1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
2 * vim:expandtab:shiftwidth=8:tabstop=8:
4 * Copyright (C) 2004-2006 Cluster File Systems, Inc.
5 * Author: Lai Siyao <lsy@clusterfs.com>
6 * Author: Fan Yong <fanyong@clusterfs.com>
9 * This file is part of Lustre, http://www.lustre.org.
11 * Lustre is free software; you can redistribute it and/or
12 * modify it under the terms of version 2 of the GNU General Public
13 * License as published by the Free Software Foundation.
15 * Lustre is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with Lustre; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #define DEBUG_SUBSYSTEM S_MDS
30 #include <linux/config.h>
31 #include <linux/module.h>
32 #include <linux/kernel.h>
34 #include <linux/kmod.h>
35 #include <linux/string.h>
36 #include <linux/stat.h>
37 #include <linux/errno.h>
38 #include <linux/version.h>
39 #include <linux/unistd.h>
40 #include <asm/system.h>
41 #include <asm/uaccess.h>
43 #include <linux/stat.h>
44 #include <asm/uaccess.h>
45 #include <linux/slab.h>
47 #include <asm/segment.h>
50 #include <libcfs/kp30.h>
52 #include <obd_class.h>
53 #include <obd_support.h>
54 #include <lustre_net.h>
55 #include <lustre_import.h>
56 #include <lustre_dlm.h>
57 #include <lustre_sec.h>
58 #include <lustre_lib.h>
59 #include <lustre_ucache.h>
61 #include "mdt_internal.h"
/*
 * Decide at connect time whether this export is handled as a remote-realm
 * client and, if it is, create the export's id-mapping table.
 *
 * NOTE(review): this listing omits source lines (the embedded line numbers
 * skip, e.g. 75 -> 78), so return statements, braces and some conditions are
 * not visible here; the comments below cover only the statements shown.
 */
63 int mdt_init_idmap(struct mdt_thread_info *info)
65 struct ptlrpc_request *req = mdt_info_req(info);
/* Peer NID rendered as text; used only in the log messages below. */
66 char *client = libcfs_nid2str(req->rq_peer.nid);
67 struct mdt_export_data *med = mdt_req2med(req);
68 struct obd_device *obd = req->rq_export->exp_obd;
69 struct obd_connect_data *data, *reply;
/* Connect data as sent by the client and as it will be returned to it. */
73 data = req_capsule_client_get(info->mti_pill, &RMF_CONNECT_DATA);
74 reply = req_capsule_server_get(info->mti_pill, &RMF_CONNECT_DATA);
/* Both buffers are required; the failure path is on an omitted line. */
75 if (data == NULL || reply == NULL)
/*
 * A request without GSS authentication, or one with rq_auth_usr_mdt set,
 * is never a remote client: the export is marked local and the remote-client
 * flag is withdrawn from the reply.
 */
78 if (!req->rq_auth_gss || req->rq_auth_usr_mdt) {
79 med->med_rmtclient = 0;
80 reply->ocd_connect_flags &= ~OBD_CONNECT_RMT_CLIENT;
/* What the client itself requested in its connect flags. */
84 remote = data->ocd_connect_flags & OBD_CONNECT_RMT_CLIENT;
/*
 * The export is marked remote; when the authentication result does not say
 * "remote realm" the choice is only logged, not refused.
 * NOTE(review): the guarding condition is on an omitted line -- presumably
 * a test of `remote`; confirm against the full file.
 */
87 med->med_rmtclient = 1;
88 if (!req->rq_auth_remote)
89 CDEBUG(D_SEC, "client (local realm) %s -> target %s "
90 "asked to be remote!\n", client, obd->obd_name);
/*
 * On this branch the flag is set from the authentication result alone, so a
 * client authenticated from a remote realm is always subject to id mapping.
 */
91 } else if (req->rq_auth_remote) {
92 med->med_rmtclient = 1;
93 CDEBUG(D_SEC, "client (remote realm) %s -> target %s forced "
94 "to be remote!\n", client, obd->obd_name);
97 if (med->med_rmtclient) {
/* The table pointer is assigned while holding med_idmap_sem. */
98 down(&med->med_idmap_sem);
100 med->med_idmap = lustre_idmap_init();
101 up(&med->med_idmap_sem);
/*
 * An error pointer is replaced by NULL before the failure is reported, so
 * mdt_cleanup_idmap(), which only tests for NULL, never passes it to
 * lustre_idmap_fini().
