packages/ceph
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!22 update 14.2.15

Browse Source 
From: @markeryang
Reviewed-by: @liuzhiqiang26
Signed-off-by: @chixinze
This commit is contained in:
openeuler-ci-bot 2021-01-26 09:43:36 +08:00 committed by Gitee
commit ed967d13c9
7 changed files with 860 additions and 1027 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
6000-CVE-2018-16889.patch
View File

@ -1,26 +0,0 @@
--- a/src/rgw/rgw_rest_s3.cc 2018-08-31 01:24:39.000000000 +0800
+++ b/src/rgw/rgw_rest_s3.cc 2019-04-04 17:22:37.615000000 +0800
@@ -3751,8 +3751,9 @@ AWSGeneralAbstractor::get_auth_data_v4(c
boost::optional<std::string> canonical_headers = \
get_v4_canonical_headers(s->info, signed_hdrs, using_qs);
if (canonical_headers) {
- ldout(s->cct, 10) << "canonical headers format = " << *canonical_headers
- << dendl;
+ using sanitize = rgw::crypt_sanitize::log_content;
+ ldout(s->cct, 10) << "canonical headers format = "
+ << sanitize{*canonical_headers} << dendl;
} else {
throw -EPERM;
}
--- a/src/rgw/rgw_auth_s3.cc 2018-08-31 01:24:39.000000000 +0800
+++ b/src/rgw/rgw_auth_s3.cc 2019-04-04 17:25:27.208000000 +0800
@@ -659,7 +659,8 @@ get_v4_canon_req_hash(CephContext* cct,
const auto canonical_req_hash = calc_hash_sha256(canonical_req);
- ldout(cct, 10) << "canonical request = " << canonical_req << dendl;
+ using sanitize = rgw::crypt_sanitize::log_content;
+ ldout(cct, 10) << "canonical request = " << sanitize{canonical_req} << dendl;
ldout(cct, 10) << "canonical request hash = "
<< buf_to_hex(canonical_req_hash).data() << dendl;

172
6001-CVE-2018-16846-1.patch
View File

@ -1,172 +0,0 @@
From 4337e6a7d9f92c8549ebee20d0dd67a01e49857f Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson" <rjohnson@digitalocean.com>
Date: Fri, 21 Sep 2018 14:49:34 -0700
Subject: [PATCH] rgw: enforce bounds on max-keys/max-uploads/max-parts
RGW S3 listing operations provided a way for authenticated users to
cause a denial of service against OMAPs holding bucket indices.
Bound the min & max values that a user could pass into the max-X
parameters, to keep the system safe. The default of 1000 is chosen to
match AWS S3 behavior.
Affected operations:
- ListBucket, via max-keys
- ListBucketVersions, via max-keys
- ListBucketMultiPartUploads, via max-uploads
- ListMultipartUploadParts, via max-parts
The Swift bucket listing codepath already enforced a limit, so is
unaffected by this issue.
Prior to this commit, the effective limit is the lower of
osd_max_omap_entries_per_request or osd_max_omap_bytes_per_request.
