X-Git-Url: https://git.whamcloud.com/?a=blobdiff_plain;f=lustre%2Fobdfilter%2Ffilter_capa.c;h=59cf195e8387ef547ffc972223da700cff27af54;hb=2ba2a15001b898b397c538c0545202f6cc1dff83;hp=83ccbed05d899d789e0082071cec833fee85947e;hpb=d2d56f38da01001c92a09afc6b52b5acbd9bc13c;p=fs%2Flustre-release.git diff --git a/lustre/obdfilter/filter_capa.c b/lustre/obdfilter/filter_capa.c index 83ccbed..59cf195 100644 --- a/lustre/obdfilter/filter_capa.c +++ b/lustre/obdfilter/filter_capa.c @@ -1,24 +1,39 @@ -/* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*- - * vim:expandtab:shiftwidth=8:tabstop=8: +/* + * GPL HEADER START * - * Copyright (C) 2005 Cluster File Systems, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * - * Author: Lai Siyao + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 only, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License version 2 for more details (a copy is included + * in the LICENSE file that accompanied this code). * - * This file is part of Lustre, http://www.lustre.org. + * You should have received a copy of the GNU General Public License + * version 2 along with this program; If not, see + * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf * - * Lustre is free software; you can redistribute it and/or - * modify it under the terms of version 2 of the GNU General Public - * License as published by the Free Software Foundation. + * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, + * CA 95054 USA or visit www.sun.com if you need additional information or + * have any questions. + * + * GPL HEADER END + */ +/* + * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. + * Use is subject to license terms. + */ +/* + * This file is part of Lustre, http://www.lustre.org/ + * Lustre is a trademark of Sun Microsystems, Inc. * - * Lustre is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. + * lustre/obdfilter/filter_capa.c * - * You should have received a copy of the GNU General Public License - * along with Lustre; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * Author: Lai Siyao */ #define DEBUG_SUBSYSTEM S_FILTER @@ -34,93 +49,6 @@ #include "filter_internal.h" -/* - * FIXME - * keep this as simple as possible. we suppose the blacklist usually - * be empry or very short (<5), since long term blacklist should be - * done on MDS side. A more sophisticated blacklist will be implemented - * later. - * - * note blacklist didn't take effect when OSS capability disabled. this - * looks reasonable to me. - */ -#define BLACKLIST_MAX (32) -static int nblacklist = 0; -static uid_t blacklist[BLACKLIST_MAX]; -static spinlock_t blacklist_lock = SPIN_LOCK_UNLOCKED; - -int blacklist_display(char *buf, int bufsize) -{ - char one[16]; - int i; - LASSERT(buf); - - buf[0] = '\0'; - spin_lock(&blacklist_lock); - for (i = 0; i < nblacklist; i++) { - snprintf(one, 16, "%u\n", blacklist[i]); - strncat(buf, one, bufsize); - } - spin_unlock(&blacklist_lock); - return strnlen(buf, bufsize); -} - -void blacklist_add(uid_t uid) -{ - int i; - - spin_lock(&blacklist_lock); - if (nblacklist == BLACKLIST_MAX) { - CERROR("can't add more in blacklist\n"); - spin_unlock(&blacklist_lock); - return; - } - - for (i = 0; i < nblacklist; i++) { - if (blacklist[i] == uid) { - spin_unlock(&blacklist_lock); - return; - } - } - - blacklist[nblacklist++] = uid; - spin_unlock(&blacklist_lock); -} - -void blacklist_del(uid_t uid) -{ - int i; - - spin_lock(&blacklist_lock); - for (i = 0; i < nblacklist; i++) { - if (blacklist[i] == uid) { - nblacklist--; - while (i < nblacklist) { - blacklist[i] = blacklist[i+1]; - i++; - } - spin_unlock(&blacklist_lock); - return; - } - } - spin_unlock(&blacklist_lock); -} - -static int blacklist_check(uid_t uid) -{ - int i, rc = 0; - - spin_lock(&blacklist_lock); - for (i = 0; i < nblacklist; i++) { - if (blacklist[i] == uid) { - rc = 1; - break; - } - } - spin_unlock(&blacklist_lock); - return rc; -} - static inline __u32 filter_ck_keyid(struct filter_capa_key *key) { return key->k_key.lk_keyid; @@ -132,9 +60,9 @@ int filter_update_capa_key(struct obd_device *obd, struct lustre_capa_key *new) struct filter_capa_key *k, *keys[2] = { NULL, NULL }; int i; - spin_lock(&capa_lock); - list_for_each_entry(k, &filter->fo_capa_keys, k_list) { - if (k->k_key.lk_mdsid != new->lk_mdsid) + cfs_spin_lock(&capa_lock); + cfs_list_for_each_entry(k, &filter->fo_capa_keys, k_list) { + if (k->k_key.lk_seq != new->lk_seq) continue; if (keys[0]) { @@ -145,7 +73,7 @@ int filter_update_capa_key(struct obd_device *obd, struct lustre_capa_key *new) keys[0] = k; } } - spin_unlock(&capa_lock); + cfs_spin_unlock(&capa_lock); for (i = 0; i < 2; i++) { if (!keys[i]) @@ -155,9 +83,9 @@ int filter_update_capa_key(struct obd_device *obd, struct lustre_capa_key *new) /* maybe because of recovery or other reasons, MDS sent the * the old capability key again. */ - spin_lock(&capa_lock); + cfs_spin_lock(&capa_lock); keys[i]->k_key = *new; - spin_unlock(&capa_lock); + cfs_spin_unlock(&capa_lock); RETURN(0); } @@ -169,20 +97,20 @@ int filter_update_capa_key(struct obd_device *obd, struct lustre_capa_key *new) OBD_ALLOC_PTR(k); if (!k) RETURN(-ENOMEM); - INIT_LIST_HEAD(&k->k_list); + CFS_INIT_LIST_HEAD(&k->k_list); } - spin_lock(&capa_lock); + cfs_spin_lock(&capa_lock); k->k_key = *new; - if (list_empty(&k->k_list)) - list_add(&k->k_list, &filter->fo_capa_keys); - spin_unlock(&capa_lock); + if (cfs_list_empty(&k->k_list)) + cfs_list_add(&k->k_list, &filter->fo_capa_keys); + cfs_spin_unlock(&capa_lock); DEBUG_CAPA_KEY(D_SEC, new, "new"); RETURN(0); } -int filter_auth_capa(struct obd_export *exp, struct lu_fid *fid, __u64 mdsid, +int filter_auth_capa(struct obd_export *exp, struct lu_fid *fid, obd_seq seq, struct lustre_capa *capa, __u64 opc) { struct obd_device *obd = exp->exp_obd; @@ -194,30 +122,29 @@ int filter_auth_capa(struct obd_export *exp, struct lu_fid *fid, __u64 mdsid, int keys_ready = 0, key_found = 0, rc = 0; ENTRY; + /* skip capa check for llog and obdecho */ + if (!fid_seq_is_mdt(seq)) + RETURN(0); + /* capability is disabled */ if (!filter->fo_fl_oss_capa) RETURN(0); + if (!(exp->exp_connect_flags & OBD_CONNECT_OSS_CAPA)) + RETURN(0); + if (capa == NULL) { if (fid) - CERROR("mdsno/fid/opc "LPU64"/"DFID"/"LPX64 + CERROR("seq/fid/opc "LPU64"/"DFID"/"LPX64 ": no capability has been passed\n", - mdsid, PFID(fid), opc); + seq, PFID(fid), opc); else - CERROR("mdsno/opc "LPU64"/"LPX64 + CERROR("seq/opc "LPU64"/"LPX64 ": no capability has been passed\n", - mdsid, opc); + seq, opc); RETURN(-EACCES); } - if (blacklist_check(capa->lc_uid)) { - DEBUG_CAPA(D_ERROR, capa, "uid %u found in blacklist,", - capa->lc_uid); - RETURN(-EACCES); - } - -#warning "enable fid check in filter_auth_capa() when fid stored in OSS object" - if (opc == CAPA_OPC_OSS_READ) { if (!