1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
2 * vim:expandtab:shiftwidth=8:tabstop=8:
4 * Copyright (C) 2004-2006 Cluster File Systems, Inc.
5 * Author: Lai Siyao <lsy@clusterfs.com>
6 * Author: Fan Yong <fanyong@clusterfs.com>
9 * This file is part of Lustre, http://www.lustre.org.
11 * Lustre is free software; you can redistribute it and/or
12 * modify it under the terms of version 2 of the GNU General Public
13 * License as published by the Free Software Foundation.
15 * Lustre is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with Lustre; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #define DEBUG_SUBSYSTEM S_MDS
30 #ifndef AUTOCONF_INCLUDED
31 #include <linux/config.h>
33 #include <linux/module.h>
34 #include <linux/kernel.h>
36 #include <linux/kmod.h>
37 #include <linux/string.h>
38 #include <linux/stat.h>
39 #include <linux/errno.h>
40 #include <linux/version.h>
41 #include <linux/unistd.h>
42 #include <asm/system.h>
43 #include <asm/uaccess.h>
45 #include <linux/stat.h>
46 #include <asm/uaccess.h>
47 #include <linux/slab.h>
48 #include <asm/segment.h>
50 #include <libcfs/kp30.h>
52 #include <obd_class.h>
53 #include <obd_support.h>
54 #include <lustre_net.h>
55 #include <lustre_import.h>
56 #include <lustre_dlm.h>
57 #include <lustre_sec.h>
58 #include <lustre_lib.h>
59 #include <lustre_ucache.h>
61 #include "mdt_internal.h"
64 MDT_IDMAP_NOTFOUND = -1,
67 struct mdt_idmap_entry {
68 struct list_head mie_rmt_hash; /* hashed as mie_rmt_id; */
69 struct list_head mie_lcl_hash; /* hashed as mie_lcl_id; */
71 uid_t mie_rmt_id; /* remote uid/gid */
72 uid_t mie_lcl_id; /* local uid/gid */
76 static struct mdt_idmap_table *mdt_idmap_alloc(void)
78 struct mdt_idmap_table *tbl;
85 spin_lock_init(&tbl->mit_lock);
86 for (i = 0; i < ARRAY_SIZE(tbl->mit_idmaps); i++)
87 for (j = 0; j < ARRAY_SIZE(tbl->mit_idmaps[i]); j++)
88 INIT_LIST_HEAD(&tbl->mit_idmaps[i][j]);
93 static struct mdt_idmap_entry *idmap_entry_alloc(__u32 mie_rmt_id,
96 struct mdt_idmap_entry *e;
102 INIT_LIST_HEAD(&e->mie_rmt_hash);
103 INIT_LIST_HEAD(&e->mie_lcl_hash);
105 e->mie_rmt_id = mie_rmt_id;
106 e->mie_lcl_id = mie_lcl_id;
111 static void idmap_entry_free(struct mdt_idmap_entry *e)
113 if (!list_empty(&e->mie_rmt_hash))
114 list_del(&e->mie_rmt_hash);
115 if (!list_empty(&e->mie_lcl_hash))
116 list_del(&e->mie_lcl_hash);
120 int mdt_init_idmap(struct mdt_thread_info *info)
122 struct ptlrpc_request *req = mdt_info_req(info);
123 char *client = libcfs_nid2str(req->rq_peer.nid);
124 struct mdt_export_data *med = mdt_req2med(req);
125 struct obd_device *obd = req->rq_export->exp_obd;
126 struct obd_connect_data *data, *reply;
130 data = req_capsule_client_get(&info->mti_pill, &RMF_CONNECT_DATA);
131 reply = req_capsule_server_get(&info->mti_pill, &RMF_CONNECT_DATA);
