1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
2 * vim:expandtab:shiftwidth=8:tabstop=8:
6 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 only,
10 * as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * General Public License version 2 for more details (a copy is included
16 * in the LICENSE file that accompanied this code).
18 * You should have received a copy of the GNU General Public License
19 * version 2 along with this program; If not, see
20 * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
22 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
23 * CA 95054 USA or visit www.sun.com if you need additional information or
29 * Copyright 2008 Sun Microsystems, Inc. All rights reserved
30 * Use is subject to license terms.
33 * This file is part of Lustre, http://www.lustre.org/
34 * Lustre is a trademark of Sun Microsystems, Inc.
36 * lustre/mdt/mdt_idmap.c
38 * Author: Lai Siyao <lsy@clusterfs.com>
39 * Author: Fan Yong <fanyong@clusterfs.com>
45 #define DEBUG_SUBSYSTEM S_MDS
47 #ifndef AUTOCONF_INCLUDED
48 #include <linux/config.h>
50 #include <linux/module.h>
51 #include <linux/kernel.h>
53 #include <linux/kmod.h>
54 #include <linux/string.h>
55 #include <linux/stat.h>
56 #include <linux/errno.h>
57 #include <linux/version.h>
58 #include <linux/unistd.h>
59 #include <asm/system.h>
60 #include <asm/uaccess.h>
62 #include <linux/stat.h>
63 #include <asm/uaccess.h>
64 #include <linux/slab.h>
66 #include <libcfs/libcfs.h>
68 #include <obd_class.h>
69 #include <obd_support.h>
70 #include <lustre_net.h>
71 #include <lustre_import.h>
72 #include <lustre_dlm.h>
73 #include <lustre_sec.h>
74 #include <lustre_lib.h>
75 #include <lustre_ucache.h>
77 #include "mdt_internal.h"
/*
 * mdt_init_idmap - decide whether the connecting client is treated as a
 * "remote" client and, if so, create the per-export id mapping table.
 *
 * Reads the client's connect data and the server's reply buffer from the
 * request capsule, sets med->med_rmtclient, and clears whichever of
 * OBD_CONNECT_RMT_CLIENT / OBD_CONNECT_LCL_CLIENT does not apply in the reply.
 *
 * NOTE(review): this listing drops some source lines (the gutter numbers
 * skip), so braces, some declarations and the return statements are not
 * visible here; return values are left undocumented for that reason.
 */
79 int mdt_init_idmap(struct mdt_thread_info *info)
81 struct ptlrpc_request *req = mdt_info_req(info);
/* Peer NID as text; in the visible lines it is used for log messages. */
82 char *client = libcfs_nid2str(req->rq_peer.nid);
83 struct mdt_export_data *med = mdt_req2med(req);
84 struct obd_device *obd = req->rq_export->exp_obd;
85 struct obd_connect_data *data, *reply;
/* data is what the client sent, reply is what the server will send back. */
89 data = req_capsule_client_get(info->mti_pill, &RMF_CONNECT_DATA);
90 reply = req_capsule_server_get(info->mti_pill, &RMF_CONNECT_DATA);
/* Both buffers are required (the failure path is on a line not shown). */
91 if (data == NULL || reply == NULL)
/*
 * A request that is not GSS-authenticated, or that has rq_auth_usr_mdt set,
 * is never a remote client: the export flag is cleared and the remote-client
 * bit is removed from the reply.
 */
94 if (!req->rq_auth_gss || req->rq_auth_usr_mdt) {
95 med->med_rmtclient = 0;
96 reply->ocd_connect_flags &= ~OBD_CONNECT_RMT_CLIENT;
/*
 * The client's wish to be remote is read from its own connect flags, i.e.
 * it is client-supplied input.
 */
100 remote = data->ocd_connect_flags & OBD_CONNECT_RMT_CLIENT;
/*
 * presumably guarded by "if (remote)" on a line not shown - TODO confirm.
 * A client that asked to be remote is made remote; if the authentication
 * did not flag it as rq_auth_remote this is only logged.
 */
103 med->med_rmtclient = 1;
104 if (!req->rq_auth_remote)
105 CDEBUG(D_SEC, "client (local realm) %s -> target %s "
106 "asked to be remote!\n", client, obd->obd_name);
/*
 * A request flagged rq_auth_remote is made remote even though the client
 * did not ask for it.
