make getidentity upcall can be enable/disable by hand.
authorfanyong <fanyong>
Sat, 30 Sep 2006 10:15:38 +0000 (10:15 +0000)
committerfanyong <fanyong>
Sat, 30 Sep 2006 10:15:38 +0000 (10:15 +0000)
lustre/mdd/mdd_handler.c
lustre/mdt/mdt_handler.c
lustre/mdt/mdt_idmap.c
lustre/mdt/mdt_internal.h
lustre/mdt/mdt_lib.c

index 7cf8db2..c181b25 100644 (file)
@@ -328,7 +328,8 @@ static int mdd_in_group_p(struct md_ucred *uc, gid_t grp)
         if (grp != uc->mu_fsgid) {
                 struct group_info *group_info = NULL;
 
-                if (uc->mu_ginfo || (uc->mu_valid == UCRED_OLD))
+                if (uc->mu_ginfo || (uc->mu_valid == UCRED_OLD) ||
+                    (!uc->mu_ginfo && !uc->mu_identity))
                         if ((grp == uc->mu_suppgids[0]) ||
                             (grp == uc->mu_suppgids[1]))
                                 return 1;
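Review bot: The added clause `(!uc->mu_ginfo && !uc->mu_identity)` repeats a test the `||` chain has already settled, since it is only evaluated when `uc->mu_ginfo` is NULL; it can be written `|| !uc->mu_identity`. The clause also has no comment saying that a missing identity means group membership is decided from `mu_suppgids[0]` and `mu_suppgids[1]` alone. Where those two gids come from is not visible here, but if they are taken from the client request this is a trust decision worth stating, e.g. `/* no identity (upcall disabled): fall back to the two suppgids carried in the ucred */`. The outer `if` guards a nested `if` without braces, which is easy to misread once the condition spans two lines. mdd_in_group_p continues outside the hunk.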
index 87ccd0b..76cde0d 100644 (file)
@@ -3239,7 +3239,7 @@ static int mdt_init0(const struct lu_env *env, struct mdt_device *m,
         obd->obd_namespace = m->mdt_namespace;
 
         m->mdt_identity_cache = upcall_cache_init(obd->obd_name,
-                                                  MDT_IDENTITY_UPCALL_PATH,
+                                                  "NONE",
                                                   &mdt_identity_upcall_cache_ops);
         if (IS_ERR(m->mdt_identity_cache)) {
                 rc = PTR_ERR(m->mdt_identity_cache);
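Review bot: Replacing `MDT_IDENTITY_UPCALL_PATH` with `"NONE"` changes the default rather than only making the upcall switchable: every MDT now starts with the identity upcall off, and the mdt_lib.c hunks in this commit skip `mdt_identity_get()` in that state. If a disabled default is intended, the commit message should say so; otherwise keep the path as the default and let the administrator set `NONE` explicitly. The literal is also duplicated in `is_identity_get_disabled()` in mdt_internal.h, so a shared define such as `#define MDT_IDENTITY_UPCALL_NONE "NONE"` (name is only a suggestion) would keep the two from drifting apart. mdt_init0 starts and ends outside the hunk.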
index 8a7d8fe..808787c 100644 (file)
@@ -412,6 +412,11 @@ int mdt_handle_idmap(struct mdt_thread_info *info)
                 RETURN(-EACCES);
         }
 
+        if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
+                CERROR("remote client must run with identity_get enabled!\n");
+                RETURN(-EACCES);
+        }
+
         identity = mdt_identity_get(mdt->mdt_identity_cache,
                                     req->rq_auth_mapped_uid);
         if (!identity) {
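Review bot: The new denial in mdt_handle_idmap logs a fixed string with nothing that identifies the request, so an operator cannot tell which client or uid was refused. `req->rq_auth_mapped_uid` is already used two lines below; including it, e.g. `CERROR("remote client (mapped uid %u) needs identity_get enabled\n", req->rq_auth_mapped_uid);`, would make the rejection traceable (the format specifier has to match the field's type, which is not visible here). The same message text is repeated in new_init_ucred in mdt_lib.c and would benefit from the same change. The function body continues outside the hunk.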
index ca6ff65..447019a 100644 (file)
@@ -594,5 +594,10 @@ static inline struct lustre_capa_key *red_capa_key(struct mdt_device *mdt)
         return &mdt->mdt_capa_keys[1];
 }
 
+static inline int is_identity_get_disabled(struct upcall_cache *cache)
+{
+        return cache ? (strcmp(cache->uc_upcall, "NONE") == 0) : 1;
+}
+
 #endif /* __KERNEL__ */
 #endif /* _MDT_H */
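Review bot: `is_identity_get_disabled()` has no comment, and its NULL case is the part callers need to know about: a NULL cache is reported as disabled. In mdt_handle_idmap that refuses the request, but in old_init_ucred and old_init_ucred_reint (mdt_lib.c in this commit) it skips the identity lookup and lets the request continue. A header comment along the lines of `/* Non-zero when the identity upcall is "NONE" or no cache exists; callers then skip mdt_identity_get(). */` would document that. mdt_init0 tests the cache with `IS_ERR()`, so an ERR_PTR value would pass the `cache ?` test and be dereferenced; whether such a value can reach this helper is not visible here. The parameter can be `const struct upcall_cache *cache`, since nothing is written through it.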
index b039b1f..95f3c1b 100644 (file)
@@ -126,11 +126,15 @@ static int old_init_ucred(struct mdt_thread_info *info,
 
         uc->mu_valid = UCRED_INVALID;
 
-        /* get identity info of this user */
-        identity = mdt_identity_get(mdt->mdt_identity_cache, body->fsuid);
-        if (!identity) {
-                CERROR("Deny access without identity: uid %d\n", body->fsuid);
-                RETURN(-EACCES);
+        if (!is_identity_get_disabled(mdt->mdt_identity_cache)) {
+                /* get identity info of this user */
+                identity = mdt_identity_get(mdt->mdt_identity_cache,
+                                            body->fsuid);
+                if (!identity) {
+                        CERROR("Deny access without identity: uid %d\n",
+                               body->fsuid);
+                        RETURN(-EACCES);
+                }
         }
 
         uc->mu_valid = UCRED_OLD;
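Review bot: With the upcall disabled this path never assigns `identity` and still reaches `uc->mu_valid = UCRED_OLD`, so the ids in the request (here `body->fsuid`) appear to be accepted without any server-side lookup. `identity` is declared outside the hunk and needs to be initialised to NULL there, because later code presumably stores it in the ucred and mdd_in_group_p now tests `!uc->mu_identity`. A comment on the new branch, e.g. `/* identity upcall disabled: accept the ids sent by the client, no identity attached */`, would make the trade-off visible to the next reader. The same applies to the identical hunk in old_init_ucred_reint. Both functions extend beyond their hunks.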
@@ -157,11 +161,15 @@ static int old_init_ucred_reint(struct mdt_thread_info *info)
 
         uc->mu_valid = UCRED_INVALID;
 
-        /* get identity info of this user */
-        identity = mdt_identity_get(mdt->mdt_identity_cache, uc->mu_fsuid);
-        if (!identity) {
-                CERROR("Deny access without identity: uid %d\n", uc->mu_fsuid);
-                RETURN(-EACCES);
+        if (!is_identity_get_disabled(mdt->mdt_identity_cache)) {
+                /* get identity info of this user */
+                identity = mdt_identity_get(mdt->mdt_identity_cache,
+                                            uc->mu_fsuid);
+                if (!identity) {
+                        CERROR("Deny access without identity: uid %d\n",
+                               uc->mu_fsuid);
+                        RETURN(-EACCES);
+                }
         }
 
         uc->mu_valid = UCRED_OLD;
@@ -326,6 +334,17 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
                 }
         }
 
+        if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
+                if (med->med_rmtclient) {
+                        CERROR("remote client must run with identity_get "
+                               "enabled!\n");
+                        RETURN(-EACCES);
+                } else {
+                        setxid_perm |= LUSTRE_SETGRP_PERM;
+                        goto check_squash;
+                }
+        }
+
         identity = mdt_identity_get(mdt->mdt_identity_cache, pud->pud_uid);
         if (!identity) {
                 CERROR("Deny access without identity: uid %d\n",
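Review bot: The local-client branch ORs `LUSTRE_SETGRP_PERM` into `setxid_perm` and jumps to `check_squash` with no comment explaining why that permission is granted whenever the upcall is off. The jump skips everything between here and the label, including the check that ends in `GOTO(out, rc = -EACCES)` in the next hunk. `identity` is not assigned on this path, so the code after `check_squash` has to cope with whatever value it was initialised with (the declaration is not visible). If this is the intent, a comment such as `/* no identity upcall: local clients get setgrp permission; identity-based permission checks below are skipped */` should say so. The `else` after `RETURN(-EACCES)` is unnecessary, and this is a bare `goto` where the surrounding code uses the `GOTO()` macro. new_init_ucred starts and ends outside the hunk.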
@@ -358,6 +377,7 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
                 GOTO(out, rc = -EACCES);
         }
 
+check_squash:
         /* FIXME: The exact behavior of root_squash is not defined. */
         root_squashed = mdt_squash_root(mdt, ucred, pud, peernid);
         if (!root_squashed) {