(capa->lc_opc & CAPA_OPC_OSS_RW)) rc = -EACCES; @@ -231,20 +158,25 @@ int filter_auth_capa(struct obd_export *exp, struct lu_fid *fid, __u64 mdsid, oc = capa_lookup(filter->fo_capa_hash, capa, 0); if (oc) { - spin_lock(&oc->c_lock); + cfs_spin_lock(&oc->c_lock); if (capa_is_expired(oc)) { DEBUG_CAPA(D_ERROR, capa, "expired"); rc = -ESTALE; } - spin_unlock(&oc->c_lock); + cfs_spin_unlock(&oc->c_lock); capa_put(oc); RETURN(rc); } - spin_lock(&capa_lock); - list_for_each_entry(k, &filter->fo_capa_keys, k_list) - if (k->k_key.lk_mdsid == mdsid) { + if (capa_is_expired_sec(capa)) { + DEBUG_CAPA(D_ERROR, capa, "expired"); + RETURN(-ESTALE); + } + + cfs_spin_lock(&capa_lock); + cfs_list_for_each_entry(k, &filter->fo_capa_keys, k_list) { + if (k->k_key.lk_seq == seq) { keys_ready = 1; if (k->k_key.lk_keyid == capa_keyid(capa)) { key = k->k_key; @@ -252,7 +184,8 @@ int filter_auth_capa(struct obd_export *exp, struct lu_fid *fid, __u64 mdsid, break; } } - spin_unlock(&capa_lock); + } + cfs_spin_unlock(&capa_lock); if (!keys_ready) { CDEBUG(D_SEC, "MDS hasn't propagated capability keys yet, " @@ -290,14 +223,76 @@ int filter_auth_capa(struct obd_export *exp, struct lu_fid *fid, __u64 mdsid, RETURN(0); } +int filter_capa_fixoa(struct obd_export *exp, struct obdo *oa, obd_seq seq, + struct lustre_capa *capa) +{ + int rc = 0; + ENTRY; + + /* skip capa check for llog and obdecho */ + if (!fid_seq_is_mdt(seq)) + RETURN(0); + + if (!(exp->exp_connect_flags & OBD_CONNECT_OSS_CAPA)) + RETURN(0); + + if (unlikely(!capa)) + RETURN(-EACCES); + + if (capa_flags(capa) == LC_ID_CONVERT) { + struct obd_device *obd = exp->exp_obd; + struct filter_obd *filter = &obd->u.filter; + struct filter_capa_key *k; + int found = 0; + + cfs_spin_lock(&capa_lock); + cfs_list_for_each_entry(k, &filter->fo_capa_keys, k_list) { + if (k->k_key.lk_seq == seq && + k->k_key.lk_keyid == capa_keyid(capa)) { + found = 1; + break; + } + } + cfs_spin_unlock(&capa_lock); + + if (found) { + union { + __u64 id64; + __u32 id32[2]; + } uid, gid; + __u32 d[4], s[4]; + + uid.id64 = capa_uid(capa); + gid.id64 = capa_gid(capa); + s[0] = uid.id32[0]; + s[1] = uid.id32[1]; + s[2] = gid.id32[0]; + s[3] = gid.id32[1]; + + rc = capa_decrypt_id(d, s, k->k_key.lk_key, + CAPA_HMAC_KEY_MAX_LEN); + if (unlikely(rc)) + RETURN(rc); + + oa->o_uid = d[0]; + oa->o_gid = d[2]; + } else { + DEBUG_CAPA(D_ERROR, capa, "no matched capability key for"); + rc = -ESTALE; + } + } + + RETURN(rc); +} + void filter_free_capa_keys(struct filter_obd *filter) { struct filter_capa_key *key, *n; - spin_lock(&capa_lock); - list_for_each_entry_safe(key, n, &filter->fo_capa_keys, k_list) { - list_del_init(&key->k_list); + cfs_spin_lock(&capa_lock); + cfs_list_for_each_entry_safe(key, n, &filter->fo_capa_keys, k_list) { + cfs_list_del_init(&key->k_list); OBD_FREE(key, sizeof(*key)); } - spin_unlock(&capa_lock); + cfs_spin_unlock(&capa_lock); }