 */
107 } else if (req->rq_auth_remote) {
108 med->med_rmtclient = 1;
109 CDEBUG(D_SEC, "client (remote realm) %s -> target %s forced "
110 "to be remote!\n", client, obd->obd_name);
113 if (med->med_rmtclient) {
/* The idmap table is created while holding the per-export semaphore. */
114 down(&med->med_idmap_sem);
116 med->med_idmap = lustre_idmap_init();
117 up(&med->med_idmap_sem);
/*
 * NOTE(review): med_idmap is examined below after the semaphore has been
 * released - confirm nothing else can change it for this export here.
 * An error pointer is reset to NULL so later code never sees it.
 */
119 if (IS_ERR(med->med_idmap)) {
120 long err = PTR_ERR(med->med_idmap);
122 med->med_idmap = NULL;
123 CERROR("client %s -> target %s "
124 "failed to init idmap [%ld]!\n",
125 client, obd->obd_name, err);
127 } else if (!med->med_idmap) {
128 CERROR("client %s -> target %s "
129 "failed to init(2) idmap!\n",
130 client, obd->obd_name);
/* A remote client is not also advertised as a local client in the reply. */
134 reply->ocd_connect_flags &= ~OBD_CONNECT_LCL_CLIENT;
135 CDEBUG(D_SEC, "client %s -> target %s is remote.\n",
136 client, obd->obd_name);
138 /* NB, MDS_CONNECT establish root idmap too! */
139 rc = mdt_handle_idmap(info);
/*
 * presumably the non-remote branch (its "else" is on a line not shown):
 * a request without a valid authenticated uid is logged as unauthenticated,
 * and the remote-client bit is removed from the reply.
 */
141 if (req->rq_auth_uid == INVALID_UID) {
142 CDEBUG(D_SEC, "client %s -> target %s: user is not "
143 "authenticated!\n", client, obd->obd_name);
146 reply->ocd_connect_flags &= ~OBD_CONNECT_RMT_CLIENT;
/*
 * mdt_cleanup_idmap - release the id mapping table of a remote-client export.
 *
 * Asserts that the export is marked as a remote client, then, holding
 * med_idmap_sem, frees the table with lustre_idmap_fini() and resets the
 * pointer to NULL so a second call finds nothing left to free.
 */
152 void mdt_cleanup_idmap(struct mdt_export_data *med)
/* Calling this for a non-remote export trips the assertion. */
154 LASSERT(med->med_rmtclient);
156 down(&med->med_idmap_sem);
157 if (med->med_idmap != NULL) {
158 lustre_idmap_fini(med->med_idmap);
/* Clear the pointer while still under the semaphore. */
159 med->med_idmap = NULL;
161 up(&med->med_idmap_sem);
/*
 * mdt_revoke_export_locks - revoke the locks held through an export by
 * calling ldlm_revoke_export_locks(), except while the device is recovering.
 *
 * NOTE(review): the statement executed when obd_recovering is set is on a
 * line this listing does not show; presumably an early return.
 */
164 static inline void mdt_revoke_export_locks(struct obd_export *exp)
166 /* don't revoke locks during recovery */
167 if (exp->exp_obd->obd_recovering)
170 ldlm_revoke_export_locks(exp);
/*
 * mdt_handle_idmap - add or remove one uid/gid mapping for a remote client
 * while handling a security-context or connect request.
 *
 * The mapping pairs the ids from the request's user descriptor
 * (pud_uid/pud_gid) with the ids of the MDT identity looked up for
 * req->rq_auth_mapped_uid (mi_uid/mi_gid).
 *
 * NOTE(review): this listing drops some source lines (the gutter numbers
 * skip): the switch headers, most case labels and all return statements are
 * not visible, so which opcode adds and which deletes is not shown here.
