1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
2 * vim:expandtab:shiftwidth=8:tabstop=8:
6 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 only,
10 * as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * General Public License version 2 for more details (a copy is included
16 * in the LICENSE file that accompanied this code).
18 * You should have received a copy of the GNU General Public License
19 * version 2 along with this program; If not, see
20 * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
22 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
23 * CA 95054 USA or visit www.sun.com if you need additional information or
29 * Copyright 2008 Sun Microsystems, Inc. All rights reserved
30 * Use is subject to license terms.
33 * This file is part of Lustre, http://www.lustre.org/
34 * Lustre is a trademark of Sun Microsystems, Inc.
36 * lustre/obdfilter/filter_capa.c
38 * Author: Lai Siyao <lsy@clusterfs.com>
41 #define DEBUG_SUBSYSTEM S_FILTER
44 #include <linux/version.h>
45 #include <asm/uaccess.h>
46 #include <linux/file.h>
47 #include <linux/kmod.h>
49 #include <lustre_fsfilt.h>
50 #include <lustre_capa.h>
52 #include "filter_internal.h"
54 static inline __u32 filter_ck_keyid(struct filter_capa_key *key)
56 return key->k_key.lk_keyid;
59 int filter_update_capa_key(struct obd_device *obd, struct lustre_capa_key *new)
61 struct filter_obd *filter = &obd->u.filter;
62 struct filter_capa_key *k, *keys[2] = { NULL, NULL };
65 cfs_spin_lock(&capa_lock);
66 cfs_list_for_each_entry(k, &filter->fo_capa_keys, k_list) {
67 if (k->k_key.lk_mdsid != new->lk_mdsid)
72 if (filter_ck_keyid(keys[1]) > filter_ck_keyid(keys[0]))
73 keys[1] = keys[0], keys[0] = k;
78 cfs_spin_unlock(&capa_lock);
80 for (i = 0; i < 2; i++) {
83 if (filter_ck_keyid(keys[i]) != new->lk_keyid)
85 /* maybe because of recovery or other reasons, MDS sent the
86 * the old capability key again.
88 cfs_spin_lock(&capa_lock);
89 keys[i]->k_key = *new;
90 cfs_spin_unlock(&capa_lock);
96 /* if OSS already have two keys, update the old one */
102 CFS_INIT_LIST_HEAD(&k->k_list);
105 cfs_spin_lock(&capa_lock);
107 if (cfs_list_empty(&k->k_list))
108 cfs_list_add(&k->k_list, &filter->fo_capa_keys);
109 cfs_spin_unlock(&capa_lock);
111 DEBUG_CAPA_KEY(D_SEC, new, "new");
115 int filter_auth_capa(struct obd_export *exp, struct lu_fid *fid, obd_gr group,
116 struct lustre_capa *capa, __u64 opc)
118 struct obd_device *obd = exp->exp_obd;
119 struct filter_obd *filter = &obd->u.filter;
120 struct filter_capa_key *k;
121 struct lustre_capa_key key;
125 int keys_ready = 0, key_found = 0, rc = 0;
128 /* skip capa check for llog and obdecho */
129 if (!filter_group_is_mds(group))
132 /* capability is disabled */
133 if (!filter->fo_fl_oss_capa)
136 if (!(exp->exp_connect_flags & OBD_CONNECT_OSS_CAPA))
139 mdsid = objgrp_to_mdsno(group);
142 CERROR("mdsno/fid/opc "LPU64"/"DFID"/"LPX64
143 ": no capability has been passed\n",
144 mdsid, PFID(fid), opc);
146 CERROR("mdsno/opc "LPU64"/"LPX64
147 ": no capability has been passed\n",
152 if (opc == CAPA_OPC_OSS_READ) {
153 if (!(capa->lc_opc & CAPA_OPC_OSS_RW))
155 } else if (!capa_opc_supported(capa, opc)) {
159 DEBUG_CAPA(D_ERROR, capa, "opc "LPX64" not supported by", opc);
163 oc = capa_lookup(filter->fo_capa_hash, capa, 0);
165 cfs_spin_lock(&oc->c_lock);
166 if (capa_is_expired(oc)) {
167 DEBUG_CAPA(D_ERROR, capa, "expired");
170 cfs_spin_unlock(&oc->c_lock);
176 if (capa_is_expired_sec(capa)) {
177 DEBUG_CAPA(D_ERROR, capa, "expired");
181 cfs_spin_lock(&capa_lock);
182 cfs_list_for_each_entry(k, &filter->fo_capa_keys, k_list) {
183 if (k->k_key.lk_mdsid == mdsid) {
185 if (k->k_key.lk_keyid == capa_keyid(capa)) {
192 cfs_spin_unlock(&capa_lock);
195 CDEBUG(D_SEC, "MDS hasn't propagated capability keys yet, "
201 DEBUG_CAPA(D_ERROR, capa, "no matched capability key for");
205 OBD_ALLOC(hmac, CAPA_HMAC_MAX_LEN);
209 rc = capa_hmac(hmac, capa, key.lk_key);
211 DEBUG_CAPA(D_ERROR, capa, "HMAC failed: rc %d", rc);
212 OBD_FREE(hmac, CAPA_HMAC_MAX_LEN);
216 rc = memcmp(hmac, capa->lc_hmac, CAPA_HMAC_MAX_LEN);
217 OBD_FREE(hmac, CAPA_HMAC_MAX_LEN);
219 DEBUG_CAPA_KEY(D_ERROR, &key, "calculate HMAC with ");
220 DEBUG_CAPA(D_ERROR, capa, "HMAC mismatch");
224 /* store in capa hash */
225 oc = capa_add(filter->fo_capa_hash, capa);
230 int filter_capa_fixoa(struct obd_export *exp, struct obdo *oa, obd_gr group,
231 struct lustre_capa *capa)
237 /* skip capa check for llog and obdecho */
238 if (!filter_group_is_mds(group))
241 if (!(exp->exp_connect_flags & OBD_CONNECT_OSS_CAPA))
247 mdsid = objgrp_to_mdsno(group);
248 if (capa_flags(capa) == LC_ID_CONVERT) {
249 struct obd_device *obd = exp->exp_obd;
250 struct filter_obd *filter = &obd->u.filter;
251 struct filter_capa_key *k;
254 cfs_spin_lock(&capa_lock);
255 cfs_list_for_each_entry(k, &filter->fo_capa_keys, k_list) {
256 if (k->k_key.lk_mdsid == mdsid &&
257 k->k_key.lk_keyid == capa_keyid(capa)) {
262 cfs_spin_unlock(&capa_lock);
271 uid.id64 = capa_uid(capa);
272 gid.id64 = capa_gid(capa);
278 rc = capa_decrypt_id(d, s, k->k_key.lk_key,
279 CAPA_HMAC_KEY_MAX_LEN);
286 DEBUG_CAPA(D_ERROR, capa, "no matched capability key for");
294 void filter_free_capa_keys(struct filter_obd *filter)
296 struct filter_capa_key *key, *n;
298 cfs_spin_lock(&capa_lock);
299 cfs_list_for_each_entry_safe(key, n, &filter->fo_capa_keys, k_list) {
300 cfs_list_del_init(&key->k_list);
301 OBD_FREE(key, sizeof(*key));
303 cfs_spin_unlock(&capa_lock);