mon: require authentication but no caps for monmap and config

Signed-off-by: Sage Weil <sage@redhat.com>
Sage Weil 2018-02-01 09:18:04 -06:00
parent 3b67d1846d
commit 6286150289
3 changed files with 18 additions and 8 deletions


@ -1,5 +1,7 @@
#!/usr/bin/env bash
set -x
tmp=/tmp/cephtest-mon-caps-madness
exit_on_error=1


@ -648,9 +648,8 @@ void ConfigMonitor::send_config(MonSession *s)
void ConfigMonitor::check_sub(MonSession *s)
{
if (!s->is_capable(s->entity_name.get_type_str(), MON_CAP_R)) {
dout(20) << __func__ << " not capable for " << s->entity_name << " with "
<< s->caps << dendl;
if (!s->authenticated) {
dout(20) << __func__ << " not authenticated " << s->entity_name << dendl;
return;
}
auto p = s->sub_map.find("config");
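Review bot: The new guard `if (!s->authenticated)` in ConfigMonitor::check_sub carries no comment saying that caps are deliberately ignored, so a later reader may take the missing `is_capable` call for an oversight and put it back. A one-line comment above the guard would record the policy, for example `// config goes to any authenticated entity; caps are intentionally not consulted`. Because every authenticated entity can now subscribe to config, it is worth confirming that send_config never emits option values that should stay restricted to privileged entities; that function is outside this hunk, so this is a check to make rather than a finding. The body of check_sub continues past the end of the hunk.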


@ -4065,6 +4065,11 @@ void Monitor::dispatch_op(MonOpRequestRef op)
case CEPH_MSG_MON_METADATA:
return handle_mon_metadata(op);
case CEPH_MSG_MON_SUBSCRIBE:
/* FIXME: check what's being subscribed, filter accordingly */
handle_subscribe(op);
return;
}
/* well, maybe the op belongs to a service... */
@ -4135,11 +4140,6 @@ void Monitor::dispatch_op(MonOpRequestRef op)
case CEPH_MSG_MON_GET_VERSION:
handle_get_version(op);
return;
case CEPH_MSG_MON_SUBSCRIBE:
/* FIXME: check what's being subscribed, filter accordingly */
handle_subscribe(op);
return;
}
if (!op->is_src_mon()) {
@ -4720,6 +4720,15 @@ void Monitor::handle_subscribe(MonOpRequestRef op)
for (map<string,ceph_mon_subscribe_item>::iterator p = m->what.begin();
p != m->what.end();
++p) {
if (p->first == "monmap" || p->first == "config") {
// these require no caps
} else if (!s->is_capable("mon", MON_CAP_R)) {
dout(5) << __func__ << " " << op->get_req()->get_source_inst()
<< " not enough caps for " << *(op->get_req()) << " -- dropping"
<< dendl;
continue;
}
// if there are any non-onetime subscriptions, we need to reply to start the resubscribe timer
if ((p->second.flags & CEPH_SUBSCRIBE_ONETIME) == 0)
reply = true;
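Review bot: In the handle_subscribe hunk the empty branch for "monmap" and "config" consults neither caps nor `s->authenticated`, so the authentication requirement named in the commit title is not visible for "monmap" here, whereas "config" gets it in ConfigMonitor::check_sub. If nothing earlier in dispatch_op or handle_subscribe (both extend beyond these hunks) already rejects unauthenticated sessions, a guard ahead of the name test would make the rule explicit: `if (!s->authenticated) { dout(5) << __func__ << " not authenticated -- dropping" << dendl; continue; }`. The moved `case CEPH_MSG_MON_SUBSCRIBE` still carries `/* FIXME: check what's being subscribed, filter accordingly */`, which this loop now does, so that comment looks stale. The drop message would also be easier to act on if it logged `p->first`, since only the rejected item is skipped and the whole-message dump does not say which one.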