 */
173 int mdt_handle_idmap(struct mdt_thread_info *info)
175 struct ptlrpc_request *req = mdt_info_req(info);
176 struct mdt_device *mdt = info->mti_mdt;
177 struct mdt_export_data *med;
/* User descriptor carried by the request; may be NULL (checked below). */
178 struct ptlrpc_user_desc *pud = req->rq_user_desc;
179 struct md_identity *identity;
/* Only exports marked as remote clients have an idmap to maintain. */
187 med = mdt_req2med(req);
188 if (!med->med_rmtclient)
191 opc = lustre_msg_get_opc(req->rq_reqmsg);
192 /* Bypass other opc */
193 if ((opc != SEC_CTX_INIT) && (opc != SEC_CTX_INIT_CONT) &&
194 (opc != SEC_CTX_FINI) && (opc != MDS_CONNECT))
/* A remote-client export reaching this point must already have a table. */
197 LASSERT(med->med_idmap);
/* Preconditions: a user descriptor, a valid mapped uid, identity lookup. */
199 if (unlikely(!pud)) {
200 CDEBUG(D_SEC, "remote client must run with rq_user_desc "
205 if (req->rq_auth_mapped_uid == INVALID_UID) {
206 CDEBUG(D_SEC, "invalid authorized mapped uid, please check "
207 "/etc/lustre/idmap.conf!\n");
211 if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
212 CDEBUG(D_SEC, "remote client must run with identity_get "
/*
 * The server-side identity is looked up by the mapped uid taken from the
 * authentication result, not by an id from the user descriptor.
 */
217 identity = mdt_identity_get(mdt->mdt_identity_cache,
218 req->rq_auth_mapped_uid);
219 if (IS_ERR(identity)) {
220 CDEBUG(D_SEC, "can't get mdt identity(%u), no mapping added\n",
221 req->rq_auth_mapped_uid);
/* presumably inside "switch (opc)": one group adds, another deletes. */
227 case SEC_CTX_INIT_CONT:
229 rc = lustre_idmap_add(med->med_idmap,
230 pud->pud_uid, identity->mi_uid,
231 pud->pud_gid, identity->mi_gid);
234 rc = lustre_idmap_del(med->med_idmap,
235 pud->pud_uid, identity->mi_uid,
236 pud->pud_gid, identity->mi_gid);
/* Drop the identity reference obtained from mdt_identity_get(). */
240 mdt_identity_put(mdt->mdt_identity_cache, identity);
/*
 * presumably a second switch on opc: the export's locks are revoked here,
 * after the mapping table may have changed.
 */
247 case SEC_CTX_INIT_CONT:
249 mdt_revoke_export_locks(req->rq_export);
/*
 * ptlrpc_user_desc_do_idmap - translate the ids in a remote client's user
 * descriptor through the export's idmap table.
 *
 * Looks up pud_uid, pud_fsuid, pud_gid and pud_fsgid; a lookup that yields
 * CFS_IDMAP_NOTFOUND is logged. The mapped fsuid/fsgid are written back
 * into the descriptor at the end.
 *
 * NOTE(review): this listing drops some source lines (the gutter numbers
 * skip): the return statements, the bodies of the "uid == fsuid" /
 * "gid == fsgid" shortcuts, and presumably the write-back of pud_uid and
 * pud_gid are not visible here.
 */
256 int ptlrpc_user_desc_do_idmap(struct ptlrpc_request *req,
257 struct ptlrpc_user_desc *pud)
259 struct mdt_export_data *med = mdt_req2med(req);
260 struct lustre_idmap_table *idmap = med->med_idmap;
264 /* Only remote client need desc_to_idmap. */
265 if (!med->med_rmtclient)
/*
 * Lookups here pass 0 as the third argument, while mdt_body_reverse_idmap()
 * passes 1; presumably this selects the mapping direction - confirm against
 * lustre_idmap_lookup_uid().
 */
268 uid = lustre_idmap_lookup_uid(NULL, idmap, 0, pud->pud_uid);
269 if (uid == CFS_IDMAP_NOTFOUND) {
270 CDEBUG(D_SEC, "no mapping for uid %u\n", pud->pud_uid);
/* When uid and fsuid are equal the second lookup is skipped. */
274 if (pud->pud_uid == pud->pud_fsuid) {
277 fsuid = lustre_idmap_lookup_uid(NULL, idmap, 0, pud->pud_fsuid);
278 if (fsuid == CFS_IDMAP_NOTFOUND) {
279 CDEBUG(D_SEC, "no mapping for fsuid %u\n",
285 gid = lustre_idmap_lookup_gid(NULL, idmap, 0, pud->pud_gid);
286 if (gid == CFS_IDMAP_NOTFOUND) {
287 CDEBUG(D_SEC, "no mapping for gid %u\n", pud->pud_gid);
/* Same shortcut for gid and fsgid. */
291 if (pud->pud_gid == pud->pud_fsgid) {
294 fsgid = lustre_idmap_lookup_gid(NULL, idmap, 0, pud->pud_fsgid);
295 if (fsgid == CFS_IDMAP_NOTFOUND) {
296 CDEBUG(D_SEC, "no mapping for fsgid %u\n",
/* The descriptor is overwritten in place with the mapped ids. */
304 pud->pud_fsuid = fsuid;
305 pud->pud_fsgid = fsgid;
/*
 * mdt_body_reverse_idmap - translate the owner and group ids in a reply body
 * for a remote client, and adjust the mode bits when an id has no mapping.
