LU-16524 sec: enforce rbac roles

[fs/lustre-release.git] / lustre / ptlrpc / nodemap_handler.c

diff --git a/lustre/ptlrpc/nodemap_handler.c b/lustre/ptlrpc/nodemap_handler.c
index ec1008a..159ea99 100644 (file)
--- a/lustre/ptlrpc/nodemap_handler.c
+++ b/lustre/ptlrpc/nodemap_handler.c
@@ -669,6 +669,12 @@ __u32 nodemap_map_id(struct lu_nodemap *nodemap,
        if (unlikely(nodemap == NULL))
                goto out;
 
+       if (id == 0) {
+               if (nodemap->nmf_allow_root_access)
+                       goto out;
+               goto squash;
+       }
+
        if (id_type == NODEMAP_UID &&
            !(nodemap->nmf_map_mode & NODEMAP_MAP_UID))
                goto out;
@@ -681,13 +687,6 @@ __u32 nodemap_map_id(struct lu_nodemap *nodemap,
            !(nodemap->nmf_map_mode & NODEMAP_MAP_PROJID))
                goto out;
 
-       if (id == 0) {
-               if (nodemap->nmf_allow_root_access)
-                       goto out;
-               else
-                       goto squash;
-       }
-
        if (nodemap->nmf_trust_client_ids)
                goto out;
 
@@ -1185,6 +1184,7 @@ struct lu_nodemap *nodemap_create(const char *name,
                nodemap->nmf_enable_audit = 1;
                nodemap->nmf_forbid_encryption = 0;
                nodemap->nmf_readonly_mount = 0;
+               nodemap->nmf_rbac = NODEMAP_RBAC_ALL;
 
                nodemap->nm_squash_uid = NODEMAP_NOBODY_UID;
                nodemap->nm_squash_gid = NODEMAP_NOBODY_GID;
@@ -1206,6 +1206,7 @@ struct lu_nodemap *nodemap_create(const char *name,
                        default_nodemap->nmf_forbid_encryption;
                nodemap->nmf_readonly_mount =
                        default_nodemap->nmf_readonly_mount;
+               nodemap->nmf_rbac = default_nodemap->nmf_rbac;
 
                nodemap->nm_squash_uid = default_nodemap->nm_squash_uid;
                nodemap->nm_squash_gid = default_nodemap->nm_squash_gid;
@@ -1328,6 +1329,49 @@ out:
 }
 EXPORT_SYMBOL(nodemap_set_mapping_mode);
 
+int nodemap_set_rbac(const char *name, enum nodemap_rbac_roles rbac)
+{
+       struct lu_nodemap *nodemap = NULL;
+       enum nodemap_rbac_roles old_rbac;
+       int rc = 0;
+
+       mutex_lock(&active_config_lock);
+       nodemap = nodemap_lookup(name);
+       mutex_unlock(&active_config_lock);
+       if (IS_ERR(nodemap))
+               GOTO(out, rc = PTR_ERR(nodemap));
+
+       if (is_default_nodemap(nodemap))
+               GOTO(put, rc = -EINVAL);
+
+       old_rbac = nodemap->nmf_rbac;
+       /* if value does not change, do nothing */
+       if (rbac == old_rbac)
+               GOTO(put, rc = 0);
+
+       nodemap->nmf_rbac = rbac;
+       if (rbac == NODEMAP_RBAC_ALL)
+               /* if new value is ALL (default), just delete
+                * NODEMAP_CLUSTER_ROLES idx
+                */
+               rc = nodemap_idx_cluster_roles_del(nodemap);
+       else if (old_rbac == NODEMAP_RBAC_ALL)
+               /* if old value is ALL (default), need to insert
+                * NODEMAP_CLUSTER_ROLES idx
+                */
+               rc = nodemap_idx_cluster_roles_add(nodemap);
+       else
+               /* otherwise just update existing NODEMAP_CLUSTER_ROLES idx */
+               rc = nodemap_idx_cluster_roles_update(nodemap);
+
+       nm_member_revoke_locks(nodemap);
+put:
+       nodemap_putref(nodemap);
+out:
+       return rc;
+}
+EXPORT_SYMBOL(nodemap_set_rbac);
+
 /**
  * Update the squash_uid for a nodemap.
  *
@@ -1445,7 +1489,8 @@ bool nodemap_can_setquota(struct lu_nodemap *nodemap, __u32 qc_type, __u32 id)
        if (!nodemap_active)
                return true;
 
-       if (!nodemap || !nodemap->nmf_allow_root_access)
+       if (!nodemap || !nodemap->nmf_allow_root_access ||
+           !(nodemap->nmf_rbac & NODEMAP_RBAC_QUOTA_OPS))
                return false;
 
        if (qc_type == PRJQUOTA) {