* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
- * Copyright (c) 2012, Intel Corporation.
+ * Copyright (c) 2012, 2013, Intel Corporation.
*/
/*
* This file is part of Lustre, http://www.lustre.org/
#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/kmod.h>
+#include <linux/user_namespace.h>
+#ifdef HAVE_UIDGID_HEADER
+# include <linux/uidgid.h>
+#endif
#include <linux/string.h>
#include <linux/stat.h>
#include <linux/errno.h>
#include <linux/slab.h>
#include <libcfs/libcfs.h>
-#include <libcfs/lucache.h>
#include <obd.h>
#include <obd_class.h>
#include <obd_support.h>
#include "mdt_internal.h"
-#define mdt_init_sec_none(reply, exp) \
-do { \
- reply->ocd_connect_flags &= ~(OBD_CONNECT_RMT_CLIENT | \
- OBD_CONNECT_RMT_CLIENT_FORCE | \
- OBD_CONNECT_MDS_CAPA | \
- OBD_CONNECT_OSS_CAPA); \
-} while (0)
-
-int mdt_init_sec_level(struct mdt_thread_info *info)
+int mdt_init_idmap(struct tgt_session_info *tsi)
{
- struct mdt_device *mdt = info->mti_mdt;
- struct ptlrpc_request *req = mdt_info_req(info);
- char *client = libcfs_nid2str(req->rq_peer.nid);
- struct obd_connect_data *data, *reply;
- int rc = 0, remote;
- ENTRY;
-
- data = req_capsule_client_get(info->mti_pill, &RMF_CONNECT_DATA);
- reply = req_capsule_server_get(info->mti_pill, &RMF_CONNECT_DATA);
- if (data == NULL || reply == NULL)
- RETURN(-EFAULT);
-
- /* connection from MDT is always trusted */
- if (req->rq_auth_usr_mdt) {
- mdt_init_sec_none(reply, exp);
- RETURN(0);
- }
-
- /* no GSS support case */
- if (!req->rq_auth_gss) {
- if (mdt->mdt_sec_level > LUSTRE_SEC_NONE) {
- CWARN("%s: client %s -> target %s does not user GSS, "
- "can not run under security level %d.\n",
- mdt_obd_name(mdt), client, mdt_obd_name(mdt),
- mdt->mdt_sec_level);
- RETURN(-EACCES);
- } else {
- mdt_init_sec_none(reply, exp);
- RETURN(0);
- }
- }
-
- /* old version case */
- if (unlikely(!(data->ocd_connect_flags & OBD_CONNECT_RMT_CLIENT) ||
- !(data->ocd_connect_flags & OBD_CONNECT_MDS_CAPA) ||
- !(data->ocd_connect_flags & OBD_CONNECT_OSS_CAPA))) {
- if (mdt->mdt_sec_level > LUSTRE_SEC_NONE) {
- CWARN("%s: client %s -> target %s uses old version, "
- "can not run under security level %d.\n",
- mdt_obd_name(mdt), client, mdt_obd_name(mdt),
- mdt->mdt_sec_level);
- RETURN(-EACCES);
- } else {
- CWARN("%s: client %s -> target %s uses old version, "
- "run under security level %d.\n",
- mdt_obd_name(mdt), client, mdt_obd_name(mdt),
- mdt->mdt_sec_level);
- mdt_init_sec_none(reply, exp);
- RETURN(0);
- }
- }
-
- remote = data->ocd_connect_flags & OBD_CONNECT_RMT_CLIENT_FORCE;
- if (remote) {
- if (!req->rq_auth_remote)
- CDEBUG(D_SEC, "%s: client (local realm) %s -> "
- "target %s asked to be remote.\n",
- mdt_obd_name(mdt), client, mdt_obd_name(mdt));
- } else if (req->rq_auth_remote) {
- remote = 1;
- CDEBUG(D_SEC, "%s: client (remote realm) %s -> "
- "target %s is set as remote by default.\n",
- mdt_obd_name(mdt), client, mdt_obd_name(mdt));
- }
-
- if (remote) {
- if (!mdt->mdt_opts.mo_oss_capa) {
- CDEBUG(D_SEC, "%s: client %s -> target %s is set as "
- "remote,but OSS capabilities are not enabled: "
- "%d.\n",
- mdt_obd_name(mdt), client, mdt_obd_name(mdt),
- mdt->mdt_opts.mo_oss_capa);
- RETURN(-EACCES);
- }
- } else {
- if (req->rq_auth_uid == INVALID_UID) {
- CDEBUG(D_SEC, "%s: client %s -> target %s: user is not "
- "authenticated!\n",
- mdt_obd_name(mdt), client, mdt_obd_name(mdt));
- RETURN(-EACCES);
- }
- }
-
- switch (mdt->mdt_sec_level) {
- case LUSTRE_SEC_NONE:
- if (!remote) {
- mdt_init_sec_none(reply, exp);
- break;
- } else {
- CDEBUG(D_SEC, "%s: client %s -> target %s is set as "
- "remote, can not run under security level %d.\n",
- mdt_obd_name(mdt), client, mdt_obd_name(mdt),
- mdt->mdt_sec_level);
