cephfs: disallow removing root_squash via "fs authorize" cmd

Removing root_squasn from MDS auth caps through "fs authorize" command should not be allowed as this command it not allowed to/meant for removing caps. Fixes: https://tracker.ceph.com/issues/65808 Signed-off-by: Rishabh Dave <ridave@redhat.com>
2025-02-24 11:37:37 +00:00 · 2024-07-11 23:58:22 +05:30 · 2024-07-11 23:58:22 +05:30 · c6e2c97c6e
commit c6e2c97c6e
parent e392142c65
2 changed files with 5 additions and 4 deletions
--- a/qa/tasks/cephfs/test_admin.py
+++ b/qa/tasks/cephfs/test_admin.py
@ -2145,9 +2145,6 @@ class TestFsAuthorizeUpdate(CephFSTestCase):
                caps mon = "allow r fsname=a"
                caps osd = "allow rw tag cephfs data=a"
        """
-        self.skipTest('this test is broken ATM, see '
-                      'https://tracker.ceph.com/issues/65808')
-
        PERM, PATH = 'rw', 'dir1'
        self.mount_a.run_shell(f'mkdir {PATH}')
        self.captester = CapTester(self.mount_a, PATH)
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@ -410,7 +410,11 @@ bool MDSAuthCaps::merge_one_cap_grant(MDSCapGrant ng)
      // fsname and path match but value of root_squash is different. update
      // its value.
      if (g.match.root_squash != ng.match.root_squash) {
-	g.match.root_squash = ng.match.root_squash;
+	// "fs authorize" command is not allowed to deduct caps. so, we can add
+	// but not remove root_squash from MDS auth caps.
+	if (g.match.root_squash == false) {
+	  g.match.root_squash = ng.match.root_squash;
+	}
      }

      // Since fsname and path matched and either perm/spec or root_squash