Backport: luminous, mimic
Fixes: http://tracker.ceph.com/issues/35994
Signed-off-by: Robin H. Johnson <rjohnson@digitalocean.com>
(cherry picked from commit d79f68a1e31f4bc917eec1b6bbc8e8446377dc6b)
Conflicts:
src/common/options.cc:
Conflicts due to options from master
---
src/common/options.cc | 11 +++++++++++
src/rgw/rgw_op.cc | 21 +++++----------------
src/rgw/rgw_op.h | 25 +++++++++++++++++++++++++
src/rgw/rgw_rest.cc | 11 +++++------
src/rgw/rgw_rest_swift.cc | 2 ++
5 files changed, 48 insertions(+), 22 deletions(-)
diff --git a/src/common/options.cc b/src/common/options.cc
index c1a0e7b05ea0..5b62a3f7c3d6 100644
--- a/src/common/options.cc
+++ b/src/common/options.cc
@@ -5705,6 +5705,17 @@ std::vector<Option> get_rgw_options() {
"of RGW instances under heavy use. If you would like "
"to turn off cache expiry, set this value to zero."),
+ Option("rgw_max_listing_results", Option::TYPE_UINT,
+ Option::LEVEL_ADVANCED)
+ .set_default(1000)
+ .set_min_max(1, 100000)
+ .add_service("rgw")
+ .set_description("Upper bound on results in listing operations, ListBucket max-keys"),
+ .set_long_description("This caps the maximum permitted value for listing-like operations in RGW S3. "
+ "Affects ListBucket(max-keys), "
+ "ListBucketVersions(max-keys), "
+ "ListBucketMultiPartUploads(max-uploads), "
+ "ListMultipartUploadParts(max-parts)"),
});
}
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 6e7daadcd228..c17d04988169 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -2279,22 +2279,11 @@ int RGWListBucket::verify_permission()
int RGWListBucket::parse_max_keys()
{
- if (!max_keys.empty()) {
- char *endptr;
- max = strtol(max_keys.c_str(), &endptr, 10);
- if (endptr) {
- if (endptr == max_keys.c_str()) return -EINVAL;
- while (*endptr && isspace(*endptr)) // ignore white space
- endptr++;
- if (*endptr) {
- return -EINVAL;
- }
- }
- } else {
- max = default_max;
- }
-
- return 0;
+ // Bound max value of max-keys to configured value for security
+ // Bound min value of max-keys to '0'
+ // Some S3 clients explicitly send max-keys=0 to detect if the bucket is
+ // empty without listing any items.
+ op_ret = parse_value_and_bound(max_keys, &max, 0, g_conf()->rgw_max_listing_results, default_max);
}
void RGWListBucket::pre_exec()
diff --git a/src/rgw/rgw_op.h b/src/rgw/rgw_op.h
index e4d8cd4a980b..521a3d179d76 100644
--- a/src/rgw/rgw_op.h
+++ b/src/rgw/rgw_op.h
@@ -2214,6 +2214,31 @@ class RGWGetClusterStat : public RGWOp {
virtual const string name() { return "get_cluster_stat"; }
};
+static inline int parse_value_and_bound(const string &input, long *output, const long lower_bound, const long upper_bound, const long default_val)
+{
+ if (!input.empty()) {
+ char *endptr;
+ *output = strtol(input.c_str(), &endptr, 10);
+ if (endptr) {
+ if (endptr == input.c_str()) return -EINVAL;
+ while (*endptr && isspace(*endptr)) // ignore white space
+ endptr++;
+ if (*endptr) {
+ return -EINVAL;
+ }
+ }
+ if(*output > upper_bound) {
+ *output = upper_bound;
+ }
+ if(*output < lower_bound) {
+ *output = lower_bound;
+ }
+ } else {
+ *output = default_val;
+ }
+
+ return 0;
+}
#endif /* CEPH_RGW_OP_H */
diff --git a/src/rgw/rgw_rest.cc b/src/rgw/rgw_rest.cc
index 80a886ec5d11..539cebeb6981 100644
--- a/src/rgw/rgw_rest.cc
+++ b/src/rgw/rgw_rest.cc
@@ -1659,8 +1659,7 @@ int RGWListMultipart_ObjStore::get_params()
}
string str = s->info.args.get("max-parts");
- if (!str.empty())
- max_parts = atoi(str.c_str());
+ op_ret = parse_value_and_bound(str, &max_parts, 0, g_conf()->rgw_max_listing_results, max_parts);
return op_ret;
}
@@ -1670,10 +1669,10 @@ int RGWListBucketMultiparts_ObjStore::get_params()
delimiter = s->info.args.get("delimiter");
prefix = s->info.args.get("prefix");
string str = s->info.args.get("max-uploads");
- if (!str.empty())
- max_uploads = atoi(str.c_str());
- else
- max_uploads = default_max;
+ op_ret = parse_value_and_bound(str, &max_uploads, 0, g_conf()->rgw_max_listing_results, default_max);
+ if (op_ret < 0) {
+ return op_ret;
+ }
string key_marker = s->info.args.get("key-marker");
string upload_id_marker = s->info.args.get("upload-id-marker");
diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc
index c9d96d9631bf..35e192c150ed 100644
--- a/src/rgw/rgw_rest_swift.cc
+++ b/src/rgw/rgw_rest_swift.cc
@@ -303,6 +303,8 @@ int RGWListBucket_ObjStore_SWIFT::get_params()
if (op_ret < 0) {
return op_ret;
}
+ // S3 behavior is to silently cap the max-keys.
