1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2014 Red Hat
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
16 #ifndef MDS_AUTH_CAPS_H
17 #define MDS_AUTH_CAPS_H
22 #include "include/types.h"
23 #include "common/debug.h"
25 // unix-style capabilities
39 bool read, write, any;
41 // True if the capability permits setting vxattrs (layout, quota, etc)
44 MDSCapSpec() : read(false), write(false), any(false), set_vxattr(false) {}
45 MDSCapSpec(bool r, bool w, bool a, bool lop)
46 : read(r), write(w), any(a), set_vxattr(lop) {}
48 bool allow_all() const {
52 bool allows(bool r, bool w) const {
62 bool allows_set_vxattr() const {
67 // conditions before we are allowed to do it
69 static const int64_t MDS_AUTH_UID_ANY = -1;
71 int64_t uid; // Require UID to be equal to this, if !=MDS_AUTH_UID_ANY
72 std::vector<gid_t> gids; // Use these GIDs
73 std::string path; // Require path to be child of this (may be "" or "/" for any)
75 MDSCapMatch() : uid(MDS_AUTH_UID_ANY) {}
76 MDSCapMatch(int64_t uid_, std::vector<gid_t>& gids_) : uid(uid_), gids(gids_) {}
77 explicit MDSCapMatch(std::string path_)
78 : uid(MDS_AUTH_UID_ANY), path(path_) {
81 MDSCapMatch(std::string path_, int64_t uid_, std::vector<gid_t>& gids_)
82 : uid(uid_), gids(gids_), path(path_) {
86 void normalize_path();
88 bool is_match_all() const
90 return uid == MDS_AUTH_UID_ANY && path == "";
93 // check whether this grant matches against a given file and caller uid:gid
94 bool match(const std::string &target_path,
97 const vector<uint64_t> *caller_gid_list) const;
100 * Check whether this path *might* be accessible (actual permission
101 * depends on the stronger check in match()).
103 * @param target_path filesystem path without leading '/'
105 bool match_path(const std::string &target_path) const;
112 MDSCapGrant(const MDSCapSpec &spec_, const MDSCapMatch &match_)
113 : spec(spec_), match(match_) {}
120 std::vector<MDSCapGrant> grants;
123 explicit MDSAuthCaps(CephContext *cct_=NULL)
126 // this ctor is used by spirit/phoenix; doesn't need cct.
127 explicit MDSAuthCaps(const std::vector<MDSCapGrant> &grants_)
128 : cct(NULL), grants(grants_) { }
130 void set_allow_all();
131 bool parse(CephContext *cct, const std::string &str, std::ostream *err);
133 bool allow_all() const;
134 bool is_capable(const std::string &inode_path,
135 uid_t inode_uid, gid_t inode_gid, unsigned inode_mode,
136 uid_t uid, gid_t gid, const vector<uint64_t> *caller_gid_list,
137 unsigned mask, uid_t new_uid, gid_t new_gid) const;
138 bool path_capable(const std::string &inode_path) const;
140 friend std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap);
144 std::ostream &operator<<(std::ostream &out, const MDSCapMatch &match);
145 std::ostream &operator<<(std::ostream &out, const MDSCapSpec &spec);
146 std::ostream &operator<<(std::ostream &out, const MDSCapGrant &grant);
147 std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap);
149 #endif // MDS_AUTH_CAPS_H