1 files changed, 100 insertions, 0 deletions

diff --git a/recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch b/recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch
new file mode 100644
index 00000000..de191bf8
--- /dev/null
+++ b/recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch
@@ -0,0 +1,100 @@
+From de67c1dab5597c91538970421b25f6ec667af492 Mon Sep 17 00:00:00 2001
+From: Josh Durgin <jdurgin@redhat.com>
+Date: Mon, 4 May 2020 17:03:35 -0400
+Subject: [PATCH 1/3] mgr: require all caps for pre-octopus tell commands
+
+This matches the requirements for admin socket commands
+sent via tell elsewhere.
+
+Signed-off-by: Josh Durgin <jdurgin@redhat.com>
+
+Upstream-status: Backport
+[https://github.com/ceph/ceph/commit/347003e13167c428187a5450517850f4d85e09ad]
+
+Signed-off-by: Liu Haitao <haitao.liu@windriver.com>
+---
+ src/mgr/DaemonServer.cc | 37 ++++++++++++++++++++++---------------
+ 1 file changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc
+index becd428a..527326e3 100644
+--- a/src/mgr/DaemonServer.cc
++++ b/src/mgr/DaemonServer.cc
+@@ -808,20 +808,12 @@ public:
+ bool DaemonServer::handle_command(const ref_t<MCommand>& m)
+ {
+   std::lock_guard l(lock);
+-  // a blank fsid in MCommand signals a legacy client sending a "mon-mgr" CLI
+-  // command.
+-  if (m->fsid != uuid_d()) {
+-    cct->get_admin_socket()->queue_tell_command(m);
++  auto cmdctx = std::make_shared<CommandContext>(m);
++  try {
++    return _handle_command(cmdctx);
++  } catch (const bad_cmd_get& e) {
++    cmdctx->reply(-EINVAL, e.what());
+     return true;
+-  } else {
+-    // legacy client; send to CLI processing
+-    auto cmdctx = std::make_shared<CommandContext>(m);
+-    try {
+-      return _handle_command(cmdctx);
+-    } catch (const bad_cmd_get& e) {
+-      cmdctx->reply(-EINVAL, e.what());
+-      return true;
+-    }
+   }
+ }
+ 
+@@ -853,8 +845,12 @@ bool DaemonServer::_handle_command(
+   std::shared_ptr<CommandContext>& cmdctx)
+ {
+   MessageRef m;
++  bool admin_socket_cmd = false;
+   if (cmdctx->m_tell) {
+     m = cmdctx->m_tell;
++    // a blank fsid in MCommand signals a legacy client sending a "mon-mgr" CLI
++    // command.
++    admin_socket_cmd = (cmdctx->m_tell->fsid != uuid_d());
+   } else {
+     m = cmdctx->m_mgr;
+   }
+@@ -888,7 +884,10 @@ bool DaemonServer::_handle_command(
+ 
+   dout(10) << "decoded-size=" << cmdctx->cmdmap.size() << " prefix=" << prefix  << dendl;
+ 
+-  if (prefix == "get_command_descriptions") {
++  // this is just for mgr commands - admin socket commands will fall
++  // through and use the admin socket version of
++  // get_command_descriptions
++  if (prefix == "get_command_descriptions" && !admin_socket_cmd) {
+     dout(10) << "reading commands from python modules" << dendl;
+     const auto py_commands = py_modules.get_commands();
+ 
+@@ -925,7 +924,10 @@ bool DaemonServer::_handle_command(
+ 
+   bool is_allowed = false;
+   ModuleCommand py_command;
+-  if (!mgr_cmd) {
++  if (admin_socket_cmd) {
++    // admin socket commands require all capabilities
++    is_allowed = session->caps.is_allow_all();
++  } else if (!mgr_cmd) {
+     // Resolve the command to the name of the module that will
+     // handle it (if the command exists)
+     auto py_commands = py_modules.get_py_commands();
+@@ -958,6 +960,11 @@ bool DaemonServer::_handle_command(
+     << "entity='" << session->entity_name << "' "
+     << "cmd=" << cmdctx->cmd << ": dispatch";
+ 
++  if (admin_socket_cmd) {
++    cct->get_admin_socket()->queue_tell_command(cmdctx->m_tell);
++    return true;
++  }
++
+   // ----------------
+   // service map commands
+   if (prefix == "service dump") {
+-- 
+2.25.1
+