+ // Swift behavior is to abort.
if (max > default_max)
return -ERR_PRECONDITION_FAILED;

121
6002-CVE-2018-16846-2.patch
View File

@ -1,121 +0,0 @@
From ab29bed2fc9f961fe895de1086a8208e21ddaddc Mon Sep 17 00:00:00 2001
From: Joao Eduardo Luis <joao@suse.de>
Date: Thu, 29 Nov 2018 01:05:31 +0000
Subject: [PATCH] rgw: fix issues with 'enforce bounds' patch
The patch to enforce bounds on max-keys/max-uploads/max-parts had a few
issues that would prevent us from compiling it. Instead of changing the
code provided by the submitter, we're addressing them in a separate
commit to maintain the DCO.
Signed-off-by: Joao Eduardo Luis <joao@suse.de>
Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
(cherry picked from commit 29bc434a6a81a2e5c5b8cfc4c8d5c82ca5bf538a)
mimic specific fixes:
As the largeish change from master g_conf() isn't in mimic yet, use the g_conf
global structure, also make rgw_op use the value from req_info ceph context as
we do for all the requests
---
src/common/options.cc | 2 +-
src/rgw/rgw_op.cc | 4 +++-
src/rgw/rgw_op.h | 19 ++++++++++++-------
src/rgw/rgw_rest.cc | 8 ++++++--
4 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/src/common/options.cc b/src/common/options.cc
index a543256d8ad3..d906d1d04e10 100644
--- a/src/common/options.cc
+++ b/src/common/options.cc
@@ -6238,7 +6238,7 @@ std::vector<Option> get_rgw_options() {
.set_default(1000)
.set_min_max(1, 100000)
.add_service("rgw")
- .set_description("Upper bound on results in listing operations, ListBucket max-keys"),
+ .set_description("Upper bound on results in listing operations, ListBucket max-keys")
.set_long_description("This caps the maximum permitted value for listing-like operations in RGW S3. "
"Affects ListBucket(max-keys), "
"ListBucketVersions(max-keys), "
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 509592943c67..1863d7933375 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -2383,7 +2383,9 @@ int RGWListBucket::parse_max_keys()
// Bound min value of max-keys to '0'
// Some S3 clients explicitly send max-keys=0 to detect if the bucket is
// empty without listing any items.
- op_ret = parse_value_and_bound(max_keys, &max, 0, g_conf()->rgw_max_listing_results, default_max);
+ return parse_value_and_bound(max_keys, max, 0,
+ s->cct->_conf->get_val<uint64_t>("rgw_max_listing_results"),
+ default_max);
}
void RGWListBucket::pre_exec()
diff --git a/src/rgw/rgw_op.h b/src/rgw/rgw_op.h
index 57352ae8c142..21bc8c7a6fb9 100644
--- a/src/rgw/rgw_op.h
+++ b/src/rgw/rgw_op.h
@@ -2235,11 +2235,16 @@ class RGWGetClusterStat : public RGWOp {
virtual const string name() { return "get_cluster_stat"; }
};
-static inline int parse_value_and_bound(const string &input, long *output, const long lower_bound, const long upper_bound, const long default_val)
+static inline int parse_value_and_bound(
+ const string &input,
+ int &output,
+ const long lower_bound,
+ const long upper_bound,
+ const long default_val)
{
if (!input.empty()) {
char *endptr;
- *output = strtol(input.c_str(), &endptr, 10);
+ output = strtol(input.c_str(), &endptr, 10);
if (endptr) {
if (endptr == input.c_str()) return -EINVAL;
