From 62861502896b82df983f5d6fcffa25817c359ac0 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Thu, 1 Feb 2018 09:18:04 -0600
Subject: [PATCH] mon: require authentication but no caps for monmap and config
Signed-off-by: Sage Weil
---
 qa/workunits/mon/caps.sh | 2 ++
 src/mon/ConfigMonitor.cc | 5 ++---
 src/mon/Monitor.cc | 19 ++++++++++++++-----
 3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/qa/workunits/mon/caps.sh b/qa/workunits/mon/caps.sh
index 134d514c4ed..488fcec96ed 100755
--- a/qa/workunits/mon/caps.sh
+++ b/qa/workunits/mon/caps.sh
@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
+set -x
+
 tmp=/tmp/cephtest-mon-caps-madness
 exit_on_error=1
diff --git a/src/mon/ConfigMonitor.cc b/src/mon/ConfigMonitor.cc
index 55025d35ae1..5a260ab571d 100644
--- a/src/mon/ConfigMonitor.cc
+++ b/src/mon/ConfigMonitor.cc
@@ -648,9 +648,8 @@ void ConfigMonitor::send_config(MonSession *s)
 void ConfigMonitor::check_sub(MonSession *s)
 {
- if (!s->is_capable(s->entity_name.get_type_str(), MON_CAP_R)) {
- dout(20) << __func__ << " not capable for " << s->entity_name << " with "
- << s->caps << dendl;
+ if (!s->authenticated) {
+ dout(20) << __func__ << " not authenticated " << s->entity_name << dendl;
 return;
 }
 auto p = s->sub_map.find("config");
diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 0237d3f7626..48cfed21ffb 100644
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -4065,6 +4065,11 @@ void Monitor::dispatch_op(MonOpRequestRef op)
 case CEPH_MSG_MON_METADATA:
 return handle_mon_metadata(op);
+
+ case CEPH_MSG_MON_SUBSCRIBE:
+ /* FIXME: check what's being subscribed, filter accordingly */
+ handle_subscribe(op);
+ return;
 }
 /* well, maybe the op belongs to a service... */
@@ -4135,11 +4140,6 @@ void Monitor::dispatch_op(MonOpRequestRef op)
 case CEPH_MSG_MON_GET_VERSION:
 handle_get_version(op);
 return;
-
- case CEPH_MSG_MON_SUBSCRIBE:
- /* FIXME: check what's being subscribed, filter accordingly */
- handle_subscribe(op);
- return;
 }
 if (!op->is_src_mon()) {
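Review bot: The new guard in ConfigMonitor::check_sub tests only `s->authenticated`, and nothing on the new side records that dropping the caps test is deliberate, so a later reader could take it for an oversight and restore the `is_capable` call. A comment above the `if` would settle that: `// config is delivered to every authenticated entity; caps are intentionally not consulted here`. Because a key holder with no caps at all now passes this guard, whatever send_config emits should be treated as readable by every authenticated client; send_config is outside this hunk, so it is worth confirming it carries no values meant only for privileged daemons. check_sub's body continues past the hunk.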
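Review bot: The `FIXME: check what's being subscribed, filter accordingly` comment moves with the CEPH_MSG_MON_SUBSCRIBE case unchanged, but the same patch adds a per-subscription caps filter in handle_subscribe, so on the new side the comment describes work that is already done. I would replace it with `/* caps are enforced per subscription in handle_subscribe() */`. The case now sits in the earlier switch of dispatch_op, presumably ahead of a caps gate that follows the service dispatch. Whether an authentication check runs before this switch is not visible in the hunk and should be confirmed, since the monmap/config path in handle_subscribe depends on it.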
@@ -4720,6 +4720,15 @@ void Monitor::handle_subscribe(MonOpRequestRef op)
 for (map::iterator p = m->what.begin();
 p != m->what.end();
 ++p) {
+ if (p->first == "monmap" || p->first == "config") {
+ // these require no caps
+ } else if (!s->is_capable("mon", MON_CAP_R)) {
+ dout(5) << __func__ << " " << op->get_req()->get_source_inst()
+ << " not enough caps for " << *(op->get_req()) << " -- dropping"
+ << dendl;
+ continue;
+ }
+
 // if there are any non-onetime subscriptions, we need to reply to start the resubscribe timer
 if ((p->second.flags & CEPH_SUBSCRIBE_ONETIME) == 0)
 reply = true;
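Review bot: The exemption for "monmap" and "config" is written as an `if` whose body is only a comment, which hides the actual rule (drop unless exempt or capable) and makes the allow-list easy to extend by accident. A single guard reads more directly: `if (p->first != "monmap" && p->first != "config" && !s->is_capable("mon", MON_CAP_R)) {`, preceded by `// monmap and config need an authenticated session only, no caps`. The exempt path also does not test `s->authenticated` the way ConfigMonitor::check_sub now does. Presumably dispatch_op rejects unauthenticated sessions before calling handle_subscribe, but that is outside this hunk, so the comment should name that dependency. The loop and the rest of handle_subscribe start and end outside the hunk.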