mirror of
https://github.com/ceph/ceph
synced 2025-01-10 05:00:59 +00:00
5fff611041
Henceforth, we'll require explicit `allow` caps for commands, or for the config-key service. Blanket caps are no longer allowed for the config-key service, except for 'allow *'. Signed-off-by: Joao Eduardo Luis <joao@suse.de>
202 lines
7.0 KiB
Bash
Executable File
202 lines
7.0 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
set -x
|
|
set -e
|
|
|
|
tmp=$(mktemp -d -p /tmp test_mon_config_key_caps.XXXXX)
|
|
entities=()
|
|
|
|
function cleanup()
|
|
{
|
|
set +e
|
|
set +x
|
|
if [[ -e $tmp/keyring ]] && [[ -e $tmp/keyring.orig ]]; then
|
|
grep '\[.*\..*\]' $tmp/keyring.orig > $tmp/entities.orig
|
|
for e in $(grep '\[.*\..*\]' $tmp/keyring | \
|
|
diff $tmp/entities.orig - | \
|
|
sed -n 's/^.*\[\(.*\..*\)\]/\1/p');
|
|
do
|
|
ceph auth rm $e 2>&1 >& /dev/null
|
|
done
|
|
fi
|
|
#rm -fr $tmp
|
|
}
|
|
|
|
trap cleanup 0 # cleanup on exit
|
|
|
|
function expect_false()
|
|
{
|
|
set -x
|
|
if "$@"; then return 1; else return 0; fi
|
|
}
|
|
|
|
# for cleanup purposes
|
|
ceph auth export -o $tmp/keyring.orig
|
|
|
|
k=$tmp/keyring
|
|
|
|
# setup a few keys
|
|
ceph config-key ls
|
|
ceph config-key set daemon-private/osd.123/test-foo
|
|
ceph config-key set mgr/test-foo
|
|
ceph config-key set device/test-foo
|
|
ceph config-key set test/foo
|
|
|
|
allow_aa=client.allow_aa
|
|
allow_bb=client.allow_bb
|
|
allow_cc=client.allow_cc
|
|
|
|
mgr_a=mgr.a
|
|
mgr_b=mgr.b
|
|
osd_a=osd.100
|
|
osd_b=osd.200
|
|
|
|
prefix_aa=client.prefix_aa
|
|
prefix_bb=client.prefix_bb
|
|
prefix_cc=client.prefix_cc
|
|
match_aa=client.match_aa
|
|
match_bb=client.match_bb
|
|
|
|
fail_aa=client.fail_aa
|
|
fail_bb=client.fail_bb
|
|
fail_cc=client.fail_cc
|
|
fail_dd=client.fail_dd
|
|
fail_ee=client.fail_ee
|
|
fail_ff=client.fail_ff
|
|
fail_gg=client.fail_gg
|
|
fail_writes=client.fail_writes
|
|
|
|
ceph auth get-or-create $allow_aa mon 'allow *'
|
|
ceph auth get-or-create $allow_bb mon 'allow service config-key rwx'
|
|
ceph auth get-or-create $allow_cc mon 'allow command "config-key get"'
|
|
|
|
ceph auth get-or-create $mgr_a mon 'allow profile mgr'
|
|
ceph auth get-or-create $mgr_b mon 'allow profile mgr'
|
|
ceph auth get-or-create $osd_a mon 'allow profile osd'
|
|
ceph auth get-or-create $osd_b mon 'allow profile osd'
|
|
|
|
ceph auth get-or-create $prefix_aa mon \
|
|
"allow command \"config-key get\" with key prefix client/$prefix_aa"
|
|
|
|
cap="allow command \"config-key set\" with key prefix client/"
|
|
cap="$cap,allow command \"config-key get\" with key prefix client/$prefix_bb"
|
|
ceph auth get-or-create $prefix_bb mon "$cap"
|
|
|
|
cap="allow command \"config-key get\" with key prefix client/"
|
|
cap="$cap, allow command \"config-key set\" with key prefix client/"
|
|
cap="$cap, allow command \"config-key ls\""
|
|
ceph auth get-or-create $prefix_cc mon "$cap"
|
|
|
|
cap="allow command \"config-key get\" with key=client/$match_aa/foo"
|
|
ceph auth get-or-create $match_aa mon "$cap"
|
|
cap="allow command \"config-key get\" with key=client/$match_bb/foo"
|
|
cap="$cap,allow command \"config-key set\" with key=client/$match_bb/foo"
|
|
ceph auth get-or-create $match_bb mon "$cap"
|
|
|
|
ceph auth get-or-create $fail_aa mon 'allow rx'
|
|
ceph auth get-or-create $fail_bb mon 'allow r,allow w'
|
|
ceph auth get-or-create $fail_cc mon 'allow rw'
|
|
ceph auth get-or-create $fail_dd mon 'allow rwx'
|
|
ceph auth get-or-create $fail_ee mon 'allow profile bootstrap-rgw'
|
|
ceph auth get-or-create $fail_ff mon 'allow profile bootstrap-rbd'
|
|
# write commands will require rw; wx is not enough
|
|
ceph auth get-or-create $fail_gg mon 'allow service config-key wx'