while (*endptr && isspace(*endptr)) // ignore white space
@@ -2248,14 +2253,14 @@ static inline int parse_value_and_bound(const string &input, long *output, const
return -EINVAL;
}
}
- if(*output > upper_bound) {
- *output = upper_bound;
+ if(output > upper_bound) {
+ output = upper_bound;
}
- if(*output < lower_bound) {
- *output = lower_bound;
+ if(output < lower_bound) {
+ output = lower_bound;
}
} else {
- *output = default_val;
+ output = default_val;
}
return 0;
diff --git a/src/rgw/rgw_rest.cc b/src/rgw/rgw_rest.cc
index c87192d5674b..fdb1a713efe0 100644
--- a/src/rgw/rgw_rest.cc
+++ b/src/rgw/rgw_rest.cc
@@ -1588,7 +1588,9 @@ int RGWListMultipart_ObjStore::get_params()
}
string str = s->info.args.get("max-parts");
- op_ret = parse_value_and_bound(str, &max_parts, 0, g_conf()->rgw_max_listing_results, max_parts);
+ op_ret = parse_value_and_bound(str, max_parts, 0,
+ g_conf->get_val<uint64_t>("rgw_max_listing_results"),
+ max_parts);
return op_ret;
}
@@ -1598,7 +1600,9 @@ int RGWListBucketMultiparts_ObjStore::get_params()
delimiter = s->info.args.get("delimiter");
prefix = s->info.args.get("prefix");
string str = s->info.args.get("max-uploads");
- op_ret = parse_value_and_bound(str, &max_uploads, 0, g_conf()->rgw_max_listing_results, default_max);
+ op_ret = parse_value_and_bound(str, max_uploads, 0,
+ g_conf->get_val<uint64_t>("rgw_max_listing_results"),
+ default_max);
if (op_ret < 0) {
return op_ret;
}

279
6003-CVE-2018-14662.patch
View File

@ -1,279 +0,0 @@
From a2acedd2a7e12d58af6db35edbd8a9d29c557578 Mon Sep 17 00:00:00 2001
From: Joao Eduardo Luis <joao@suse.de>
Date: Wed, 17 Oct 2018 14:42:15 +0100
Subject: [PATCH] mon/config-key: limit caps allowed to access the store
Henceforth, we'll require explicit `allow` caps for commands, or for the
config-key service. Blanket caps are no longer allowed for the
config-key service, except for 'allow *'.
(for luminous and mimic, we're also ensuring MonCap's parser is able to
understand forward slashes '/' when parsing prefixes)
Signed-off-by: Joao Eduardo Luis <joao@suse.de>
(cherry picked from commit 5fff611041c5afeaf3c8eb09e4de0cc919d69237)
---
.../singleton/all/mon-config-key-caps.yaml | 17 ++
qa/workunits/mon/test_config_key_caps.sh | 201 ++++++++++++++++++
src/mon/MonCap.cc | 8 +-
3 files changed, 225 insertions(+), 1 deletion(-)
create mode 100644 qa/suites/rados/singleton/all/mon-config-key-caps.yaml
create mode 100755 qa/workunits/mon/test_config_key_caps.sh
diff --git a/qa/suites/rados/singleton/all/mon-config-key-caps.yaml b/qa/suites/rados/singleton/all/mon-config-key-caps.yaml
new file mode 100644
index 0000000000..0b0b95c52e
--- /dev/null
+++ b/qa/suites/rados/singleton/all/mon-config-key-caps.yaml
@@ -0,0 +1,17 @@
+roles:
+- - mon.a
+ - mgr.x
+ - osd.0
+ - osd.1
+ - osd.2
+ - client.0
+tasks:
+- install:
+- ceph:
+ log-whitelist:
+ - overall HEALTH_
+ - \(AUTH_BAD_CAPS\)
+- workunit:
+ clients:
+ all:
+ - mon/test_config_key_caps.sh
diff --git a/qa/workunits/mon/test_config_key_caps.sh b/qa/workunits/mon/test_config_key_caps.sh
new file mode 100755
index 0000000000..77b4b53b70
--- /dev/null
+++ b/qa/workunits/mon/test_config_key_caps.sh
