1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2014 Red Hat
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
19 #include <boost/spirit/include/qi.hpp>
20 #include <boost/spirit/include/phoenix_operator.hpp>
21 #include <boost/spirit/include/phoenix.hpp>
23 #include "common/debug.h"
24 #include "MDSAuthCaps.h"
26 #define dout_subsys ceph_subsys_mds
29 #define dout_prefix *_dout << "MDSAuthCap "
33 namespace qi = boost::spirit::qi;
34 namespace ascii = boost::spirit::ascii;
35 namespace phoenix = boost::phoenix;
37 template <typename Iterator>
38 struct MDSCapParser : qi::grammar<Iterator, MDSAuthCaps()>
40 MDSCapParser() : MDSCapParser::base_type(mdscaps)
54 spaces = +(lit(' ') | lit('\n') | lit('\t'));
57 lexeme[lit("\"") >> *(char_ - '"') >> '"'] |
58 lexeme[lit("'") >> *(char_ - '\'') >> '\''];
59 unquoted_path %= +char_("a-zA-Z0-9_./-");
61 // match := [path=<path>] [uid=<uid> [gids=<gid>[,<gid>...]]
62 path %= (spaces >> lit("path") >> lit('=') >> (quoted_path | unquoted_path));
63 uid %= (spaces >> lit("uid") >> lit('=') >> uint_);
64 uintlist %= (uint_ % lit(','));
65 gidlist %= -(spaces >> lit("gids") >> lit('=') >> uintlist);
67 (uid >> gidlist)[_val = phoenix::construct<MDSCapMatch>(_1, _2)] |
68 (path >> uid >> gidlist)[_val = phoenix::construct<MDSCapMatch>(_1, _2, _3)] |
69 (path)[_val = phoenix::construct<MDSCapMatch>(_1)]);
73 lit("*")[_val = MDSCapSpec(true, true, true, true)]
75 (lit("rwp"))[_val = MDSCapSpec(true, true, false, true)]
77 (lit("rw"))[_val = MDSCapSpec(true, true, false, false)]
79 (lit("r"))[_val = MDSCapSpec(true, false, false, false)]
82 grant = lit("allow") >> (capspec >> match)[_val = phoenix::construct<MDSCapGrant>(_1, _2)];
83 grants %= (grant % (*lit(' ') >> (lit(';') | lit(',')) >> *lit(' ')));
84 mdscaps = grants [_val = phoenix::construct<MDSAuthCaps>(_1)];
86 qi::rule<Iterator> spaces;
87 qi::rule<Iterator, string()> quoted_path, unquoted_path;
88 qi::rule<Iterator, MDSCapSpec()> capspec;
89 qi::rule<Iterator, string()> path;
90 qi::rule<Iterator, uint32_t()> uid;
91 qi::rule<Iterator, std::vector<uint32_t>() > uintlist;
92 qi::rule<Iterator, std::vector<uint32_t>() > gidlist;
93 qi::rule<Iterator, MDSCapMatch()> match;
94 qi::rule<Iterator, MDSCapGrant()> grant;
95 qi::rule<Iterator, std::vector<MDSCapGrant>()> grants;
96 qi::rule<Iterator, MDSAuthCaps()> mdscaps;
99 void MDSCapMatch::normalize_path()
101 // drop any leading /
102 while (path.length() && path[0] == '/') {
103 path = path.substr(1);
111 bool MDSCapMatch::match(const std::string &target_path,
112 const int caller_uid,
113 const int caller_gid,
114 const vector<uint64_t> *caller_gid_list) const
116 if (uid != MDS_AUTH_UID_ANY) {
117 if (uid != caller_uid)
119 bool gid_matched = false;
120 if (std::find(gids.begin(), gids.end(), caller_gid) != gids.end())
122 if (caller_gid_list) {
123 for (auto i = caller_gid_list->begin(); i != caller_gid_list->end(); ++i) {
124 if (std::find(gids.begin(), gids.end(), *i) != gids.end()) {
134 if (!match_path(target_path)) {
141 bool MDSCapMatch::match_path(const std::string &target_path) const
144 if (target_path.find(path) != 0)
146 // if path doesn't already have a trailing /, make sure the target
147 // does so that path=/foo doesn't match target_path=/food
148 if (target_path.length() > path.length() &&
149 path[path.length()-1] != '/' &&
150 target_path[path.length()] != '/')
158 * Is the client *potentially* able to access this path? Actual
159 * permission will depend on uids/modes in the full is_capable.
161 bool MDSAuthCaps::path_capable(const std::string &inode_path) const
163 for (const auto &i : grants) {
164 if (i.match.match_path(inode_path)) {
173 * For a given filesystem path, query whether this capability carries`
174 * authorization to read or write.
176 * This is true if any of the 'grant' clauses in the capability match the
177 * requested path + op.
