	return true;
362	}
363	}
364	return false;
365	}
366
367	void MonCap::encode(bufferlist& bl) const
368	{
369	ENCODE_START(4, 4, bl); // legacy MonCaps was 3, 3
370	::encode(text, bl);
371	ENCODE_FINISH(bl);
372	}
373
374	void MonCap::decode(bufferlist::iterator& bl)
375	{
376	string s;
377	DECODE_START(4, bl);
378	::decode(s, bl);
379	DECODE_FINISH(bl);
380	parse(s, NULL);
381	}
382
383	void MonCap::dump(Formatter *f) const
384	{
385	f->dump_string("text", text);
386	}
387
388	void MonCap::generate_test_instances(list<MonCap*>& ls)
389	{
390	ls.push_back(new MonCap);
391	ls.push_back(new MonCap);
392	ls.back()->parse("allow *");
393	ls.push_back(new MonCap);
394	ls.back()->parse("allow rwx");
395	ls.push_back(new MonCap);
396	ls.back()->parse("allow service foo x");
397	ls.push_back(new MonCap);
398	ls.back()->parse("allow command bar x");
399	ls.push_back(new MonCap);
400	ls.back()->parse("allow service foo r, allow command bar x");
401	ls.push_back(new MonCap);
402	ls.back()->parse("allow command bar with k1=v1 x");
403	ls.push_back(new MonCap);
404	ls.back()->parse("allow command bar with k1=v1 k2=v2 x");
405	}
406
407	// grammar
408	namespace qi = boost::spirit::qi;
409	namespace ascii = boost::spirit::ascii;
410	namespace phoenix = boost::phoenix;
411
412
413	template <typename Iterator>
414	struct MonCapParser : qi::grammar<Iterator, MonCap()>
415	{
416	MonCapParser() : MonCapParser::base_type(moncap)
417	{
418	using qi::char_;
419	using qi::int_;
420	using qi::ulong_long;
421	using qi::lexeme;
422	using qi::alnum;
423	using qi::_val;
424	using qi::_1;
425	using qi::_2;
426	using qi::_3;
427	using qi::eps;
428	using qi::lit;
429
430	quoted_string %=
431	lexeme['"' >> +(char_ - '"') >> '"'] \|
432	lexeme['\'' >> +(char_ - '\'') >> '\''];
433	unquoted_word %= +char_("a-zA-Z0-9_.-");
434	str %= quoted_string \| unquoted_word;
435
436	spaces = +(lit(' ') \| lit('\n') \| lit('\t'));
437
438	// command := command[=]cmd [k1=v1 k2=v2 ...]
439	str_match = '=' >> str >> qi::attr(string());
440	str_prefix = spaces >> lit("prefix") >> spaces >> qi::attr(string()) >> str;
441	kv_pair = str >> (str_match \| str_prefix);
442	kv_map %= kv_pair >> *(spaces >> kv_pair);
443	command_match = -spaces >> lit("allow") >> spaces >> lit("command") >> (lit('=') \| spaces)
444	>> qi::attr(string()) >> qi::attr(string())
445	>> str
446	>> -(spaces >> lit("with") >> spaces >> kv_map)
447	>> qi::attr(0);
448
449	// service foo rwxa
450	service_match %= -spaces >> lit("allow") >> spaces >> lit("service") >> (lit('=') \| spaces)
451	>> str >> qi::attr(string()) >> qi::attr(string())
452	>> qi::attr(map<string,StringConstraint>())
453	>> spaces >> rwxa;
454
455	// profile foo
456	profile_match %= -spaces >> lit("allow") >> spaces >> lit("profile") >> (lit('=') \| spaces)
457	>> qi::attr(string())
458	>> str
459	>> qi::attr(string())
460	>> qi::attr(map<string,StringConstraint>())
461	>> qi::attr(0);
462
463	// rwxa
464	rwxa_match %= -spaces >> lit("allow") >> spaces
465	>> qi::attr(string()) >> qi::attr(string()) >> qi::attr(string())
466	>> qi::attr(map<string,StringConstraint>())
467	>> rwxa;
468
469	// rwxa := * \| [r][w][x]
470	rwxa =
471	(lit("*")[_val = MON_CAP_ANY]) \|
472	( eps[_val = 0] >>
473	( lit('r')[_val \|= MON_CAP_R] \|\|
474	lit('w')[_val \|= MON_CAP_W] \|\|
475	lit('x')[_val \|= MON_CAP_X]
476	)
477	);
478
479	// grant := allow ...
480	grant = -spaces >> (rwxa_match \| profile_match \| service_match \| command_match) >> -spaces;
481
482	// moncap := grant [grant ...]
483	grants %= (grant % (lit(' ') >> (lit(';') \| lit(',')) >> lit(' ')));
484	moncap = grants [_val = phoenix::construct<MonCap>(_1)];
485
486	}
487	qi::rule<Iterator> spaces;
488	qi::rule<Iterator, unsigned()> rwxa;
489	qi::rule<Iterator, string()> quoted_string;
490	qi::rule<Iterator, string()> unquoted_word;
491	qi::rule<Iterator, string()> str;
492
493	qi::rule<Iterator, StringConstraint()> str_match, str_prefix;
494	qi::rule<Iterator, pair<string, StringConstraint>()> kv_pair;
495	qi::rule<Iterator, map<string, StringConstraint>()> kv_map;
496
497	qi::rule<Iterator, MonCapGrant()> rwxa_match;
498	qi::rule<Iterator, MonCapGrant()> command_match;
499	qi::rule<Iterator, MonCapGrant()> service_match;
500	qi::rule<Iterator, MonCapGrant()> profile_match;
501	qi::rule<Iterator, MonCapGrant()> grant;
502	qi::rule<Iterator, std::vector<MonCapGrant>()> grants;
503	qi::rule<Iterator, MonCap()> moncap;
504	};
505
506	bool MonCap::parse(const string& str, ostream *err)
507	{
508	string s = str;
509	string::iterator iter = s.begin();
510	string::iterator end = s.end();
511
512	MonCapParser<string::iterator> g;
513	bool r = qi::parse(iter, end, g, *this);
514	//MonCapGrant foo;
515	//bool r = qi::phrase_parse(iter, end, g, ascii::space, foo);
516	if (r && iter == end) {
517	text = str;
518	return true;
519	}
520
521	// Make sure no grants are kept after parsing failed!
522	grants.clear();
523
524	if (err) {
525	if (iter != end)
526	*err << "moncap parse failed, stopped at '" << std::string(iter, end)
527	<< "' of '" << str << "'\n";
528	else
529	*err << "moncap parse failed, stopped at end of '" << str << "'\n";
530	}
531
532	return false;
533	}
534