From f93c4c7188245567ace3f18ec2972c9683f0d970 Mon Sep 17 00:00:00 2001 From: Rishabh Dave Date: Tue, 17 Mar 2020 18:09:47 +0530 Subject: [PATCH] src/mds: allow passing fs names and path in same cap Allow passing path along with fs names and capspec while creating an MDS cap. The new syntax looks as follows - allow rw fsname= path= To provide caps for multiple file systems, pass the same phrase multiple times separated by commas - allow rw fsname= path=, allow rw fsname= path=, ... This commit also makes sure that the old syntax 'allow rw path=' is supported for backwards compatibility. The old syntax would imply 'allow rw fsname=* path=' and would grant read-write permission for all FSs containing the path . Signed-off-by: Rishabh Dave --- PendingReleaseNotes | 3 +++ src/mds/MDSAuthCaps.cc | 1 + src/mds/mdstypes.h | 1 + src/mon/AuthMonitor.cc | 23 +++++++++++++---------- 4 files changed, 18 insertions(+), 10 deletions(-) diff --git a/PendingReleaseNotes b/PendingReleaseNotes index 858c720ef74..a2d176c3319 100644 --- a/PendingReleaseNotes +++ b/PendingReleaseNotes @@ -157,3 +157,6 @@ and operate on specific Ceph file systems. The FS can be specificed using ``fsname`` in caps. This also affects subcommand ``fs authorize``, the caps produce by it will be specific to the FS name passed in its arguments. + +* fs: "fs authorize" now sets MON cap to "allow fsname=" + instead of setting it to "allow r" all the time. diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc index 40db4c1ec1a..19c4bab0a0d 100644 --- a/src/mds/MDSAuthCaps.cc +++ b/src/mds/MDSAuthCaps.cc @@ -73,6 +73,7 @@ struct MDSCapParser : qi::grammar match = -( (uid >> gidlist)[_val = phoenix::construct(_1, _2)] | (path >> uid >> gidlist)[_val = phoenix::construct(_1, _2, _3)] | + (fs_name >> path)[_val = phoenix::construct(_2, _1)] | (path)[_val = phoenix::construct(_1)] | (fs_name)[_val = phoenix::construct(std::string(), _1)]); 
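Review bot: The added alternative `(fs_name >> path)` accepts the two keys only in that order and has no counterpart that also takes `uid`/`gidlist`. A cap written as `path=... fsname=...`, or one combining fsname, path and uid, is therefore handled by whichever other alternative matches a prefix of it. Whether the unparsed remainder is then rejected depends on the caller of this grammar, which is outside the hunk; if it is not rejected, such a cap could end up without the fsname restriction its author intended. I would add a comment above the alternatives, e.g. `// fsname= must precede path=; fsname cannot be combined with uid/gids`, and parser tests for the reversed order and for the legacy `path=`-only form. The grammar definition starts and ends outside the hunk.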
diff --git a/src/mds/mdstypes.h b/src/mds/mdstypes.h index de38ef79de8..7ffc39ffb33 100644 --- a/src/mds/mdstypes.h +++ b/src/mds/mdstypes.h @@ -77,6 +77,7 @@ extern const mds_gid_t MDS_GID_NONE; typedef int32_t fs_cluster_id_t; constexpr fs_cluster_id_t FS_CLUSTER_ID_NONE = -1; + // The namespace ID of the anonymous default filesystem from legacy systems constexpr fs_cluster_id_t FS_CLUSTER_ID_ANONYMOUS = 0; diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc index d6b5fe65233..f299724fe22 100644 --- a/src/mon/AuthMonitor.cc +++ b/src/mon/AuthMonitor.cc @@ -1639,21 +1639,24 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op) mds_cap_string += mds_cap_string.empty() ? "" : ", "; mds_cap_string += "allow " + cap; + + if (filesystem != "*" && filesystem != "all") { + auto fs = mon->mdsmon()->get_fsmap().get_filesystem(filesystem); + if (!fs) { + ss << "filesystem " << filesystem << " does not exist."; + err = -EINVAL; + goto done; + } else { + mds_cap_string += " fsname=" + std::string(fs->mds_map.get_fs_name()); + } + } + if (path != "/") { mds_cap_string += " path=" + path; } } - if (filesystem != "*" && filesystem != "all") { - auto fs = mon->mdsmon()->get_fsmap().get_filesystem(filesystem); - if (!fs) { - ss << "filesystem " << filesystem << " does not exist."; - err = -EINVAL; - goto done; - } - } - - osd_cap_string += osd_cap_string.empty()? "" : ", "; + osd_cap_string += osd_cap_string.empty() ? "" : ", "; osd_cap_string += "allow " + osd_cap_wanted + " tag " + pg_pool_t::APPLICATION_NAME_CEPHFS + " data=" + filesystem;
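Review bot: In the AuthMonitor.cc hunk the file system name and the path are spliced into `mds_cap_string` unquoted (`" fsname=" + std::string(fs->mds_map.get_fs_name())` and `" path=" + path`). The resulting cap text only means what was intended if neither value contains whitespace, commas or quote characters, and nothing in the hunk checks that. If the cap grammar limits `fsname` to a fixed character set (not visible here), a file system named outside that set would get a cap that fails to parse or parses to a different match. I would reject such values before building the string, using the same `err = -EINVAL; goto done;` path as the missing-filesystem case, and record the assumption with `// fsname and path are emitted verbatim; both must be valid unquoted cap tokens`. The body of prepare_command starts and ends outside the hunk.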