 * NOTE(review): this check and reset run after up(), i.e. outside
 * med_idmap_sem -- confirm no concurrent request can observe the error
 * pointer in between.
 */
103 if (IS_ERR(med->med_idmap)) {
104 long err = PTR_ERR(med->med_idmap);
106 med->med_idmap = NULL;
107 CERROR("client %s -> target %s "
108 "failed to init idmap [%ld]!\n",
109 client, obd->obd_name, err);
/* lustre_idmap_init() may also yield NULL; that is reported separately. */
111 } else if (!med->med_idmap) {
112 CERROR("client %s -> target %s "
113 "failed to init(2) idmap!\n",
114 client, obd->obd_name);
/* A remote client must not also be advertised as a local client. */
118 reply->ocd_connect_flags &= ~OBD_CONNECT_LCL_CLIENT;
119 CDEBUG(D_SEC, "client %s -> target %s is remote.\n",
120 client, obd->obd_name);
122 /* NB: MDS_CONNECT establishes the root idmap too! */
123 rc = mdt_handle_idmap(info);
/*
 * A request whose authenticated uid is INVALID_UID is logged as
 * unauthenticated; the return statement is on an omitted line.
 * NOTE(review): presumably this is the non-remote branch -- confirm.
 */
125 if (req->rq_auth_uid == INVALID_UID) {
126 CDEBUG(D_SEC, "client %s -> target %s: user is not "
127 "authenticated!\n", client, obd->obd_name);
/* The reply must not advertise the remote-client flag on this path. */
130 reply->ocd_connect_flags &= ~OBD_CONNECT_RMT_CLIENT;
/*
 * Release the id-mapping table attached to a remote client's export.
 *
 * The caller must only pass an export marked remote: the LASSERT below trips
 * otherwise. The table is freed and the pointer cleared while holding
 * med_idmap_sem, so a second call finds NULL and does nothing.
 */
136 void mdt_cleanup_idmap(struct mdt_export_data *med)
138 LASSERT(med->med_rmtclient);
140 down(&med->med_idmap_sem);
141 if (med->med_idmap != NULL) {
142 lustre_idmap_fini(med->med_idmap);
/* Clear the pointer so the freed table cannot be reached through med. */
143 med->med_idmap = NULL;
145 up(&med->med_idmap_sem);
/*
 * Revoke the locks held through an export by calling
 * ldlm_revoke_export_locks(), with a separate check for a target that is
 * in recovery.
 * NOTE(review): the statement under the recovery check is on an omitted
 * line -- presumably an early return; confirm against the full file.
 */
148 static inline void mdt_revoke_export_locks(struct obd_export *exp)
150 /* don't revoke locks during recovery */
151 if (exp->exp_obd->obd_recovering)
154 ldlm_revoke_export_locks(exp);
/*
 * Keep a remote client's id-mapping table in step with its security
 * contexts: on the security-context and connect opcodes, add or delete the
 * mapping between the ids in the request's user descriptor and the ids of
 * the server-side identity found for the authenticated mapped uid.
 *
 * NOTE(review): this listing omits source lines (locals, return statements,
 * the switch headers and some case labels), so which opcode reaches which
 * call is only partly visible; comments describe the statements shown.
 */
157 int mdt_handle_idmap(struct mdt_thread_info *info)
159 struct ptlrpc_request *req = mdt_info_req(info);
160 struct mdt_device *mdt = info->mti_mdt;
161 struct mdt_export_data *med;
162 struct ptlrpc_user_desc *pud = req->rq_user_desc;
163 struct md_identity *identity;
171 med = mdt_req2med(req);
/* Only exports marked remote are checked further. */
172 if (!med->med_rmtclient)
175 opc = lustre_msg_get_opc(req->rq_reqmsg);
176 /* Bypass every other opcode. */
177 if ((opc != SEC_CTX_INIT) && (opc != SEC_CTX_INIT_CONT) &&
178 (opc != SEC_CTX_FINI) && (opc != MDS_CONNECT))
/* A remote export without a table at this point trips the assertion. */
181 LASSERT(med->med_idmap);
/* The request must carry a user descriptor; its absence is logged. */
183 if (unlikely(!pud)) {
184 CDEBUG(D_SEC, "remote client must run with rq_user_desc "
/*
 * The server-side uid comes from the authentication result
 * (rq_auth_mapped_uid); INVALID_UID here means no usable mapping was
 * configured, as the log message points out.