132 if (data == NULL || reply == NULL)
135 if (!req->rq_auth_gss || req->rq_auth_usr_mdt) {
136 med->med_rmtclient = 0;
137 reply->ocd_connect_flags &= ~OBD_CONNECT_RMT_CLIENT;
138 //reply->ocd_connect_flags |= OBD_CONNECT_LCL_CLIENT;
142 remote = data->ocd_connect_flags & OBD_CONNECT_RMT_CLIENT;
145 med->med_rmtclient = 1;
146 if (!req->rq_auth_remote)
147 CWARN("client (local realm) %s -> target %s asked "
148 "to be remote!\n", client, obd->obd_name);
149 } else if (req->rq_auth_remote) {
150 med->med_rmtclient = 1;
151 CWARN("client (remote realm) %s -> target %s forced "
152 "to be remote!\n", client, obd->obd_name);
155 if (med->med_rmtclient) {
156 med->med_nllu = data->ocd_nllu;
157 med->med_nllg = data->ocd_nllg;
159 med->med_idmap = mdt_idmap_alloc();
160 if (!med->med_idmap) {
161 CERROR("client %s -> target %s failed to alloc idmap!\n"
162 , client, obd->obd_name);
166 reply->ocd_connect_flags &= ~OBD_CONNECT_LCL_CLIENT;
167 //reply->ocd_connect_flags |= OBD_CONNECT_RMT_CLIENT;
168 CDEBUG(D_SEC, "client %s -> target %s is remote.\n",
169 client, obd->obd_name);
171 /* NB, MDT_CONNECT establish root idmap too! */
172 rc = mdt_handle_idmap(info);
174 if (req->rq_auth_uid == INVALID_UID) {
175 CERROR("client %s -> target %s: user is not "
176 "authenticated!\n", client, obd->obd_name);
179 reply->ocd_connect_flags &= ~OBD_CONNECT_RMT_CLIENT;
180 //reply->ocd_connect_flags |= OBD_CONNECT_LCL_CLIENT;
186 static void idmap_clear_mie_rmt_hash(struct list_head *list)
188 struct mdt_idmap_entry *e;
191 for (i = 0; i < MDT_IDMAP_HASHSIZE; i++) {
192 while (!list_empty(&list[i])) {
193 e = list_entry(list[i].next, struct mdt_idmap_entry,
200 void mdt_cleanup_idmap(struct mdt_export_data *med)
202 struct mdt_idmap_table *tbl = med->med_idmap;
205 LASSERT(med->med_rmtclient);
208 spin_lock(&tbl->mit_lock);
209 idmap_clear_mie_rmt_hash(tbl->mit_idmaps[RMT_UIDMAP_IDX]);
210 idmap_clear_mie_rmt_hash(tbl->mit_idmaps[RMT_GIDMAP_IDX]);
212 /* paranoid checking */
213 for (i = 0; i < MDT_IDMAP_HASHSIZE; i++) {
214 LASSERT(list_empty(&tbl->mit_idmaps[LCL_UIDMAP_IDX][i]));
215 LASSERT(list_empty(&tbl->mit_idmaps[LCL_GIDMAP_IDX][i]));
217 spin_unlock(&tbl->mit_lock);
220 med->med_idmap = NULL;
223 static inline void mdt_revoke_export_locks(struct obd_export *exp)
225 /* don't revoke locks during recovery */
226 if (exp->exp_obd->obd_recovering)
229 ldlm_revoke_export_locks(exp);
233 struct mdt_idmap_entry *idmap_lookup_entry(struct list_head *mie_rmt_hash,
234 uid_t mie_rmt_id, uid_t mie_lcl_id)
236 struct list_head *rmt_head =
237 &mie_rmt_hash[MDT_IDMAP_HASHFUNC(mie_rmt_id)];
238 struct mdt_idmap_entry *e;
240 list_for_each_entry(e, rmt_head, mie_rmt_hash) {
241 if ((e->mie_rmt_id == mie_rmt_id) &&
242 (e->mie_lcl_id == mie_lcl_id))
