Give the ability to specify an audit_mode flag on a nodemap.
When set to 1, a client pertaining to this nodemap will be able to
record file system access events to the Changelogs, if Changelogs are
otherwise activated.
When set to 0, events are not logged into the Changelogs, regardless of
whether Changelogs are activated.
By default, audit_mode flag is set to 1 in newly created nodemap
entries. And it is also set to 1 on 'default' nodemap.
The idea of disabling audit on a per-nodemap basis is that it would
be possible to have some nodes (e.g. backup, HSM agent nodes) that do
not flood the audit logs.
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: Ieb6c461c443b1734312afef44680d903deee5398
Reviewed-on: https://review.whamcloud.com/28313
Reviewed-by: Jean-Baptiste Riaux <riaux.jb@intel.com>
Reviewed-by: Andreas Dilger <andreas.dilger@intel.com>
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
nmf_deny_unknown:1,
nmf_allow_root_access:1,
nmf_map_uid_only:1,
- nmf_map_gid_only:1;
+ nmf_map_gid_only:1,
+ nmf_enable_audit:1;
/* unique ID set by MGS */
unsigned int nm_id;
/* nodemap ref counter */
int nodemap_set_mapping_mode(const char *name, enum nodemap_mapping_modes mode);
int nodemap_set_squash_uid(const char *name, uid_t uid);
int nodemap_set_squash_gid(const char *name, gid_t gid);
+int nodemap_set_audit_mode(const char *name, bool enable_audit);
bool nodemap_can_setquota(const struct lu_nodemap *nodemap);
int nodemap_add_idmap(const char *name, enum nodemap_id_type id_type,
const __u32 map[2]);
* users
*/
LCFG_NODEMAP_MAP_MODE = 0x00ce059, /**< set the mapping mode */
+ LCFG_NODEMAP_AUDIT_MODE = 0x00ce05a, /**< set the audit mode */
};
struct lustre_cfg_bufs {
case LCFG_NODEMAP_SQUASH_UID:
case LCFG_NODEMAP_SQUASH_GID:
case LCFG_NODEMAP_MAP_MODE:
+ case LCFG_NODEMAP_AUDIT_MODE:
if (lcfg->lcfg_bufcount != 4)
GOTO(out_lcfg, rc = -EINVAL);
nodemap_name = lustre_cfg_string(lcfg, 1);
bool_switch = simple_strtoul(param, NULL, 10);
rc = nodemap_set_deny_unknown(nodemap_name, bool_switch);
break;
+ case LCFG_NODEMAP_AUDIT_MODE:
+ rc = kstrtoul(param, 10, (unsigned long *)&bool_switch);
+ if (rc == 0)
+ rc = nodemap_set_audit_mode(nodemap_name, bool_switch);
+ break;
case LCFG_NODEMAP_MAP_MODE:
if (strcmp("both", param) == 0)
rc = nodemap_set_mapping_mode(nodemap_name,
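Review bot: The `(unsigned long *)&bool_switch` cast in the added LCFG_NODEMAP_AUDIT_MODE case makes kstrtoul() store a full unsigned long through the address of `bool_switch`, whose declaration is outside the hunk. If it is a `bool`, as its name and the `bool enable_audit` parameter suggest, the store overruns the variable on the stack. The case also accepts any non-zero number rather than only 0 and 1. Parse into a correctly typed local and range-check it: `unsigned long val;`, then `rc = kstrtoul(param, 10, &val);` and `if (rc == 0 && val > 1) rc = -EINVAL;` before calling `nodemap_set_audit_mode(nodemap_name, val)`. The enclosing switch starts and ends outside the hunk.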
nodemap->nmf_deny_unknown = 0;
nodemap->nmf_map_uid_only = 0;
nodemap->nmf_map_gid_only = 0;
+ nodemap->nmf_enable_audit = 1;
nodemap->nm_squash_uid = NODEMAP_NOBODY_UID;
nodemap->nm_squash_gid = NODEMAP_NOBODY_GID;
default_nodemap->nmf_map_uid_only;
nodemap->nmf_map_gid_only =
default_nodemap->nmf_map_gid_only;
+ nodemap->nmf_enable_audit =
+ default_nodemap->nmf_enable_audit;
nodemap->nm_squash_uid = default_nodemap->nm_squash_uid;
nodemap->nm_squash_gid = default_nodemap->nm_squash_gid;
EXPORT_SYMBOL(nodemap_can_setquota);
/**
+ * Set the nmf_enable_audit flag to true or false.
+ * \param name nodemap name
+ * \param audit_mode if true, allow audit
+ * \retval 0 on success
+ *
+ */
+int nodemap_set_audit_mode(const char *name, bool enable_audit)
+{
+ struct lu_nodemap *nodemap = NULL;
+ int rc = 0;
+
+ mutex_lock(&active_config_lock);
+ nodemap = nodemap_lookup(name);
+ mutex_unlock(&active_config_lock);
+ if (IS_ERR(nodemap))
+ GOTO(out, rc = PTR_ERR(nodemap));
+
+ nodemap->nmf_enable_audit = enable_audit;
+ rc = nodemap_idx_nodemap_update(nodemap);
+
+ nm_member_revoke_locks(nodemap);
+ nodemap_putref(nodemap);
+out:
+ return rc;
+}
+EXPORT_SYMBOL(nodemap_set_audit_mode);
+
+
+/**
* Add a nodemap
*
* \param name name of nodemap
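Review bot: nodemap_set_audit_mode() assigns `nmf_enable_audit` before calling nodemap_idx_nodemap_update() and keeps the new value whatever that call returns. If the update can fail, the caller gets an error while the in-memory audit setting already differs from the stored one. For a flag that switches audit logging off, consider saving the old value with `bool old = nodemap->nmf_enable_audit;` and restoring it with `if (rc != 0) nodemap->nmf_enable_audit = old;`. Since this switch decides whether a nodemap's clients are audited at all, it would also help to log the change itself. The doc comment names `\param audit_mode` while the parameter is `enable_audit`, and `\retval 0 on success` omits the error returned when the lookup or index update fails; suggest `\param enable_audit if true, allow audit` plus a `\retval` line for the negative error code.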
return 0;
}
+/**
+ * Reads and prints the audit_mode flag for the given nodemap.
+ *
+ * \param m seq file in proc fs
+ * \param data unused
+ * \retval 0 success
+ */
+static int nodemap_audit_mode_seq_show(struct seq_file *m, void *data)
+{
+ struct lu_nodemap *nodemap;
+ int rc;
+
+ mutex_lock(&active_config_lock);
+ nodemap = nodemap_lookup(m->private);
+ mutex_unlock(&active_config_lock);
+ if (IS_ERR(nodemap)) {
+ rc = PTR_ERR(nodemap);
+ CERROR("cannot find nodemap '%s': rc = %d\n",
+ (char *)m->private, rc);
+ return rc;
+ }
+
+ seq_printf(m, "%d\n", (int)nodemap->nmf_enable_audit);
+ nodemap_putref(nodemap);
+ return 0;
+}
+
#ifdef NODEMAP_PROC_DEBUG
/**
* Helper functions to set nodemap flags.
LPROC_SEQ_FOPS_RO(nodemap_deny_unknown);
LPROC_SEQ_FOPS_RO(nodemap_map_mode);
+LPROC_SEQ_FOPS_RO(nodemap_audit_mode);
const struct file_operations nodemap_ranges_fops = {
.open = nodemap_ranges_open,
.fops = &nodemap_map_mode_fops,
},
{
+ .name = "audit_mode",
+ .fops = &nodemap_audit_mode_fops,
+ },
+ {
.name = "squash_uid",
.fops = &nodemap_squash_uid_fops,
},
.fops = &nodemap_exports_fops,
},
{
+ .name = "audit_mode",
+ .fops = &nodemap_audit_mode_fops,
+ },
+ {
NULL
}
};
NM_FL_DENY_UNKNOWN = 0x4,
NM_FL_MAP_UID_ONLY = 0x8,
NM_FL_MAP_GID_ONLY = 0x10,
+ NM_FL_ENABLE_AUDIT = 0x20,
};
static void nodemap_cluster_key_init(struct nodemap_key *nk, unsigned int nm_id)
(nodemap->nmf_map_uid_only ?
NM_FL_MAP_UID_ONLY : 0) |
(nodemap->nmf_map_gid_only ?
- NM_FL_MAP_GID_ONLY : 0));
+ NM_FL_MAP_GID_ONLY : 0) |
+ (nodemap->nmf_enable_audit ?
+ NM_FL_ENABLE_AUDIT : 0));
}
static void nodemap_idmap_key_init(struct nodemap_key *nk, unsigned int nm_id,
flags & NM_FL_MAP_UID_ONLY;
nodemap->nmf_map_gid_only =
flags & NM_FL_MAP_GID_ONLY;
+ nodemap->nmf_enable_audit =
+ flags & NM_FL_ENABLE_AUDIT;
if (*recent_nodemap == NULL) {
*recent_nodemap = nodemap;
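Review bot: The added `nodemap->nmf_enable_audit = flags & NM_FL_ENABLE_AUDIT;` takes the audit setting from the stored flags word, so a record written before NM_FL_ENABLE_AUDIT existed would presumably load with audit off, although the commit message says audit defaults to 1. If such records can be present after an upgrade, those nodemaps would stop producing audit events without any administrator action. Options are to store the inverse (a "disable audit" bit, so an absent bit means enabled) or to document that audit_mode must be re-enabled after upgrading. Separately, the assignment puts 0x20 into a one-bit field and relies on the field's type, which is not visible on this page, being `bool`; `!!(flags & NM_FL_ENABLE_AUDIT)` would not depend on that. The enclosing function starts and ends outside the hunk.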
fprintf(stderr, "usage: nodemap_modify --name <nodemap_name> "
"--property <property_name> --value <value>\n");
fprintf(stderr, "valid properties: admin trusted map_mode "
- "squash_uid squash_gid deny_unknown\n");
+ "squash_uid squash_gid deny_unknown audit_mode\n");
return -1;
}
cmd = LCFG_NODEMAP_SQUASH_GID;
} else if (strcmp("map_mode", param) == 0) {
cmd = LCFG_NODEMAP_MAP_MODE;
+ } else if (strcmp("audit_mode", param) == 0) {
+ cmd = LCFG_NODEMAP_AUDIT_MODE;
} else {
fprintf(stderr, "error: %s: nodemap_modify invalid "
"subcommand: %s\n",