 */
189 if (req->rq_auth_mapped_uid == INVALID_UID) {
190 CDEBUG(D_SEC, "invalid authorized mapped uid, please check "
191 "/etc/lustre/idmap.conf!\n");
/* Identity lookup has to be enabled on this MDT's identity cache. */
195 if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
196 CDEBUG(D_SEC, "remote client must run with identity_get "
/* Look up the server-side identity for the authenticated mapped uid. */
201 identity = mdt_identity_get(mdt->mdt_identity_cache,
202 req->rq_auth_mapped_uid);
203 if (IS_ERR(identity)) {
204 CDEBUG(D_SEC, "can't get mdt identity(%u), no mapping added\n",
205 req->rq_auth_mapped_uid);
/*
 * Add the pair (descriptor uid/gid, identity uid/gid) to the table.
 * NOTE(review): the other case labels sharing this branch are on omitted
 * lines.
 */
211 case SEC_CTX_INIT_CONT:
213 rc = lustre_idmap_add(med->med_idmap,
214 pud->pud_uid, identity->mi_uid,
215 pud->pud_gid, identity->mi_gid);
/*
 * Delete the same pair from the table.
 * NOTE(review): the case label is omitted -- presumably SEC_CTX_FINI.
 */
218 rc = lustre_idmap_del(med->med_idmap,
219 pud->pud_uid, identity->mi_uid,
220 pud->pud_gid, identity->mi_gid);
/* Drop the reference taken by mdt_identity_get(). */
224 mdt_identity_put(mdt->mdt_identity_cache, identity);
/*
 * The export's locks are revoked in a second dispatch on the opcode.
 * NOTE(review): presumably so nothing granted under the previous mapping
 * stays cached on the client -- confirm the intent and the full case list.
 */
231 case SEC_CTX_INIT_CONT:
233 mdt_revoke_export_locks(req->rq_export);
/*
 * Translate the uid, fsuid, gid and fsgid of a remote client's user
 * descriptor through the export's id-mapping table.
 *
 * Every lookup that returns CFS_IDMAP_NOTFOUND is logged.
 * NOTE(review): this listing omits source lines, including the statement
 * that follows each "no mapping" message -- presumably an error return that
 * rejects the request; confirm that an unmapped id cannot fall through with
 * its original value.
 */
240 int ptlrpc_user_desc_do_idmap(struct ptlrpc_request *req,
241 struct ptlrpc_user_desc *pud)
243 struct mdt_export_data *med = mdt_req2med(req);
/*
 * NOTE(review): med_idmap is read here without taking med_idmap_sem --
 * confirm the table cannot be freed while a request is in flight.
 */
244 struct lustre_idmap_table *idmap = med->med_idmap;
248 /* Only a remote client needs desc_to_idmap. */
249 if (!med->med_rmtclient)
/*
 * Lookups in this function pass 0 as the third argument, while
 * mdt_body_reverse_idmap() passes 1 -- presumably the direction of the
 * mapping; confirm against lustre_idmap_lookup_uid().
 */
252 uid = lustre_idmap_lookup_uid(NULL, idmap, 0, pud->pud_uid);
253 if (uid == CFS_IDMAP_NOTFOUND) {
254 CDEBUG(D_SEC, "no mapping for uid %u\n", pud->pud_uid);
/*
 * fsuid gets its own lookup only when it differs from uid; the statement
 * for the equal case is on an omitted line (presumably it reuses `uid`).
 */
258 if (pud->pud_uid == pud->pud_fsuid) {
261 fsuid = lustre_idmap_lookup_uid(NULL, idmap, 0, pud->pud_fsuid);
262 if (fsuid == CFS_IDMAP_NOTFOUND) {
263 CDEBUG(D_SEC, "no mapping for fsuid %u\n",
/* Same sequence for the group ids. */
269 gid = lustre_idmap_lookup_gid(NULL, idmap, 0, pud->pud_gid);
270 if (gid == CFS_IDMAP_NOTFOUND) {
271 CDEBUG(D_SEC, "no mapping for gid %u\n", pud->pud_gid);
275 if (pud->pud_gid == pud->pud_fsgid) {
278 fsgid = lustre_idmap_lookup_gid(NULL, idmap, 0, pud->pud_fsgid);
279 if (fsgid == CFS_IDMAP_NOTFOUND) {
280 CDEBUG(D_SEC, "no mapping for fsgid %u\n",
/*
 * The descriptor is overwritten in place with the mapped ids; the
 * assignments for uid and gid are presumably on the omitted lines just
 * before these two.