250 * NULL: not found entry
251 * ERR_PTR(-EACCES): found multi->single mapped entry
252 * others: found normal entry
255 struct mdt_idmap_entry *idmap_search_entry(struct list_head *mie_rmt_hash,
257 struct list_head *mie_lcl_hash,
259 const char *warn_msg)
261 struct list_head *rmt_head =
262 &mie_rmt_hash[MDT_IDMAP_HASHFUNC(mie_rmt_id)];
263 struct list_head *lcl_head =
264 &mie_lcl_hash[MDT_IDMAP_HASHFUNC(mie_lcl_id)];
265 struct mdt_idmap_entry *e;
267 list_for_each_entry(e, rmt_head, mie_rmt_hash) {
268 if (e->mie_rmt_id == mie_rmt_id) {
269 if (e->mie_lcl_id == mie_lcl_id) {
273 CERROR("%s: rmt id %u already be mapped to %u"
274 " (new %u)\n", warn_msg, e->mie_rmt_id,
275 e->mie_lcl_id, mie_lcl_id);
276 return ERR_PTR(-EACCES);
281 list_for_each_entry(e, lcl_head, mie_lcl_hash) {
282 if (e->mie_lcl_id == mie_lcl_id) {
283 if (e->mie_rmt_id == mie_rmt_id) {
287 CERROR("%s: lcl id %u already be mapped from %u"
288 " (new %u)\n", warn_msg, e->mie_lcl_id,
289 e->mie_rmt_id, mie_rmt_id);
290 return ERR_PTR(-EACCES);
299 struct mdt_idmap_entry *idmap_insert_entry(struct list_head *mie_rmt_hash,
300 struct list_head *mie_lcl_hash,
301 struct mdt_idmap_entry *new,
302 const char *warn_msg)
304 struct list_head *rmt_head =
305 &mie_rmt_hash[MDT_IDMAP_HASHFUNC(new->mie_rmt_id)];
306 struct list_head *lcl_head =
307 &mie_lcl_hash[MDT_IDMAP_HASHFUNC(new->mie_lcl_id)];
308 struct mdt_idmap_entry *e;
310 e = idmap_search_entry(mie_rmt_hash, new->mie_rmt_id,
311 mie_lcl_hash, new->mie_lcl_id,
314 list_add_tail(&new->mie_rmt_hash, rmt_head);
315 list_add_tail(&new->mie_lcl_hash, lcl_head);
320 static int idmap_remove_entry(struct list_head *mie_rmt_hash,
321 struct list_head *mie_lcl_hash,
322 __u32 mie_rmt_id, __u32 mie_lcl_id)
324 struct mdt_idmap_entry *e;
327 e = idmap_lookup_entry(mie_rmt_hash, mie_rmt_id, mie_lcl_id);
330 if ((rc = e->mie_refcount) <= 0)
336 static int mdt_idmap_add(struct mdt_idmap_table *tbl,
337 uid_t ruid, uid_t luid,
338 gid_t rgid, gid_t lgid)
340 struct mdt_idmap_entry *ue0, *ue1, *ge0, *ge1;
345 spin_lock(&tbl->mit_lock);
346 ue0 = idmap_search_entry(tbl->mit_idmaps[RMT_UIDMAP_IDX], ruid,
347 tbl->mit_idmaps[LCL_UIDMAP_IDX], luid,
349 spin_unlock(&tbl->mit_lock);
351 ue0 = idmap_entry_alloc(ruid, luid);
355 spin_lock(&tbl->mit_lock);
356 ue1 = idmap_insert_entry(tbl->mit_idmaps[RMT_UIDMAP_IDX],
357 tbl->mit_idmaps[LCL_UIDMAP_IDX],
360 idmap_entry_free(ue0);
363 spin_unlock(&tbl->mit_lock);
366 RETURN(PTR_ERR(ue1));
367 } else if (IS_ERR(ue0)) {
368 RETURN(PTR_ERR(ue0));
371 spin_lock(&tbl->mit_lock);
372 ge0 = idmap_search_entry(tbl->mit_idmaps[RMT_GIDMAP_IDX], rgid,
373 tbl->mit_idmaps[LCL_GIDMAP_IDX], lgid,
375 spin_unlock(&tbl->mit_lock);
377 ge0 = idmap_entry_alloc(rgid, lgid);
378 spin_lock(&tbl->mit_lock);
