LU-6356 mgs: fix security flavor setting for connection to mgs

Security flavor setting for connections to MGS is done with special
target '_mgs'. If set, only allow connections to MGS with the given
flavor. If not set, all flavors must be allowed.

Signed-off-by: Sebastien Buisson <sebastien.buisson@bull.net>
Change-Id: Id47aae25f6d5591870656d9926a64e52ab789c56
Reviewed-on: http://review.whamcloud.com/14349
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Dmitry Eremin <dmitry.eremin@intel.com>
Reviewed-by: Jeremy Filizetti <jeremy.filizetti@gmail.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>

diff --git a/lustre/mgs/mgs_handler.c b/lustre/mgs/mgs_handler.c
index a77c1cf..2fc88bf 100644 (file)
--- a/lustre/mgs/mgs_handler.c
+++ b/lustre/mgs/mgs_handler.c
@@ -1084,6 +1084,7 @@ static int mgs_init0(const struct lu_env *env, struct mgs_device *mgs,
        struct lustre_mount_info        *lmi;
        struct llog_ctxt                *ctxt;
        struct fs_db                    *fsdb = NULL;
+       struct fs_db                    *fsdb_srpc = NULL;
        int                              rc;
 
        ENTRY;
@@ -1164,6 +1165,9 @@ static int mgs_init0(const struct lu_env *env, struct mgs_device *mgs,
                CERROR("%s: %s fsdb and log setup failed: rc = %d\n",
                       obd->obd_name, PARAMS_FILENAME, rc);
 
+       /* Setup _mgs fsdb, useful for srpc */
+       mgs__mgs_fsdb_setup(env, mgs, fsdb_srpc);
+
        ptlrpc_init_client(LDLM_CB_REQUEST_PORTAL, LDLM_CB_REPLY_PORTAL,
                           "mgs_ldlm_client", &obd->obd_ldlm_client);
 

diff --git a/lustre/mgs/mgs_internal.h b/lustre/mgs/mgs_internal.h
index bf38873..489f0bc 100644 (file)
--- a/lustre/mgs/mgs_internal.h
+++ b/lustre/mgs/mgs_internal.h
@@ -189,6 +189,8 @@ struct mgs_object {
 
 int mgs_init_fsdb_list(struct mgs_device *mgs);
 int mgs_cleanup_fsdb_list(struct mgs_device *mgs);
+int mgs__mgs_fsdb_setup(const struct lu_env *env, struct mgs_device *mgs,
+                       struct fs_db *fsdb);
 int mgs_params_fsdb_setup(const struct lu_env *env, struct mgs_device *mgs,
                          struct fs_db *fsdb);
 int mgs_params_fsdb_cleanup(const struct lu_env *env, struct mgs_device *mgs);

diff --git a/lustre/mgs/mgs_llog.c b/lustre/mgs/mgs_llog.c
index b835aa5..7252ee5 100644 (file)
--- a/lustre/mgs/mgs_llog.c
+++ b/lustre/mgs/mgs_llog.c
@@ -348,6 +348,7 @@ static struct fs_db *mgs_new_fsdb(const struct lu_env *env,
 
         if (strcmp(fsname, MGSSELF_NAME) == 0) {
                set_bit(FSDB_MGS_SELF, &fsdb->fsdb_flags);
+               fsdb->fsdb_mgs = mgs;
         } else {
                 OBD_ALLOC(fsdb->fsdb_ost_index_map, INDEX_MAP_SIZE);
                 OBD_ALLOC(fsdb->fsdb_mdt_index_map, INDEX_MAP_SIZE);
@@ -3072,6 +3073,9 @@ static int mgs_srpc_set_param_mem(struct fs_db *fsdb,
                 }
 
                 rset = &tgtconf->mtsc_rset;
+       } else if (strcmp(svname, MGSSELF_NAME) == 0) {
+               /* put _mgs related srpc rule directly in mgs ruleset */
+               rset = &fsdb->fsdb_mgs->mgs_lut.lut_sptlrpc_rset;
         } else {
                 rset = &fsdb->fsdb_srpc_gen;
         }
@@ -3831,6 +3835,19 @@ static void print_lustre_cfg(struct lustre_cfg *lcfg)
         EXIT;
 }
 
+/* Setup _mgs fsdb and log
+ */
+int mgs__mgs_fsdb_setup(const struct lu_env *env, struct mgs_device *mgs,
+                         struct fs_db *fsdb)
+{
+       int                     rc;
+       ENTRY;
+
+       rc = mgs_find_or_make_fsdb(env, mgs, MGSSELF_NAME, &fsdb);
+
+       RETURN(rc);
+}
+
 /* Setup params fsdb and log
  */
 int mgs_params_fsdb_setup(const struct lu_env *env, struct mgs_device *mgs,

diff --git a/lustre/target/tgt_handler.c b/lustre/target/tgt_handler.c
index 2e369a6..d28c242 100644 (file)
--- a/lustre/target/tgt_handler.c
+++ b/lustre/target/tgt_handler.c
@@ -931,6 +931,16 @@ int tgt_connect_check_sptlrpc(struct ptlrpc_request *req, struct obd_export *exp
                spin_lock(&exp->exp_lock);
                exp->exp_sp_peer = req->rq_sp_from;
                exp->exp_flvr = flvr;
+
+               /* when on mgs, if no restriction is set, or if client
+                * is loopback, allow any flavor */
+               if ((strcmp(exp->exp_obd->obd_type->typ_name,
+                          LUSTRE_MGS_NAME) == 0) &&
+                    (exp->exp_flvr.sf_rpc == SPTLRPC_FLVR_NULL ||
+                     LNET_NETTYP(LNET_NIDNET(exp->exp_connection->c_peer.nid))
+                     == LOLND))
+                       exp->exp_flvr.sf_rpc = SPTLRPC_FLVR_ANY;
+
                if (exp->exp_flvr.sf_rpc != SPTLRPC_FLVR_ANY &&
                    exp->exp_flvr.sf_rpc != req->rq_flvr.sf_rpc) {
                        CERROR("%s: unauthorized rpc flavor %x from %s, "