mon: don't log "config set" and "config-key set" dispatch and finished messages

Signed-off-by: Neha Ojha <nojha@redhat.com>
(cherry picked from commit 4b83dfb1f74e8a59c802ff3c0eb4595f7e763762)

Origin: upstream, https://github.com/ceph/ceph/pull/38614/commits/630f614751d9b0932c21e9ab22f23f883a8fa5e9

Gbp-Pq: Name CVE-2020-25678-2.patch

diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
index 76c3c77081b8845f50856acb82d464803ff95489..636314cd86950c7a99084da07b93252cc5e85faa 100644 (file)
--- a/src/mon/Monitor.cc
+++ b/src/mon/Monitor.cc
@@ -3174,18 +3174,20 @@ void Monitor::handle_command(MonOpRequestRef op)
   if (!_allowed_command(session, service, prefix, cmdmap,
                         param_str_map, mon_cmd)) {
     dout(1) << __func__ << " access denied" << dendl;
-    (cmd_is_rw ? audit_clog->info() : audit_clog->debug())
-      << "from='" << session->inst << "' "
-      << "entity='" << session->entity_name << "' "
-      << "cmd=" << m->cmd << ":  access denied";
+    if (prefix != "config set" && prefix != "config-key set")
+      (cmd_is_rw ? audit_clog->info() : audit_clog->debug())
+        << "from='" << session->inst << "' "
+        << "entity='" << session->entity_name << "' "
+        << "cmd=" << m->cmd << ":  access denied";
     reply_command(op, -EACCES, "access denied", 0);
     return;
   }
 
-  (cmd_is_rw ? audit_clog->info() : audit_clog->debug())
-    << "from='" << session->inst << "' "
-    << "entity='" << session->entity_name << "' "
-    << "cmd=" << m->cmd << ": dispatch";
+  if (prefix != "config set" && prefix != "config-key set")
+    (cmd_is_rw ? audit_clog->info() : audit_clog->debug())
+      << "from='" << session->inst << "' "
+      << "entity='" << session->entity_name << "' "
+      << "cmd=" << m->cmd << ": dispatch";
 
   if (mon_cmd->is_mgr() &&
       osdmon()->osdmap.require_osd_release >= CEPH_RELEASE_LUMINOUS) {

diff --git a/src/mon/Monitor.h b/src/mon/Monitor.h
index 008947e85be34d2203421f8d12f80e9bc00fd2cd..e8f712e984baacffef91f07c4468b3a8eece5906 100644 (file)
--- a/src/mon/Monitor.h
+++ b/src/mon/Monitor.h
@@ -40,6 +40,7 @@
 #include "PGStatService.h"
 #include "MonCommand.h"
 
+#include "common/cmdparse.h"
 #include "common/LogClient.h"
 #include "auth/cephx/CephxKeyServer.h"
 #include "auth/AuthMethodList.h"
@@ -860,7 +861,13 @@ public:
             ss << "session dropped for command ";
           }
         }
-        ss << "cmd='" << m->cmd << "': finished";
+        cmdmap_t cmdmap;
+        stringstream ds;
+        string prefix;
+        cmdmap_from_json(m->cmd, &cmdmap, ds);
+        cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
+        if (prefix != "config set" && prefix != "config-key set")
+          ss << "cmd='" << m->cmd << "': finished";
 
         mon->audit_clog->info() << ss.str();
        mon->reply_command(op, rc, rs, rdata, version);