179 bool MDSAuthCaps::is_capable(const std::string &inode_path,
180 uid_t inode_uid, gid_t inode_gid,
182 uid_t caller_uid, gid_t caller_gid,
183 const vector<uint64_t> *caller_gid_list,
185 uid_t new_uid, gid_t new_gid) const
188 ldout(cct, 10) << __func__ << " inode(path /" << inode_path
189 << " owner " << inode_uid << ":" << inode_gid
190 << " mode 0" << std::oct << inode_mode << std::dec
191 << ") by caller " << caller_uid << ":" << caller_gid
192 // << "[" << caller_gid_list << "]";
194 << " new " << new_uid << ":" << new_gid
195 << " cap: " << *this << dendl;
197 for (std::vector<MDSCapGrant>::const_iterator i = grants.begin();
201 if (i->match.match(inode_path, caller_uid, caller_gid, caller_gid_list) &&
202 i->spec.allows(mask & (MAY_READ|MAY_EXECUTE), mask & MAY_WRITE)) {
203 // we have a match; narrow down GIDs to those specifically allowed here
204 vector<uint64_t> gids;
205 if (std::find(i->match.gids.begin(), i->match.gids.end(), caller_gid) !=
206 i->match.gids.end()) {
207 gids.push_back(caller_gid);
209 if (caller_gid_list) {
210 std::set_intersection(i->match.gids.begin(), i->match.gids.end(),
211 caller_gid_list->begin(), caller_gid_list->end(),
212 std::back_inserter(gids));
213 std::sort(gids.begin(), gids.end());
217 // Spec is non-allowing if caller asked for set pool but spec forbids it
218 if (mask & MAY_SET_VXATTR) {
219 if (!i->spec.allows_set_vxattr()) {
224 // check unix permissions?
225 if (i->match.uid == MDSCapMatch::MDS_AUTH_UID_ANY) {
230 if (mask & MAY_CHOWN) {
231 if (new_uid != caller_uid || // you can't chown to someone else
232 inode_uid != caller_uid) { // you can't chown from someone else
236 if (mask & MAY_CHGRP) {
237 // you can only chgrp *to* one of your groups... if you own the file.
238 if (inode_uid != caller_uid ||
239 std::find(gids.begin(), gids.end(), new_gid) ==
245 if (inode_uid == caller_uid) {
246 if ((!(mask & MAY_READ) || (inode_mode & S_IRUSR)) &&
247 (!(mask & MAY_WRITE) || (inode_mode & S_IWUSR)) &&
248 (!(mask & MAY_EXECUTE) || (inode_mode & S_IXUSR))) {
251 } else if (std::find(gids.begin(), gids.end(),
252 inode_gid) != gids.end()) {
253 if ((!(mask & MAY_READ) || (inode_mode & S_IRGRP)) &&
254 (!(mask & MAY_WRITE) || (inode_mode & S_IWGRP)) &&
255 (!(mask & MAY_EXECUTE) || (inode_mode & S_IXGRP))) {
259 if ((!(mask & MAY_READ) || (inode_mode & S_IROTH)) &&
260 (!(mask & MAY_WRITE) || (inode_mode & S_IWOTH)) &&
261 (!(mask & MAY_EXECUTE) || (inode_mode & S_IXOTH))) {
271 void MDSAuthCaps::set_allow_all()
274 grants.push_back(MDSCapGrant(
275 MDSCapSpec(true, true, true, true),
279 bool MDSAuthCaps::parse(CephContext *c, const std::string& str, ostream *err)
281 // Special case for legacy caps
282 if (str == "allow") {
284 grants.push_back(MDSCapGrant(MDSCapSpec(true, true, false, true), MDSCapMatch()));
288 MDSCapParser<std::string::const_iterator> g;
289 std::string::const_iterator iter = str.begin();
290 std::string::const_iterator end = str.end();
292 bool r = qi::phrase_parse(iter, end, g, ascii::space, *this);
293 cct = c; // set after parser self-assignment
294 if (r && iter == end) {
295 for (auto& grant : grants) {
296 std::sort(grant.match.gids.begin(), grant.match.gids.end());
300 // Make sure no grants are kept after parsing failed!
304 *err << "MDSAuthCaps parse failed, stopped at '" << std::string(iter, end)
305 << "' of '" << str << "'\n";
311 bool MDSAuthCaps::allow_all() const
313 for (std::vector<MDSCapGrant>::const_iterator i = grants.begin(); i != grants.end(); ++i) {
314 if (i->match.is_match_all() && i->spec.allow_all()) {
323 ostream &operator<<(ostream &out, const MDSCapMatch &match)
325 if (match.path.length()) {
326 out << "path=\"/" << match.path << "\"";
327 if (match.uid != MDSCapMatch::MDS_AUTH_UID_ANY) {
331 if (match.uid != MDSCapMatch::MDS_AUTH_UID_ANY) {
332 out << "uid=" << match.uid;
333 if (!match.gids.empty()) {
335 for (std::vector<gid_t>::const_iterator p = match.gids.begin();
336 p != match.gids.end();
338 if (p != match.gids.begin())
349 ostream &operator<<(ostream &out, const MDSCapSpec &spec)
366 ostream &operator<<(ostream &out, const MDSCapGrant &grant)
370 if (!grant.match.is_match_all()) {
371 out << " " << grant.match;
378 ostream &operator<<(ostream &out, const MDSAuthCaps &cap)
380 out << "MDSAuthCaps[";
381 for (size_t i = 0; i < cap.grants.size(); ++i) {
382 out << cap.grants[i];
383 if (i < cap.grants.size() - 1) {