381 if (ue0->mie_refcount <= 0)
382 idmap_entry_free(ue0);
383 spin_unlock(&tbl->mit_lock);
387 ge1 = idmap_insert_entry(tbl->mit_idmaps[RMT_GIDMAP_IDX],
388 tbl->mit_idmaps[LCL_GIDMAP_IDX],
392 if (ue0->mie_refcount <= 0)
393 idmap_entry_free(ue0);
394 idmap_entry_free(ge0);
396 spin_unlock(&tbl->mit_lock);
399 RETURN(PTR_ERR(ge1));
400 } else if (IS_ERR(ge0)) {
401 spin_lock(&tbl->mit_lock);
403 if (ue0->mie_refcount <= 0)
404 idmap_entry_free(ue0);
405 spin_unlock(&tbl->mit_lock);
406 RETURN(PTR_ERR(ge0));
412 static int mdt_idmap_del(struct mdt_idmap_table *tbl,
413 uid_t ruid, uid_t luid,
414 gid_t rgid, gid_t lgid)
421 spin_lock(&tbl->mit_lock);
422 idmap_remove_entry(tbl->mit_idmaps[RMT_UIDMAP_IDX],
423 tbl->mit_idmaps[LCL_UIDMAP_IDX],
425 idmap_remove_entry(tbl->mit_idmaps[RMT_GIDMAP_IDX],
426 tbl->mit_idmaps[LCL_GIDMAP_IDX],
428 spin_unlock(&tbl->mit_lock);
433 int mdt_handle_idmap(struct mdt_thread_info *info)
435 struct ptlrpc_request *req = mdt_info_req(info);
436 struct mdt_device *mdt = info->mti_mdt;
437 struct mdt_export_data *med;
438 struct ptlrpc_user_desc *pud = req->rq_user_desc;
439 struct mdt_identity *identity;
448 med = mdt_req2med(req);
449 if (!med->med_rmtclient)
452 opc = lustre_msg_get_opc(req->rq_reqmsg);
453 /* Bypass other opc */
454 if ((opc != SEC_CTX_INIT) && (opc != SEC_CTX_INIT_CONT) &&
455 (opc != SEC_CTX_FINI) && (opc != MDS_CONNECT))
459 LASSERT(med->med_idmap);
461 if (req->rq_auth_mapped_uid == INVALID_UID) {
462 CERROR("invalid authorized mapped uid, please check "
463 "/etc/lustre/idmap.conf!\n");
467 if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
468 CERROR("remote client must run with identity_get enabled!\n");
472 identity = mdt_identity_get(mdt->mdt_identity_cache,
473 req->rq_auth_mapped_uid);
475 CERROR("can't get mdt identity(%u), no mapping added\n",
476 req->rq_auth_mapped_uid);
482 case SEC_CTX_INIT_CONT:
484 rc = mdt_idmap_add(med->med_idmap,
485 pud->pud_uid, identity->mi_uid,
486 pud->pud_gid, identity->mi_gid);
489 rc = mdt_idmap_del(med->med_idmap,
490 pud->pud_uid, identity->mi_uid,
491 pud->pud_gid, identity->mi_gid);
495 mdt_identity_put(mdt->mdt_identity_cache, identity);
502 case SEC_CTX_INIT_CONT:
504 mdt_revoke_export_locks(req->rq_export);
510 static __u32 idmap_lookup_id(struct list_head *hash, int reverse, __u32 id)
512 struct list_head *head = &hash[MDT_IDMAP_HASHFUNC(id)];
513 struct mdt_idmap_entry *e;
516 list_for_each_entry(e, head, mie_rmt_hash) {
517 if (e->mie_rmt_id == id)
518 return e->mie_lcl_id;
521 list_for_each_entry(e, head, mie_lcl_hash) {
522 if (e->mie_lcl_id == id)
523 return e->mie_rmt_id;
526 return MDT_IDMAP_NOTFOUND;
529 static int mdt_idmap_lookup_uid(struct mdt_idmap_table *tbl, int reverse,
532 struct list_head *hash;
535 return MDT_IDMAP_NOTFOUND;