 */
288 pud->pud_fsuid = fsuid;
289 pud->pud_fsgid = fsgid;
/*
 * Rewrite the owner and group of a reply body for a remote client by looking
 * them up in the export's id-mapping table (third lookup argument 1).
 *
 * When an id has no mapping and the mode is valid, the permission bits of
 * that class are replaced by a copy of the "other" bits, so the client is
 * not shown owner or group rights for an id it cannot be mapped to.
 *
 * NOTE(review): this listing omits source lines, including the value the
 * uid/gid is set to when the lookup fails and the success assignments;
 * comments describe the statements shown.
 */
297 void mdt_body_reverse_idmap(struct mdt_thread_info *info, struct mdt_body *body)
299 struct ptlrpc_request *req = mdt_info_req(info);
300 struct md_ucred *uc = mdt_ucred(info);
301 struct mdt_export_data *med = mdt_req2med(req);
302 struct lustre_idmap_table *idmap = med->med_idmap;
/* Exports not marked remote are tested first; the branch body is omitted. */
304 if (!med->med_rmtclient)
/* Owner: only touched when the body carries a valid uid. */
307 if (body->valid & OBD_MD_FLUID) {
308 uid_t uid = lustre_idmap_lookup_uid(uc, idmap, 1, body->uid);
310 if (uid == CFS_IDMAP_NOTFOUND) {
/* Clear S_IRWXU and put the S_IRWXO bits in its place (shift by 6). */
312 if (body->valid & OBD_MD_FLMODE)
313 body->mode = (body->mode & ~S_IRWXU) |
314 ((body->mode & S_IRWXO) << 6);
/* Group: same treatment, with the S_IRWXO bits shifted by 3. */
320 if (body->valid & OBD_MD_FLGID) {
321 gid_t gid = lustre_idmap_lookup_gid(uc, idmap, 1, body->gid);
323 if (gid == CFS_IDMAP_NOTFOUND) {
325 if (body->valid & OBD_MD_FLMODE)
326 body->mode = (body->mode & ~S_IRWXG) |
327 ((body->mode & S_IRWXO) << 3);
334 /* Do not ignore root_squash for non-setattr case. */
335 int mdt_fix_attr_ucred(struct mdt_thread_info *info, __u32 op)
337 struct ptlrpc_request *req = mdt_info_req(info);
338 struct md_ucred *uc = mdt_ucred(info);
339 struct lu_attr *attr = &info->mti_attr.ma_attr;
340 struct mdt_export_data *med = mdt_req2med(req);
341 struct lustre_idmap_table *idmap = med->med_idmap;
343 if ((uc->mu_valid != UCRED_OLD) && (uc->mu_valid != UCRED_NEW))
346 if (op != REINT_SETATTR) {
347 if ((attr->la_valid & LA_UID) && (attr->la_uid != -1))
348 attr->la_uid = uc->mu_fsuid;
349 /* for S_ISGID, inherit gid from his parent, such work will be
350 * done in cmm/mdd layer, here set all cases as uc->mu_fsgid. */
351 if ((attr->la_valid & LA_GID) && (attr->la_gid != -1))
352 attr->la_gid = uc->mu_fsgid;
353 } else if (med->med_rmtclient) {
354 /* NB: -1 case will be handled by mdt_fix_attr() later. */
355 if ((attr->la_valid & LA_UID) && (attr->la_uid != -1)) {
356 uid_t uid = lustre_idmap_lookup_uid(uc, idmap, 0,
359 if (uid == CFS_IDMAP_NOTFOUND) {
360 CDEBUG(D_SEC, "Deny chown to uid %u\n",
367 if ((attr->la_valid & LA_GID) && (attr->la_gid != -1)) {
368 gid_t gid = lustre_idmap_lookup_gid(uc, idmap, 0,
371 if (gid == CFS_IDMAP_NOTFOUND) {
372 CDEBUG(D_SEC, "Deny chown to gid %u\n",