 *
 * When the uid lookup yields CFS_IDMAP_NOTFOUND and the body carries a mode,
 * the owner permission bits are replaced by a copy of the "other" bits
 * (S_IRWXO shifted left by 6); likewise the group bits are replaced by the
 * "other" bits (shifted left by 3) when the gid has no mapping. An unmapped
 * owner or group is therefore reported with no more than "other" access.
 *
 * NOTE(review): this listing drops some source lines (the gutter numbers
 * skip); what is stored into body->uid / body->gid is not visible here.
 */
313 void mdt_body_reverse_idmap(struct mdt_thread_info *info, struct mdt_body *body)
315 struct ptlrpc_request *req = mdt_info_req(info);
316 struct md_ucred *uc = mdt_ucred(info);
317 struct mdt_export_data *med = mdt_req2med(req);
318 struct lustre_idmap_table *idmap = med->med_idmap;
/* Only applies to exports marked as remote clients. */
320 if (!med->med_rmtclient)
323 if (body->valid & OBD_MD_FLUID) {
/* Third argument is 1 here (0 in ptlrpc_user_desc_do_idmap()). */
324 uid_t uid = lustre_idmap_lookup_uid(uc, idmap, 1, body->uid);
326 if (uid == CFS_IDMAP_NOTFOUND) {
/* Unmapped owner: owner bits := other bits. */
328 if (body->valid & OBD_MD_FLMODE)
329 body->mode = (body->mode & ~S_IRWXU) |
330 ((body->mode & S_IRWXO) << 6);
336 if (body->valid & OBD_MD_FLGID) {
337 gid_t gid = lustre_idmap_lookup_gid(uc, idmap, 1, body->gid);
339 if (gid == CFS_IDMAP_NOTFOUND) {
/* Unmapped group: group bits := other bits. */
341 if (body->valid & OBD_MD_FLMODE)
342 body->mode = (body->mode & ~S_IRWXG) |
343 ((body->mode & S_IRWXO) << 3);
350 /* Do not ignore root_squash for non-setattr case. */
351 int mdt_fix_attr_ucred(struct mdt_thread_info *info, __u32 op)
353 struct ptlrpc_request *req = mdt_info_req(info);
354 struct md_ucred *uc = mdt_ucred(info);
355 struct lu_attr *attr = &info->mti_attr.ma_attr;
356 struct mdt_export_data *med = mdt_req2med(req);
357 struct lustre_idmap_table *idmap = med->med_idmap;
359 if ((uc->mu_valid != UCRED_OLD) && (uc->mu_valid != UCRED_NEW))
362 if (op != REINT_SETATTR) {
363 if ((attr->la_valid & LA_UID) && (attr->la_uid != -1))
364 attr->la_uid = uc->mu_fsuid;
365 /* for S_ISGID, inherit gid from his parent, such work will be
366 * done in cmm/mdd layer, here set all cases as uc->mu_fsgid. */
367 if ((attr->la_valid & LA_GID) && (attr->la_gid != -1))
368 attr->la_gid = uc->mu_fsgid;
369 } else if (med->med_rmtclient) {
370 /* NB: -1 case will be handled by mdt_fix_attr() later. */
371 if ((attr->la_valid & LA_UID) && (attr->la_uid != -1)) {
372 uid_t uid = lustre_idmap_lookup_uid(uc, idmap, 0,
375 if (uid == CFS_IDMAP_NOTFOUND) {
376 CDEBUG(D_SEC, "Deny chown to uid %u\n",
383 if ((attr->la_valid & LA_GID) && (attr->la_gid != -1)) {
384 gid_t gid = lustre_idmap_lookup_gid(uc, idmap, 0,
387 if (gid == CFS_IDMAP_NOTFOUND) {
388 CDEBUG(D_SEC, "Deny chown to gid %u\n",