- RETURN(-EACCES);
- }
- case LUSTRE_SEC_REMOTE:
- if (!remote)
- mdt_init_sec_none(reply, exp);
- break;
- case LUSTRE_SEC_ALL:
- if (!remote) {
- reply->ocd_connect_flags &= ~(OBD_CONNECT_RMT_CLIENT |
- OBD_CONNECT_RMT_CLIENT_FORCE);
- if (!mdt->mdt_opts.mo_mds_capa)
- reply->ocd_connect_flags &= ~OBD_CONNECT_MDS_CAPA;
- if (!mdt->mdt_opts.mo_oss_capa)
- reply->ocd_connect_flags &= ~OBD_CONNECT_OSS_CAPA;
- }
- break;
- default:
- RETURN(-EINVAL);
- }
-
- RETURN(rc);
-}
-
-int mdt_init_idmap(struct mdt_thread_info *info)
-{
- struct ptlrpc_request *req = mdt_info_req(info);
+ struct ptlrpc_request *req = tgt_ses_req(tsi);
struct mdt_export_data *med = mdt_req2med(req);
struct obd_export *exp = req->rq_export;
char *client = libcfs_nid2str(req->rq_peer.nid);
med->med_idmap = NULL;
CERROR("%s: client %s -> target %s "
"failed to init idmap [%ld]!\n",
- mdt_obd_name(info->mti_mdt), client,
- mdt_obd_name(info->mti_mdt), err);
+ tgt_name(tsi->tsi_tgt), client,
+ tgt_name(tsi->tsi_tgt), err);
RETURN(err);
} else if (!med->med_idmap) {
CERROR("%s: client %s -> target %s "
"failed to init(2) idmap!\n",
- mdt_obd_name(info->mti_mdt), client,
- mdt_obd_name(info->mti_mdt));
+ tgt_name(tsi->tsi_tgt), client,
+ tgt_name(tsi->tsi_tgt));
RETURN(-ENOMEM);
}
CDEBUG(D_SEC, "%s: client %s -> target %s is remote.\n",
- mdt_obd_name(info->mti_mdt), client,
- mdt_obd_name(info->mti_mdt));
+ tgt_name(tsi->tsi_tgt), client,
+ tgt_name(tsi->tsi_tgt));
/* NB, MDS_CONNECT establish root idmap too! */
- rc = mdt_handle_idmap(info);
+ rc = mdt_handle_idmap(tsi);
}
RETURN(rc);
}
ldlm_revoke_export_locks(exp);
}
-int mdt_handle_idmap(struct mdt_thread_info *info)
+int mdt_handle_idmap(struct tgt_session_info *tsi)
{
- struct ptlrpc_request *req = mdt_info_req(info);
- struct mdt_device *mdt = info->mti_mdt;
+ struct ptlrpc_request *req = tgt_ses_req(tsi);
+ struct mdt_device *mdt = mdt_exp2dev(req->rq_export);
struct mdt_export_data *med;
struct ptlrpc_user_desc *pud = req->rq_user_desc;
struct md_identity *identity;
RETURN(0);
med = mdt_req2med(req);
- if (!exp_connect_rmtclient(info->mti_exp))
+ if (!exp_connect_rmtclient(req->rq_export))
RETURN(0);
opc = lustre_msg_get_opc(req->rq_reqmsg);
RETURN(-EACCES);
}
- if (req->rq_auth_mapped_uid == INVALID_UID) {
+ if (!uid_valid(make_kuid(&init_user_ns, req->rq_auth_mapped_uid))) {
CDEBUG(D_SEC, "invalid authorized mapped uid, please check "
"/etc/lustre/idmap.conf!\n");
RETURN(-EACCES);
if (!exp_connect_rmtclient(info->mti_exp))
return;
- if (body->valid & OBD_MD_FLUID) {
- uid_t uid = lustre_idmap_lookup_uid(uc, idmap, 1, body->uid);
+ if (body->mbo_valid & OBD_MD_FLUID) {
+ uid_t uid;
- if (uid == CFS_IDMAP_NOTFOUND) {
- uid = NOBODY_UID;
- if (body->valid & OBD_MD_FLMODE)
- body->mode = (body->mode & ~S_IRWXU) |
- ((body->mode & S_IRWXO) << 6);
- }
+ uid = lustre_idmap_lookup_uid(uc, idmap, 1, body->mbo_uid);
- body->uid = uid;
- }
+ if (uid == CFS_IDMAP_NOTFOUND) {
+ uid = NOBODY_UID;
+ if (body->mbo_valid & OBD_MD_FLMODE)
+ body->mbo_mode = (body->mbo_mode & ~S_IRWXU) |
+ ((body->mbo_mode & S_IRWXO) << 6);
+ }
+
+ body->mbo_uid = uid;
+ }
- if (body->valid & OBD_MD_FLGID) {
- gid_t gid = lustre_idmap_lookup_gid(uc, idmap, 1, body->gid);
+ if (body->mbo_valid & OBD_MD_FLGID) {
+ gid_t gid;
- if (gid == CFS_IDMAP_NOTFOUND) {
- gid = NOBODY_GID;
- if (body->valid & OBD_MD_FLMODE)
- body->mode = (body->mode & ~S_IRWXG) |
- ((body->mode & S_IRWXO) << 3);
- }
+ gid = lustre_idmap_lookup_gid(uc, idmap, 1, body->mbo_gid);
+
+ if (gid == CFS_IDMAP_NOTFOUND) {
+ gid = NOBODY_GID;
+ if (body->mbo_valid & OBD_MD_FLMODE)
+ body->mbo_mode = (body->mbo_mode & ~S_IRWXG) |
+ ((body->mbo_mode & S_IRWXO) << 3);
+ }
- body->gid = gid;
+ body->mbo_gid = gid;
}
}