@@ -0,0 +1,201 @@
+#!/usr/bin/env bash
+
+set -x
+set -e
+
+tmp=$(mktemp -d -p /tmp test_mon_config_key_caps.XXXXX)
+entities=()
+
+function cleanup()
+{
+ set +e
+ set +x
+ if [[ -e $tmp/keyring ]] && [[ -e $tmp/keyring.orig ]]; then
+ grep '\[.*\..*\]' $tmp/keyring.orig > $tmp/entities.orig
+ for e in $(grep '\[.*\..*\]' $tmp/keyring | \
+ diff $tmp/entities.orig - | \
+ sed -n 's/^.*\[\(.*\..*\)\]/\1/p');
+ do
+ ceph auth rm $e 2>&1 >& /dev/null
+ done
+ fi
+ #rm -fr $tmp
+}
+
+trap cleanup 0 # cleanup on exit
+
+function expect_false()
+{
+ set -x
+ if "$@"; then return 1; else return 0; fi
+}
+
+# for cleanup purposes
+ceph auth export -o $tmp/keyring.orig
+
+k=$tmp/keyring
+
+# setup a few keys
+ceph config-key ls
+ceph config-key set daemon-private/osd.123/test-foo
+ceph config-key set mgr/test-foo
+ceph config-key set device/test-foo
+ceph config-key set test/foo
+
+allow_aa=client.allow_aa
+allow_bb=client.allow_bb
+allow_cc=client.allow_cc
+
+mgr_a=mgr.a
+mgr_b=mgr.b
+osd_a=osd.100
+osd_b=osd.200
+
+prefix_aa=client.prefix_aa
+prefix_bb=client.prefix_bb
+prefix_cc=client.prefix_cc
+match_aa=client.match_aa
+match_bb=client.match_bb
+
+fail_aa=client.fail_aa
+fail_bb=client.fail_bb
+fail_cc=client.fail_cc
+fail_dd=client.fail_dd
+fail_ee=client.fail_ee
+fail_ff=client.fail_ff
+fail_gg=client.fail_gg
+fail_writes=client.fail_writes
+
+ceph auth get-or-create $allow_aa mon 'allow *'
+ceph auth get-or-create $allow_bb mon 'allow service config-key rwx'
+ceph auth get-or-create $allow_cc mon 'allow command "config-key get"'
+
+ceph auth get-or-create $mgr_a mon 'allow profile mgr'
+ceph auth get-or-create $mgr_b mon 'allow profile mgr'
+ceph auth get-or-create $osd_a mon 'allow profile osd'
+ceph auth get-or-create $osd_b mon 'allow profile osd'
+
+ceph auth get-or-create $prefix_aa mon \
+ "allow command \"config-key get\" with key prefix client/$prefix_aa"
+
+cap="allow command \"config-key set\" with key prefix client/"
+cap="$cap,allow command \"config-key get\" with key prefix client/$prefix_bb"
+ceph auth get-or-create $prefix_bb mon "$cap"
+
+cap="allow command \"config-key get\" with key prefix client/"
+cap="$cap, allow command \"config-key set\" with key prefix client/"
+cap="$cap, allow command \"config-key ls\""
+ceph auth get-or-create $prefix_cc mon "$cap"
+
+cap="allow command \"config-key get\" with key=client/$match_aa/foo"
+ceph auth get-or-create $match_aa mon "$cap"
+cap="allow command \"config-key get\" with key=client/$match_bb/foo"
+cap="$cap,allow command \"config-key set\" with key=client/$match_bb/foo"
+ceph auth get-or-create $match_bb mon "$cap"
+
+ceph auth get-or-create $fail_aa mon 'allow rx'
+ceph auth get-or-create $fail_bb mon 'allow r,allow w'
+ceph auth get-or-create $fail_cc mon 'allow rw'
+ceph auth get-or-create $fail_dd mon 'allow rwx'
+ceph auth get-or-create $fail_ee mon 'allow profile bootstrap-rgw'
+ceph auth get-or-create $fail_ff mon 'allow profile bootstrap-rbd'
+# write commands will require rw; wx is not enough
+ceph auth get-or-create $fail_gg mon 'allow service config-key wx'
+# read commands will only require 'r'; 'rx' should be enough.