537 hash = tbl->mit_idmaps[reverse ? LCL_UIDMAP_IDX : RMT_UIDMAP_IDX];
539 spin_lock(&tbl->mit_lock);
540 uid = idmap_lookup_id(hash, reverse, uid);
541 spin_unlock(&tbl->mit_lock);
546 static int mdt_idmap_lookup_gid(struct mdt_idmap_table *tbl, int reverse,
549 struct list_head *hash;
552 return MDT_IDMAP_NOTFOUND;
554 hash = tbl->mit_idmaps[reverse ? LCL_GIDMAP_IDX : RMT_GIDMAP_IDX];
556 spin_lock(&tbl->mit_lock);
557 gid = idmap_lookup_id(hash, reverse, gid);
558 spin_unlock(&tbl->mit_lock);
563 int ptlrpc_user_desc_do_idmap(struct ptlrpc_request *req,
564 struct ptlrpc_user_desc *pud)
566 struct mdt_export_data *med = mdt_req2med(req);
567 struct mdt_idmap_table *idmap = med->med_idmap;
571 /* Only remote client need desc_to_idmap. */
572 if (!med->med_rmtclient)
575 uid = mdt_idmap_lookup_uid(idmap, 0, pud->pud_uid);
576 if (uid == MDT_IDMAP_NOTFOUND) {
577 CERROR("no mapping for uid %u\n", pud->pud_uid);
581 if (pud->pud_uid == pud->pud_fsuid) {
584 fsuid = mdt_idmap_lookup_uid(idmap, 0, pud->pud_fsuid);
585 if (fsuid == MDT_IDMAP_NOTFOUND) {
586 CERROR("no mapping for fsuid %u\n", pud->pud_fsuid);
591 gid = mdt_idmap_lookup_gid(idmap, 0, pud->pud_gid);
592 if (gid == MDT_IDMAP_NOTFOUND) {
593 CERROR("no mapping for gid %u\n", pud->pud_gid);
597 if (pud->pud_gid == pud->pud_fsgid) {
600 fsgid = mdt_idmap_lookup_gid(idmap, 0, pud->pud_fsgid);
601 if (fsgid == MDT_IDMAP_NOTFOUND) {
602 CERROR("no mapping for fsgid %u\n", pud->pud_fsgid);
609 pud->pud_fsuid = fsuid;
610 pud->pud_fsgid = fsgid;
617 * Do not ignore rootsquash.
619 void mdt_body_reverse_idmap(struct mdt_thread_info *info, struct mdt_body *body)
621 struct ptlrpc_request *req = mdt_info_req(info);
622 struct md_ucred *uc = mdt_ucred(info);
623 struct mdt_export_data *med = mdt_req2med(req);
624 struct mdt_idmap_table *idmap = med->med_idmap;
628 if (!med->med_rmtclient)
631 if (body->valid & OBD_MD_FLUID) {
632 if (((uc->mu_valid == UCRED_OLD) ||
633 (uc->mu_valid == UCRED_NEW)) &&
634 !(uc->mu_squash & SQUASH_UID)) {
635 if (body->uid == uc->mu_uid)
637 else if (body->uid == uc->mu_fsuid)
638 uid = uc->mu_o_fsuid;
640 uid = mdt_idmap_lookup_uid(idmap, 1, body->uid);
642 uid = mdt_idmap_lookup_uid(idmap, 1, body->uid);
645 if (uid == MDT_IDMAP_NOTFOUND) {
647 if (body->valid & OBD_MD_FLMODE)
648 body->mode = (body->mode & ~S_IRWXU) |
649 ((body->mode & S_IRWXO) << 6);
655 if (body->valid & OBD_MD_FLGID) {
656 if (((uc->mu_valid == UCRED_OLD) ||
657 (uc->mu_valid == UCRED_NEW)) &&
658 !(uc->mu_squash & SQUASH_GID)) {
659 if (body->gid == uc->mu_gid)
661 else if (body->gid == uc->mu_fsgid)
662 gid = uc->mu_o_fsgid;
664 gid = mdt_idmap_lookup_gid(idmap, 1, body->gid);
666 gid = mdt_idmap_lookup_gid(idmap, 1, body->gid);
669 if (gid == MDT_IDMAP_NOTFOUND) {
671 if (body->valid & OBD_MD_FLMODE)
