From 108f486afe772dff771137a13b33887e5bc2a55e Mon Sep 17 00:00:00 2001
From: Patrick Donnelly
Date: Sat, 13 Mar 2021 09:41:34 -0800
Subject: [PATCH] mon: define simple-rados-client-with-blocklist profile

A mon profile that grants the ability for rados clients to blocklist others (similar to rbd).

Signed-off-by: Patrick Donnelly
---
 doc/rados/operations/user-management.rst | 7 +++++++
 src/mon/MonCap.cc | 11 +++++++++++
 2 files changed, 18 insertions(+)

diff --git a/doc/rados/operations/user-management.rst b/doc/rados/operations/user-management.rst
index 2ea49a88c53..4e487a18f9a 100644
--- a/doc/rados/operations/user-management.rst
+++ b/doc/rados/operations/user-management.rst
@@ -295,6 +295,13 @@ The following entries describe valid capability profiles:
 :Description: Gives a user read-only permissions for monitor, OSD, and PG data.
 Intended for use by direct librados client applications.
 
+``profile simple-rados-client-with-blocklist`` (Monitor only)
+
+:Description: Gives a user read-only permissions for monitor, OSD, and PG data.
+ Intended for use by direct librados client applications. Also
+ includes permission to add blocklist entries to build HA
+ applications.
+
 ``profile fs-client`` (Monitor only)
 
 :Description: Gives a user read-only permissions for monitor, OSD, PG, and MDS
diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index d6055283271..f96deacd8e5 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -290,6 +290,17 @@ void MonCapGrant::expand_profile(const EntityName& name) const
 profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
 profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
 }
+ if (profile == "simple-rados-client-with-blocklist") {
+ profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
+ profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
+ profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
+ profile_grants.push_back(MonCapGrant("osd blocklist"));
+ profile_grants.back().command_args["blocklistop"] = StringConstraint(
+ StringConstraint::MATCH_TYPE_EQUAL, "add");
+ profile_grants.back().command_args["addr"] = StringConstraint(
+ StringConstraint::MATCH_TYPE_REGEX, "^[^/]+/[0-9]+$");
+
+ }
 if (boost::starts_with(profile, "rbd")) {
 profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
 profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
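Review bot: The two `command_args` constraints on the new `osd blocklist` grant are the whole security boundary of this profile, yet nothing in the hunk says what they are meant to exclude. A short comment above them would help, for example `// add only (never rm); addr must be <addr>/<number>, not a bare address`; the second half is my reading of the regex `^[^/]+/[0-9]+$` and should be confirmed, since `[^/]+` accepts any text before the slash. The diffstat lists only the doc file and MonCap.cc, so no test pins that `blocklistop=rm` or an address without the `/<number>` suffix is denied for this profile; a capability test would guard against the grant being loosened later. The three read grants repeat what appears to be the preceding profile block (only its tail is in the hunk), so the two can drift apart, and the empty added line before the closing brace can be dropped. expand_profile starts and ends outside the hunk.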