|
|
# read commands will only require 'r'; 'rx' should be enough.
|
|
ceph auth get-or-create $fail_writes mon 'allow service config-key rx'
|
|
|
|
# grab keyring
|
|
ceph auth export -o $k
|
|
|
|
# keys will all the caps can do whatever
|
|
for c in $allow_aa $allow_bb $allow_cc $mgr_a $mgr_b; do
|
|
ceph -k $k --name $c config-key get daemon-private/osd.123/test-foo
|
|
ceph -k $k --name $c config-key get mgr/test-foo
|
|
ceph -k $k --name $c config-key get device/test-foo
|
|
ceph -k $k --name $c config-key get test/foo
|
|
done
|
|
|
|
for c in $osd_a $osd_b; do
|
|
ceph -k $k --name $c config-key put daemon-private/$c/test-foo
|
|
ceph -k $k --name $c config-key get daemon-private/$c/test-foo
|
|
expect_false ceph -k $k --name $c config-key ls
|
|
expect_false ceph -k $k --name $c config-key get mgr/test-foo
|
|
expect_false ceph -k $k --name $c config-key get device/test-foo
|
|
expect_false ceph -k $k --name $c config-key get test/foo
|
|
done
|
|
|
|
expect_false ceph -k $k --name $osd_a get daemon-private/$osd_b/test-foo
|
|
expect_false ceph -k $k --name $osd_b get daemon-private/$osd_a/test-foo
|
|
|
|
expect_false ceph -k $k --name $prefix_aa \
|
|
config-key ls
|
|
expect_false ceph -k $k --name $prefix_aa \
|
|
config-key get daemon-private/osd.123/test-foo
|
|
expect_false ceph -k $k --name $prefix_aa \
|
|
config-key set test/bar
|
|
expect_false ceph -k $k --name $prefix_aa \
|
|
config-key set client/$prefix_aa/foo
|
|
|
|
# write something so we can read, use a custom entity
|
|
ceph -k $k --name $allow_bb config-key set client/$prefix_aa/foo
|
|
ceph -k $k --name $prefix_aa config-key get client/$prefix_aa/foo
|
|
# check one writes to the other's prefix, the other is able to read
|
|
ceph -k $k --name $prefix_bb config-key set client/$prefix_aa/bar
|
|
ceph -k $k --name $prefix_aa config-key get client/$prefix_aa/bar
|
|
|
|
ceph -k $k --name $prefix_bb config-key set client/$prefix_bb/foo
|
|
ceph -k $k --name $prefix_bb config-key get client/$prefix_bb/foo
|
|
|
|
expect_false ceph -k $k --name $prefix_bb config-key get client/$prefix_aa/bar
|
|
expect_false ceph -k $k --name $prefix_bb config-key ls
|
|
expect_false ceph -k $k --name $prefix_bb \
|
|
config-key get daemon-private/osd.123/test-foo
|
|
expect_false ceph -k $k --name $prefix_bb config-key get mgr/test-foo
|
|
expect_false ceph -k $k --name $prefix_bb config-key get device/test-foo
|
|
expect_false ceph -k $k --name $prefix_bb config-key get test/bar
|
|
expect_false ceph -k $k --name $prefix_bb config-key set test/bar
|
|
|
|
ceph -k $k --name $prefix_cc config-key set client/$match_aa/foo
|
|
ceph -k $k --name $prefix_cc config-key set client/$match_bb/foo
|
|
ceph -k $k --name $prefix_cc config-key get client/$match_aa/foo
|
|
ceph -k $k --name $prefix_cc config-key get client/$match_bb/foo
|
|
expect_false ceph -k $k --name $prefix_cc config-key set other/prefix
|
|
expect_false ceph -k $k --name $prefix_cc config-key get mgr/test-foo
|
|
ceph -k $k --name $prefix_cc config-key ls >& /dev/null
|
|
|
|
ceph -k $k --name $match_aa config-key get client/$match_aa/foo
|
|
expect_false ceph -k $k --name $match_aa config-key get client/$match_bb/foo
|
|
expect_false ceph -k $k --name $match_aa config-key set client/$match_aa/foo
|
|
ceph -k $k --name $match_bb config-key get client/$match_bb/foo
|
|
ceph -k $k --name $match_bb config-key set client/$match_bb/foo
|
|
expect_false ceph -k $k --name $match_bb config-key get client/$match_aa/foo
|
|
expect_false ceph -k $k --name $match_bb config-key set client/$match_aa/foo
|
|
|
|
keys=(daemon-private/osd.123/test-foo
|
|
mgr/test-foo
|
|
device/test-foo
|
|
test/foo
|
|
client/$prefix_aa/foo
|
|
client/$prefix_bb/foo
|
|
client/$match_aa/foo
|
|
client/$match_bb/foo
|
|
)
|
|
# expect these all to fail accessing config-key
|
|
for c in $fail_aa $fail_bb $fail_cc \
|
|
$fail_dd $fail_ee $fail_ff \
|
|
$fail_gg; do
|
|
for m in get set; do
|
|
for key in ${keys[*]} client/$prefix_aa/foo client/$prefix_bb/foo; do
|
|
expect_false ceph -k $k --name $c config-key $m $key
|
|
done
|
|
done
|
|
done
|
|
|
|
# fail writes but succeed on reads
|
|
expect_false ceph -k $k --name $fail_writes config-key set client/$match_aa/foo
|
|
expect_false ceph -k $k --name $fail_writes config-key set test/foo
|
|
ceph -k $k --name $fail_writes config-key ls
|
|
ceph -k $k --name $fail_writes config-key get client/$match_aa/foo
|
|
ceph -k $k --name $fail_writes config-key get daemon-private/osd.123/test-foo
|
|
|
|
echo "OK"
|