+ceph auth get-or-create $fail_writes mon 'allow service config-key rx'
+
+# grab keyring
+ceph auth export -o $k
+
+# keys will all the caps can do whatever
+for c in $allow_aa $allow_bb $allow_cc $mgr_a $mgr_b; do
+ ceph -k $k --name $c config-key get daemon-private/osd.123/test-foo
+ ceph -k $k --name $c config-key get mgr/test-foo
+ ceph -k $k --name $c config-key get device/test-foo
+ ceph -k $k --name $c config-key get test/foo
+done
+
+for c in $osd_a $osd_b; do
+ ceph -k $k --name $c config-key put daemon-private/$c/test-foo
+ ceph -k $k --name $c config-key get daemon-private/$c/test-foo
+ expect_false ceph -k $k --name $c config-key ls
+ expect_false ceph -k $k --name $c config-key get mgr/test-foo
+ expect_false ceph -k $k --name $c config-key get device/test-foo
+ expect_false ceph -k $k --name $c config-key get test/foo
+done
+
+expect_false ceph -k $k --name $osd_a get daemon-private/$osd_b/test-foo
+expect_false ceph -k $k --name $osd_b get daemon-private/$osd_a/test-foo
+
+expect_false ceph -k $k --name $prefix_aa \
+ config-key ls
+expect_false ceph -k $k --name $prefix_aa \
+ config-key get daemon-private/osd.123/test-foo
+expect_false ceph -k $k --name $prefix_aa \
+ config-key set test/bar
+expect_false ceph -k $k --name $prefix_aa \
+ config-key set client/$prefix_aa/foo
+
+# write something so we can read, use a custom entity
+ceph -k $k --name $allow_bb config-key set client/$prefix_aa/foo
+ceph -k $k --name $prefix_aa config-key get client/$prefix_aa/foo
+# check one writes to the other's prefix, the other is able to read
+ceph -k $k --name $prefix_bb config-key set client/$prefix_aa/bar
+ceph -k $k --name $prefix_aa config-key get client/$prefix_aa/bar
+
+ceph -k $k --name $prefix_bb config-key set client/$prefix_bb/foo
+ceph -k $k --name $prefix_bb config-key get client/$prefix_bb/foo
+
+expect_false ceph -k $k --name $prefix_bb config-key get client/$prefix_aa/bar
+expect_false ceph -k $k --name $prefix_bb config-key ls
+expect_false ceph -k $k --name $prefix_bb \
+ config-key get daemon-private/osd.123/test-foo
+expect_false ceph -k $k --name $prefix_bb config-key get mgr/test-foo
+expect_false ceph -k $k --name $prefix_bb config-key get device/test-foo
+expect_false ceph -k $k --name $prefix_bb config-key get test/bar
+expect_false ceph -k $k --name $prefix_bb config-key set test/bar
+
+ceph -k $k --name $prefix_cc config-key set client/$match_aa/foo
+ceph -k $k --name $prefix_cc config-key set client/$match_bb/foo
+ceph -k $k --name $prefix_cc config-key get client/$match_aa/foo
+ceph -k $k --name $prefix_cc config-key get client/$match_bb/foo
+expect_false ceph -k $k --name $prefix_cc config-key set other/prefix
+expect_false ceph -k $k --name $prefix_cc config-key get mgr/test-foo
+ceph -k $k --name $prefix_cc config-key ls >& /dev/null
+
+ceph -k $k --name $match_aa config-key get client/$match_aa/foo
+expect_false ceph -k $k --name $match_aa config-key get client/$match_bb/foo
+expect_false ceph -k $k --name $match_aa config-key set client/$match_aa/foo
+ceph -k $k --name $match_bb config-key get client/$match_bb/foo
+ceph -k $k --name $match_bb config-key set client/$match_bb/foo
+expect_false ceph -k $k --name $match_bb config-key get client/$match_aa/foo
+expect_false ceph -k $k --name $match_bb config-key set client/$match_aa/foo
+
+keys=(daemon-private/osd.123/test-foo
+ mgr/test-foo
+ device/test-foo
+ test/foo
+ client/$prefix_aa/foo
+ client/$prefix_bb/foo
+ client/$match_aa/foo
+ client/$match_bb/foo
+)
+# expect these all to fail accessing config-key
+for c in $fail_aa $fail_bb $fail_cc \
+ $fail_dd $fail_ee $fail_ff \
+ $fail_gg; do
+ for m in get set; do
+ for key in ${keys[*]} client/$prefix_aa/foo client/$prefix_bb/foo; do
+ expect_false ceph -k $k --name $c config-key $m $key
+ done
+ done
+done
+
+# fail writes but succeed on reads
+expect_false ceph -k $k --name $fail_writes config-key set client/$match_aa/foo
+expect_false ceph -k $k --name $fail_writes config-key set test/foo
+ceph -k $k --name $fail_writes config-key ls
+ceph -k $k --name $fail_writes config-key get client/$match_aa/foo
+ceph -k $k --name $fail_writes config-key get daemon-private/osd.123/test-foo
+
+echo "OK"
diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index 6340ad7b14..c64f7e1081 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -350,6 +350,12 @@ mon_rwxa_t MonCapGrant::get_allowed(CephContext *cct,
}
return MON_CAP_ALL;
}
+ // we don't allow config-key service to be accessed with blanket caps other
+ // than '*' (i.e., 'any'), and that should have been checked by the caller
+ // via 'is_allow_all()'.
