mon: MonCap: take EntityName instead when expanding profiles #3942

Merged
2 commits merged into from Mar 16, 2015

ghost commented Mar 11, 2015

entity_name_t is tightly coupled to the messenger, while EntityName is
tied to auth. When expanding profiles we want to tie the profile
expansion to the entity that was authenticated. Otherwise we may incur
in weird behavior such as having caps validation failing because a given
client messenger inst does not match the auth entity it used.

e.g., running

ceph --name osd.0 config-key exists foo daemon-private/osd.X/foo

has entity_name_t 'client.12345' and EntityName 'osd.0'. Using
entity_name_t during profile expansion would not allow the client access
to daemon-private/osd.X/foo (client.12345 != osd.X).

Fixes: #10844
Backport: firefly,giant

Signed-off-by: Joao Eduardo Luis <joao@redhat.com>
(cherry picked from commit 87544f6)
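
The mismatch described above, as an added example that is not part of the original post and is not Ceph source code: a simplified model in which the "osd" profile scopes `config-key exists` to a `daemon-private/<name>/` prefix (an assumption drawn from the comparison in the commit message). `Session`, `Grant`, `expand_profile`, `allowed` and the two `check_*` helpers are hypothetical names, and the session values are constructed.

```cpp
// Simplified model of the behaviour described above; NOT Ceph source code.
// Session, Grant, expand_profile, allowed and check_* are hypothetical names.
#include <iostream>
#include <string>
#include <vector>

struct Session {
    std::string messenger_name;  // stands in for entity_name_t
    std::string auth_name;       // stands in for EntityName
};

struct Grant {
    std::string command;     // command the grant covers
    std::string key_prefix;  // the key argument must start with this
};

// Expand a daemon profile into grants scoped to the identity `who`.
// Only the command from the page's example is modelled (assumption).
std::vector<Grant> expand_profile(const std::string& profile, const std::string& who) {
    std::vector<Grant> grants;
    if (profile == "osd")
        grants.push_back({"config-key exists", "daemon-private/" + who + "/"});
    return grants;
}

// True if any expanded grant covers `command` on `key`.
// The trailing '/' in the prefix keeps osd.1 from matching osd.10.
bool allowed(const std::vector<Grant>& grants, const std::string& command,
             const std::string& key) {
    for (const Grant& g : grants)
        if (g.command == command && key.compare(0, g.key_prefix.size(), g.key_prefix) == 0)
            return true;
    return false;
}

// Before the change: expansion keyed on the messenger-level name.
bool check_with_messenger_name(const Session& s, const std::string& key) {
    return allowed(expand_profile("osd", s.messenger_name), "config-key exists", key);
}

// After the change: expansion keyed on the authenticated entity.
bool check_with_auth_name(const Session& s, const std::string& key) {
    return allowed(expand_profile("osd", s.auth_name), "config-key exists", key);
}

int main() {
    Session s{"client.12345", "osd.0"};  // constructed sample session
    const std::string key = "daemon-private/osd.0/foo";
    std::cout << "messenger name: " << check_with_messenger_name(s, key) << "\n";
    std::cout << "auth name:      " << check_with_auth_name(s, key) << "\n";
    std::cout << "other daemon:   " << check_with_auth_name(s, "daemon-private/osd.1/foo") << "\n";
}
```

Keying the expansion on the authenticated name grants the daemon its own private prefix while still denying another daemon's prefix.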

@ghost ghost added bug fix core labels Mar 11, 2015

@ghost ghost self-assigned this Mar 11, 2015

@ghost ghost added this to the firefly milestone Mar 11, 2015

loic-bot commented Mar 11, 2015

FAIL: the output of run-make-check.sh on centos-7 for 09b37ef is http://paste2.org/YK8NxzGM

:octocat: Sent from GH.

Joao Eduardo Luis added some commits Nov 14, 2014

mon: Monitor: stash auth entity name in session
Backport: giant

Signed-off-by: Joao Eduardo Luis <joao@redhat.com>
(cherry picked from commit ca8e1ef)
mon: MonCap: take EntityName instead when expanding profiles

loic-bot commented Mar 11, 2015

SUCCESS: the output of run-make-check.sh on centos-7 for 5b6263d is http://paste2.org/fPZp8fdh

:octocat: Sent from GH.

Contributor

athanatos commented Mar 16, 2015

You probably want to run this one by joao

ghost commented Mar 16, 2015

@jecluis does this backport look good to you? It passed the rados suite.

@ghost ghost assigned jecluis and unassigned ghost Mar 16, 2015

Member

jecluis commented Mar 16, 2015

looks good!

ghost pushed a commit that referenced this pull request Mar 16, 2015

Merge pull request #3942 from dachary/wip-10844-firefly
mon: MonCap: take EntityName instead when expanding profiles

Reviewed-by: Joao Eduardo Luis <joao@redhat.com>

@ghost ghost merged commit de45d9e into ceph:firefly Mar 16, 2015

This issue was closed.
