RETURN(0);
}
-int filter_auth_capa(struct obd_export *exp, struct lu_fid *fid, __u64 mdsid,
+int filter_auth_capa(struct obd_export *exp, struct lu_fid *fid, obd_gr group,
struct lustre_capa *capa, __u64 opc)
{
struct obd_device *obd = exp->exp_obd;
struct filter_capa_key *k;
struct lustre_capa_key key;
struct obd_capa *oc;
+ __u64 mdsid;
__u8 *hmac;
int keys_ready = 0, key_found = 0, rc = 0;
ENTRY;
+ /* skip capa check for llog and obdecho */
+ if (!filter_group_is_mds(group))
+ RETURN(0);
+
/* capability is disabled */
if (!filter->fo_fl_oss_capa)
RETURN(0);
+ if (!(exp->exp_connect_flags & OBD_CONNECT_OSS_CAPA))
+ RETURN(0);
+
+ mdsid = objgrp_to_mdsno(group);
if (capa == NULL) {
if (fid)
CERROR("mdsno/fid/opc "LPU64"/"DFID"/"LPX64
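Review bot: The added early return on `!(exp->exp_connect_flags & OBD_CONNECT_OSS_CAPA)` lets filter_auth_capa succeed without looking at `capa` even when `fo_fl_oss_capa` is enabled, so enforcement depends on what the client negotiated at connect time. The hunk does not show whether connect handling refuses such exports when capabilities are meant to be mandatory; if it does not, an export without the flag skips the check entirely. The group test above it, `if (!filter_group_is_mds(group)) RETURN(0);`, raises the same question if `group` is taken from the request. Once the guarantee is confirmed, I would state it at both returns, e.g. `/* export did not negotiate OSS capa; connect must refuse such clients when capa is required */`, and repeat it at the matching returns in filter_capa_fixoa. The body of filter_auth_capa continues outside this hunk.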
RETURN(rc);
}
+ if (capa_is_expired_sec(capa)) {
+ DEBUG_CAPA(D_ERROR, capa, "expired");
+ RETURN(-ESTALE);
+ }
+
spin_lock(&capa_lock);
- list_for_each_entry(k, &filter->fo_capa_keys, k_list)
+ list_for_each_entry(k, &filter->fo_capa_keys, k_list) {
if (k->k_key.lk_mdsid == mdsid) {
keys_ready = 1;
if (k->k_key.lk_keyid == capa_keyid(capa)) {
break;
}
}
+ }
spin_unlock(&capa_lock);
if (!keys_ready) {
RETURN(0);
}
+int filter_capa_fixoa(struct obd_export *exp, struct obdo *oa, obd_gr group,
+ struct lustre_capa *capa)
+{
+ __u64 mdsid;
+ int rc = 0;
+ ENTRY;
+
+ /* skip capa check for llog and obdecho */
+ if (!filter_group_is_mds(group))
+ RETURN(0);
+
+ if (!(exp->exp_connect_flags & OBD_CONNECT_OSS_CAPA))
+ RETURN(0);
+
+ if (unlikely(!capa))
+ RETURN(-EACCES);
+
+ mdsid = objgrp_to_mdsno(group);
+ if (capa_flags(capa) == LC_ID_CONVERT) {
+ struct obd_device *obd = exp->exp_obd;
+ struct filter_obd *filter = &obd->u.filter;
+ struct filter_capa_key *k;
+ int found = 0;
+
+ spin_lock(&capa_lock);
+ list_for_each_entry(k, &filter->fo_capa_keys, k_list) {
+ if (k->k_key.lk_mdsid == mdsid &&
+ k->k_key.lk_keyid == capa_keyid(capa)) {
+ found = 1;
+ break;
+ }
+ }
+ spin_unlock(&capa_lock);
+
+ if (found) {
+ union {
+ __u64 id64;
+ __u32 id32[2];
+ } uid, gid;
+ __u32 d[4], s[4];
+
+ uid.id64 = capa_uid(capa);
+ gid.id64 = capa_gid(capa);
+ s[0] = uid.id32[0];
+ s[1] = uid.id32[1];
+ s[2] = gid.id32[0];
+ s[3] = gid.id32[1];
+
+ rc = capa_decrypt_id(d, s, k->k_key.lk_key,
+ CAPA_HMAC_KEY_MAX_LEN);
+ if (unlikely(rc))
+ RETURN(rc);
+
+ oa->o_uid = d[0];
+ oa->o_gid = d[2];
+ } else {
+ DEBUG_CAPA(D_ERROR, capa, "no matched capability key for");
+ rc = -ESTALE;
+ }
+ }
+
+ RETURN(rc);
+}
+
void filter_free_capa_keys(struct filter_obd *filter)
{
struct filter_capa_key *key, *n;
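Review bot: In filter_capa_fixoa the matched key is read through `k` after `capa_lock` has been dropped: the loop breaks with `k` pointing into `fo_capa_keys`, `spin_unlock(&capa_lock)` follows, and only then is `k->k_key.lk_key` passed to capa_decrypt_id(). If another path can update or free list entries under that lock (filter_free_capa_keys right below suggests entries are freed, though its body is outside the hunk), the decrypt may run on a stale or freed key. Copy the key while the lock is held: declare `struct lustre_capa_key key;`, set `key = k->k_key;` next to `found = 1;`, and pass `key.lk_key` to capa_decrypt_id(). Separately, `oa->o_uid = d[0]; oa->o_gid = d[2];` relies on `id32[0]` being the low half of the 64-bit id, which holds only on little-endian hosts unless the encrypting side packs the words the same way; a one-line comment stating the expected layout would settle it.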