+ if (s == "config-key") {
+ return 0;
+ }
return allow;
}
@@ -484,7 +490,7 @@ struct MonCapParser : qi::grammar<Iterator, MonCap()>
quoted_string %=
lexeme['"' >> +(char_ - '"') >> '"'] |
lexeme['\'' >> +(char_ - '\'') >> '\''];
- unquoted_word %= +char_("a-zA-Z0-9_.-");
+ unquoted_word %= +char_("a-zA-Z0-9_/.-");
str %= quoted_string | unquoted_word;
spaces = +(lit(' ') | lit('\n') | lit('\t'));

168
6004-py3.patch
View File

@ -1,168 +0,0 @@
From 96e17e73608333c1d23e8950f7daf59d6e290248 Mon Sep 17 00:00:00 2001
From: Kaleb S. KEITHLEY <kkeithle@redhat.com>
Date: Thu, 29 Oct 2020 14:37:47 +0800
Subject: [PATCH] cpeh-remove-python3
https://src.fedoraproject.org/rpms/ceph/c/96e17e73608333c1d23e8950f7daf59d6e290248
Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
---
src/CMakeLists.txt | 3 ---
src/brag/client/ceph-brag | 2 +-
src/ceph-create-keys | 2 +-
src/ceph-detect-init/ceph_detect_init/main.py | 2 +-
src/ceph-disk/ceph_disk/main.py | 2 +-
src/ceph-rest-api | 2 +-
src/ceph-volume/bin/ceph-volume | 2 +-
src/ceph-volume/bin/ceph-volume-systemd | 2 +-
src/ceph.in | 2 +-
src/mount.fuse.ceph | 2 +-
src/pybind/CMakeLists.txt | 3 +--
src/tools/setup-virtualenv.sh | 4 +++-
12 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 80d4b351..7ca500b1 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -244,9 +244,6 @@ if(WITH_CEPHFS_JAVA)
endif()
# Python stuff
-find_package(PythonInterp 2 REQUIRED)
-find_package(PythonLibs 2 REQUIRED)
-
option(WITH_PYTHON3 "build python3 bindings" "CHECK")
if(WITH_PYTHON3 MATCHES "check|CHECK")
find_package(Python3Interp 3 QUIET)
diff --git a/src/brag/client/ceph-brag b/src/brag/client/ceph-brag
index 7df51674..69bbba20 100755
--- a/src/brag/client/ceph-brag
+++ b/src/brag/client/ceph-brag
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/python3
from __future__ import print_function
diff --git a/src/ceph-create-keys b/src/ceph-create-keys
index c14c02f2..7e80aab6 100755
--- a/src/ceph-create-keys
+++ b/src/ceph-create-keys
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/python3
import argparse
import errno
import json
diff --git a/src/ceph-detect-init/ceph_detect_init/main.py b/src/ceph-detect-init/ceph_detect_init/main.py
index 320ae170..c18ce74c 100644
--- a/src/ceph-detect-init/ceph_detect_init/main.py
+++ b/src/ceph-detect-init/ceph_detect_init/main.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/python3
#
# Copyright (C) 2015 <contact@redhat.com>
# Copyright (C) 2015 SUSE LINUX GmbH
diff --git a/src/ceph-disk/ceph_disk/main.py b/src/ceph-disk/ceph_disk/main.py
index 0058f1ac..0bdbcba3 100644
--- a/src/ceph-disk/ceph_disk/main.py
+++ b/src/ceph-disk/ceph_disk/main.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/python3
