mon: validate capabilitys before add auth entity

Fixes: http://tracker.ceph.com/issues/22525 Signed-off-by: Jing Li lijing@gohighsec.com
ceph · Jan 6, 2018 · 27fd5ac · 27fd5ac
1 parent e4a0cb5
commit 27fd5ac
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 7 deletions.
diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
@@ -1155,6 +1155,12 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
     }
     err = 0;
 
+    //if capability strings are malformed, return with error msg.
+    if (!valid_caps(caps_vec, &ss)) {
+      err = -EINVAL;
+      goto done;
+    }
+
     // okay, add it.
     if (!has_keyring) {
       dout(10) << "AuthMonitor::prepare_command generating random key for "

diff --git a/src/mon/AuthMonitor.h b/src/mon/AuthMonitor.h
@@ -18,10 +18,13 @@
 #include <map>
 #include <set>
 
+#include "global/global_init.h"
 #include "include/ceph_features.h"
 #include "include/types.h"
+#include "mds/MDSAuthCaps.h"
 #include "mon/PaxosService.h"
 #include "mon/MonitorDBStore.h"
+#include "osd/OSDCap.h"
 
 class MMonCommand;
 struct MAuth;
@@ -127,16 +130,28 @@ class AuthMonitor : public PaxosService {
     pending_auth.push_back(inc);
   }
 
-  /* validate mon caps ; don't care about caps for other services as
+  /* validate mon/osd/mds caps ; don't care about caps for other services as
    * we don't know how to validate them */
   bool valid_caps(const vector<string>& caps, ostream *out) {
     for (vector<string>::const_iterator p = caps.begin();
          p != caps.end(); p += 2) {
-      if (!p->empty() && *p != "mon")
-        continue;
-      MonCap tmp;
-      if (!tmp.parse(*(p+1), out))
-        return false;
+      if (!p->empty() && *p == "mon") {
+        MonCap tmp;
+        if (!tmp.parse(*(p+1), out))
+          return false;
+      }
+
+      if (!p->empty() && *p == "osd") {
+        OSDCap ocap;
+        if (!ocap.parse(*(p+1), out))
+          return false;
+      }
+
+      if (!p->empty() && *p == "mds") {
+        MDSAuthCaps mdscap;
+        if (!mdscap.parse(g_ceph_context, *(p+1), out))
+          return false;
+      }
     }
     return true;
   }

diff --git a/src/mon/CMakeLists.txt b/src/mon/CMakeLists.txt
@@ -18,7 +18,9 @@ set(lib_mon_srcs
   HealthMonitor.cc
   PGMap.cc
   ConfigKeyService.cc
-  ../mgr/mgr_commands.cc)
+  ../mds/MDSAuthCaps.cc
+  ../mgr/mgr_commands.cc
+  ../osd/OSDCap.cc)
 add_library(mon STATIC
   ${lib_mon_srcs}
   $<TARGET_OBJECTS:kv_objs>