672 body->mode = (body->mode & ~S_IRWXG) |
673 ((body->mode & S_IRWXO) << 3);
680 /* NB: return error if no mapping, so this will look strange:
681 * if client hasn't kinit the to map xid for the mapped xid, client
682 * will always get -EPERM, and the same for rootsquash case. */
683 int mdt_remote_perm_reverse_idmap(struct ptlrpc_request *req,
684 struct mdt_remote_perm *perm)
686 struct mdt_export_data *med = mdt_req2med(req);
690 LASSERT(med->med_rmtclient);
692 uid = mdt_idmap_lookup_uid(med->med_idmap, 1, perm->rp_uid);
693 if (uid == MDT_IDMAP_NOTFOUND) {
694 CERROR("no mapping for uid %u\n", perm->rp_uid);
698 gid = mdt_idmap_lookup_gid(med->med_idmap, 1, perm->rp_gid);
699 if (gid == MDT_IDMAP_NOTFOUND) {
700 CERROR("no mapping for gid %u\n", perm->rp_gid);
704 if (perm->rp_uid != perm->rp_fsuid) {
705 fsuid = mdt_idmap_lookup_uid(med->med_idmap, 1, perm->rp_fsuid);
706 if (fsuid == MDT_IDMAP_NOTFOUND) {
707 CERROR("no mapping for fsuid %u\n", perm->rp_fsuid);
714 if (perm->rp_gid != perm->rp_fsgid) {
715 fsgid = mdt_idmap_lookup_gid(med->med_idmap, 1, perm->rp_fsgid);
716 if (fsgid == MDT_IDMAP_NOTFOUND) {
717 CERROR("no mapping for fsgid %u\n", perm->rp_fsgid);
726 perm->rp_fsuid = fsuid;
727 perm->rp_fsgid = fsgid;
731 /* Process remote client and rootsquash */
732 int mdt_fix_attr_ucred(struct mdt_thread_info *info, __u32 op)
734 struct ptlrpc_request *req = mdt_info_req(info);
735 struct md_ucred *uc = mdt_ucred(info);
736 struct lu_attr *attr = &info->mti_attr.ma_attr;
737 struct mdt_export_data *med = mdt_req2med(req);
738 struct mdt_idmap_table *idmap = med->med_idmap;
742 if ((uc->mu_valid != UCRED_OLD) && (uc->mu_valid != UCRED_NEW))
745 if (!med->med_rmtclient && (uc->mu_squash == SQUASH_NONE))
748 if (op != REINT_SETATTR) {
749 if ((attr->la_valid & LA_UID) && (attr->la_uid != -1))
750 attr->la_uid = uc->mu_fsuid;
751 if (op != REINT_CREATE) {
752 if ((attr->la_valid & LA_GID) && (attr->la_gid != -1))
753 attr->la_gid = uc->mu_fsgid;
755 /* for S_ISGID, inherit gid from his parent */
756 if (!(attr->la_mode & S_ISGID) && (attr->la_gid != -1))
757 attr->la_gid = uc->mu_fsgid;
759 } else if (med->med_rmtclient) {
760 /* NB: -1 case will be handled by mdt_fix_attr() later. */
761 if ((attr->la_valid & LA_UID) && (attr->la_uid != -1)) {
764 if (attr->la_uid == uc->mu_o_uid)
766 else if (attr->la_uid == uc->mu_o_fsuid)
769 uid = mdt_idmap_lookup_uid(idmap, 0,
772 if (uid == MDT_IDMAP_NOTFOUND) {
773 CWARN("Deny chown to uid %u\n", attr->la_uid);
779 if ((attr->la_valid & LA_GID) && (attr->la_gid != -1)) {
782 if (attr->la_gid == uc->mu_o_gid)
784 else if (attr->la_gid == uc->mu_o_fsgid)
787 gid = mdt_idmap_lookup_gid(idmap, 0,
790 if (gid == MDT_IDMAP_NOTFOUND) {
791 CWARN("Deny chown to gid %u\n", attr->la_gid);