#
# Copyright (C) 2015, 2016, 2017 Red Hat <contact@redhat.com>
# Copyright (C) 2014 Inktank <info@inktank.com>
diff --git a/src/ceph-rest-api b/src/ceph-rest-api
index d185a804..2761dcc7 100755
--- a/src/ceph-rest-api
+++ b/src/ceph-rest-api
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/python3
# vim: ts=4 sw=4 smarttab expandtab
import argparse
diff --git a/src/ceph-volume/bin/ceph-volume b/src/ceph-volume/bin/ceph-volume
index 5905cfcc..a4f62b4a 100755
--- a/src/ceph-volume/bin/ceph-volume
+++ b/src/ceph-volume/bin/ceph-volume
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/python3
from ceph_volume import main
diff --git a/src/ceph-volume/bin/ceph-volume-systemd b/src/ceph-volume/bin/ceph-volume-systemd
index 7da8ec6b..f6c751cf 100755
--- a/src/ceph-volume/bin/ceph-volume-systemd
+++ b/src/ceph-volume/bin/ceph-volume-systemd
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/python3
from ceph_volume.systemd import main
diff --git a/src/ceph.in b/src/ceph.in
index 7c1eda2c..5e0471cb 100755
--- a/src/ceph.in
+++ b/src/ceph.in
@@ -1,4 +1,4 @@
-#!@PYTHON_EXECUTABLE@
+#!@PYTHON3_EXECUTABLE@
# -*- mode:python -*-
# vim: ts=4 sw=4 smarttab expandtab
#
diff --git a/src/mount.fuse.ceph b/src/mount.fuse.ceph
index 5c65ddca..4c0addf5 100755
--- a/src/mount.fuse.ceph
+++ b/src/mount.fuse.ceph
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/python3
'''
Helper to mount ceph-fuse from /etc/fstab. To use, add an entry
like:
diff --git a/src/pybind/CMakeLists.txt b/src/pybind/CMakeLists.txt
index dbdb23f1..1a14df97 100644
--- a/src/pybind/CMakeLists.txt
+++ b/src/pybind/CMakeLists.txt
@@ -6,7 +6,6 @@ set(CYTHON_MODULE_DIR ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}/cython_modules)
if(WITH_PYTHON3)
set(py_vers 3)
endif()
-list(APPEND py_vers 2)
foreach(python_version ${py_vers})
if(${python_version} EQUAL 2)
@@ -58,7 +57,7 @@ endforeach()
install(FILES
${CMAKE_CURRENT_SOURCE_DIR}/ceph_rest_api.py
- DESTINATION ${PYTHON_INSTDIR})
+ DESTINATION ${PYTHON${PYTHON_VERSION}_INSTDIR})
if(WITH_MGR)
# Location needs to match default setting for mgr_module_path, currently:
diff --git a/src/tools/setup-virtualenv.sh b/src/tools/setup-virtualenv.sh
index d249d49f..51763ac6 100755
--- a/src/tools/setup-virtualenv.sh
+++ b/src/tools/setup-virtualenv.sh
@@ -15,10 +15,12 @@
# GNU Library Public License for more details.
#
+echo ====================== setup-virtualenv $DIR ================
+
DIR=$1
rm -fr $DIR
mkdir -p $DIR
-virtualenv --python python2.7 $DIR
+virtualenv --python python3 $DIR
. $DIR/bin/activate
if pip --help | grep -q disable-pip-version-check; then
--
2.27.0

BIN
ceph-12.2.8.tar.gz → ceph-14.2.15.tar.gz
View File

Binary file not shown.

1121
ceph.spec
View File

File diff suppressed because it is too large Load Diff