From 942a9853f7b4c6fe22729468f1802ab782087e4e Mon Sep 17 00:00:00 2001 From: Sebastien Buisson Date: Wed, 2 Aug 2017 18:44:33 +0900 Subject: [PATCH] LU-9727 nodemap: add audit_mode flag to nodemap Give the ability to specify an audit_mode flag on a nodemap. When set to 1, a client pertaining to this nodemap will be able to record file system access events to the Changelogs, if Changelogs are otherwise activated. When set to 0, events are not logged into the Changelogs, no matter Changelogs are activated or not. By default, audit_mode flag is set to 1 in newly created nodemap entries. And it is also set to 1 on 'default' nodemap. The idea of disabling audit on a per-nodemap basis is that it would be possible to have some nodes (e.g. backup, HSM agent nodes) that do not flood the audit logs. Signed-off-by: Sebastien Buisson Change-Id: Ieb6c461c443b1734312afef44680d903deee5398 Reviewed-on: https://review.whamcloud.com/28313 Reviewed-by: Jean-Baptiste Riaux Reviewed-by: Andreas Dilger Tested-by: Jenkins Tested-by: Maloo Reviewed-by: Oleg Drokin --- lustre/include/lustre_nodemap.h | 4 ++- lustre/include/uapi/linux/lustre/lustre_cfg.h | 1 + lustre/mgs/mgs_handler.c | 1 + lustre/mgs/mgs_llog.c | 5 ++++ lustre/ptlrpc/nodemap_handler.c | 32 ++++++++++++++++++++++++ lustre/ptlrpc/nodemap_lproc.c | 36 +++++++++++++++++++++++++++ lustre/ptlrpc/nodemap_storage.c | 7 +++++- lustre/utils/obd.c | 4 ++- 8 files changed, 87 insertions(+), 3 deletions(-) diff --git a/lustre/include/lustre_nodemap.h b/lustre/include/lustre_nodemap.h index f637d93..9fa9d1c 100644 --- a/lustre/include/lustre_nodemap.h +++ b/lustre/include/lustre_nodemap.h @@ -76,7 +76,8 @@ struct lu_nodemap { nmf_deny_unknown:1, nmf_allow_root_access:1, nmf_map_uid_only:1, - nmf_map_gid_only:1; + nmf_map_gid_only:1, + nmf_enable_audit:1; /* unique ID set by MGS */ unsigned int nm_id; /* nodemap ref counter */ 
@@ -135,6 +136,7 @@ int nodemap_set_deny_unknown(const char *name, bool deny_unknown); int nodemap_set_mapping_mode(const char *name, enum nodemap_mapping_modes mode); int nodemap_set_squash_uid(const char *name, uid_t uid); int nodemap_set_squash_gid(const char *name, gid_t gid); +int nodemap_set_audit_mode(const char *name, bool enable_audit); bool nodemap_can_setquota(const struct lu_nodemap *nodemap); int nodemap_add_idmap(const char *name, enum nodemap_id_type id_type, const __u32 map[2]); diff --git a/lustre/include/uapi/linux/lustre/lustre_cfg.h b/lustre/include/uapi/linux/lustre/lustre_cfg.h index c71be81..b5d6cb9 100644 --- a/lustre/include/uapi/linux/lustre/lustre_cfg.h +++ b/lustre/include/uapi/linux/lustre/lustre_cfg.h @@ -148,6 +148,7 @@ enum lcfg_command_type { * users */ LCFG_NODEMAP_MAP_MODE = 0x00ce059, /**< set the mapping mode */ + LCFG_NODEMAP_AUDIT_MODE = 0x00ce05a, /**< set the audit mode */ }; struct lustre_cfg_bufs { diff --git a/lustre/mgs/mgs_handler.c b/lustre/mgs/mgs_handler.c index 20ccd7e..c1d4f58 100644 --- a/lustre/mgs/mgs_handler.c +++ b/lustre/mgs/mgs_handler.c @@ -884,6 +884,7 @@ static int mgs_iocontrol_nodemap(const struct lu_env *env, case LCFG_NODEMAP_SQUASH_UID: case LCFG_NODEMAP_SQUASH_GID: case LCFG_NODEMAP_MAP_MODE: + case LCFG_NODEMAP_AUDIT_MODE: if (lcfg->lcfg_bufcount != 4) GOTO(out_lcfg, rc = -EINVAL); nodemap_name = lustre_cfg_string(lcfg, 1); diff --git a/lustre/mgs/mgs_llog.c b/lustre/mgs/mgs_llog.c index 530d3ca..e9c0b74 100644 --- a/lustre/mgs/mgs_llog.c +++ b/lustre/mgs/mgs_llog.c 
@@ -5116,6 +5116,11 @@ int mgs_nodemap_cmd(const struct lu_env *env, struct mgs_device *mgs, bool_switch = simple_strtoul(param, NULL, 10); rc = nodemap_set_deny_unknown(nodemap_name, bool_switch); break; + case LCFG_NODEMAP_AUDIT_MODE: + rc = kstrtoul(param, 10, (unsigned long *)&bool_switch); + if (rc == 0) + rc = nodemap_set_audit_mode(nodemap_name, bool_switch); + break; case LCFG_NODEMAP_MAP_MODE: if (strcmp("both", param) == 0) rc = nodemap_set_mapping_mode(nodemap_name, diff --git a/lustre/ptlrpc/nodemap_handler.c b/lustre/ptlrpc/nodemap_handler.c index dd10288..41d8984 100644 --- a/lustre/ptlrpc/nodemap_handler.c +++ b/lustre/ptlrpc/nodemap_handler.c @@ -1055,6 +1055,7 @@ struct lu_nodemap *nodemap_create(const char *name, nodemap->nmf_deny_unknown = 0; nodemap->nmf_map_uid_only = 0; nodemap->nmf_map_gid_only = 0; + nodemap->nmf_enable_audit = 1; nodemap->nm_squash_uid = NODEMAP_NOBODY_UID; nodemap->nm_squash_gid = NODEMAP_NOBODY_GID; @@ -1073,6 +1074,8 @@ struct lu_nodemap *nodemap_create(const char *name, default_nodemap->nmf_map_uid_only; nodemap->nmf_map_gid_only = default_nodemap->nmf_map_gid_only; + nodemap->nmf_enable_audit = + default_nodemap->nmf_enable_audit; nodemap->nm_squash_uid = default_nodemap->nm_squash_uid; nodemap->nm_squash_gid = default_nodemap->nm_squash_gid; 
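Review bot: In the new `LCFG_NODEMAP_AUDIT_MODE` case, `kstrtoul(param, 10, (unsigned long *)&bool_switch)` stores a full `unsigned long` through a cast pointer. The cast suggests `bool_switch` (declared outside this hunk) has a different type, and if it is narrower the store overruns it on the stack of `mgs_nodemap_cmd`. The value is also not range-checked, so inputs other than 0 and 1 are accepted. Parse into a correctly typed local and reject other values, `unsigned long val; rc = kstrtoul(param, 10, &val); if (rc == 0 && val > 1) rc = -EINVAL;`, then pass `val` to `nodemap_set_audit_mode()`. The function body starts and ends outside the hunk.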
@@ -1286,6 +1289,35 @@ bool nodemap_can_setquota(const struct lu_nodemap *nodemap) EXPORT_SYMBOL(nodemap_can_setquota); /** + * Set the nmf_enable_audit flag to true or false. + * \param name nodemap name + * \param audit_mode if true, allow audit + * \retval 0 on success + * + */ +int nodemap_set_audit_mode(const char *name, bool enable_audit) +{ + struct lu_nodemap *nodemap = NULL; + int rc = 0; + + mutex_lock(&active_config_lock); + nodemap = nodemap_lookup(name); + mutex_unlock(&active_config_lock); + if (IS_ERR(nodemap)) + GOTO(out, rc = PTR_ERR(nodemap)); + + nodemap->nmf_enable_audit = enable_audit; + rc = nodemap_idx_nodemap_update(nodemap); + + nm_member_revoke_locks(nodemap); + nodemap_putref(nodemap); +out: + return rc; +} +EXPORT_SYMBOL(nodemap_set_audit_mode); + + +/** * Add a nodemap * * \param name name of nodemap diff --git a/lustre/ptlrpc/nodemap_lproc.c b/lustre/ptlrpc/nodemap_lproc.c index 28bd018..047af69 100644 --- a/lustre/ptlrpc/nodemap_lproc.c +++ b/lustre/ptlrpc/nodemap_lproc.c @@ -541,6 +541,33 @@ static int nodemap_deny_unknown_seq_show(struct seq_file *m, void *data) return 0; } +/** + * Reads and prints the audit_mode flag for the given nodemap. + * + * \param m seq file in proc fs + * \param data unused + * \retval 0 success + */ +static int nodemap_audit_mode_seq_show(struct seq_file *m, void *data) +{ + struct lu_nodemap *nodemap; + int rc; + + mutex_lock(&active_config_lock); + nodemap = nodemap_lookup(m->private); + mutex_unlock(&active_config_lock); + if (IS_ERR(nodemap)) { + rc = PTR_ERR(nodemap); + CERROR("cannot find nodemap '%s': rc = %d\n", + (char *)m->private, rc); + return rc; + } + + seq_printf(m, "%d\n", (int)nodemap->nmf_enable_audit); + nodemap_putref(nodemap); + return 0; +} + #ifdef NODEMAP_PROC_DEBUG /** * Helper functions to set nodemap flags. 
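Review bot: `nodemap_set_audit_mode()` writes `nodemap->nmf_enable_audit` before calling `nodemap_idx_nodemap_update()` and does not restore it when that call fails. A failed index update therefore leaves the running flag different from the stored one, while the caller is told the change did not succeed. Because this flag decides whether a nodemap's clients are audited, keep the previous value with `bool old = nodemap->nmf_enable_audit;` and restore it with `if (rc != 0) nodemap->nmf_enable_audit = old;`. The doc comment also names the parameter `audit_mode` while the signature uses `enable_audit`; `\param enable_audit if true, allow audit` would match.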
@@ -1147,6 +1174,7 @@ LPROC_SEQ_FOPS_RO(nodemap_squash_gid); LPROC_SEQ_FOPS_RO(nodemap_deny_unknown); LPROC_SEQ_FOPS_RO(nodemap_map_mode); +LPROC_SEQ_FOPS_RO(nodemap_audit_mode); const struct file_operations nodemap_ranges_fops = { .open = nodemap_ranges_open, @@ -1191,6 +1219,10 @@ static struct lprocfs_vars lprocfs_nodemap_vars[] = { .fops = &nodemap_map_mode_fops, }, { + .name = "audit_mode", + .fops = &nodemap_audit_mode_fops, + }, + { .name = "squash_uid", .fops = &nodemap_squash_uid_fops, }, @@ -1249,6 +1281,10 @@ static struct lprocfs_vars lprocfs_default_nodemap_vars[] = { .fops = &nodemap_exports_fops, }, { + .name = "audit_mode", + .fops = &nodemap_audit_mode_fops, + }, + { NULL } }; diff --git a/lustre/ptlrpc/nodemap_storage.c b/lustre/ptlrpc/nodemap_storage.c index 96ec978..65a8884 100644 --- a/lustre/ptlrpc/nodemap_storage.c +++ b/lustre/ptlrpc/nodemap_storage.c @@ -74,6 +74,7 @@ enum nm_flag_shifts { NM_FL_DENY_UNKNOWN = 0x4, NM_FL_MAP_UID_ONLY = 0x8, NM_FL_MAP_GID_ONLY = 0x10, + NM_FL_ENABLE_AUDIT = 0x20, }; static void nodemap_cluster_key_init(struct nodemap_key *nk, unsigned int nm_id) @@ -101,7 +102,9 @@ static void nodemap_cluster_rec_init(union nodemap_rec *nr, (nodemap->nmf_map_uid_only ? NM_FL_MAP_UID_ONLY : 0) | (nodemap->nmf_map_gid_only ? - NM_FL_MAP_GID_ONLY : 0)); + NM_FL_MAP_GID_ONLY : 0) | + (nodemap->nmf_enable_audit ? + NM_FL_ENABLE_AUDIT : 0)); } static void nodemap_idmap_key_init(struct nodemap_key *nk, unsigned int nm_id, @@ -751,6 +754,8 @@ static int nodemap_process_keyrec(struct nodemap_config *config, flags & NM_FL_MAP_UID_ONLY; nodemap->nmf_map_gid_only = flags & NM_FL_MAP_GID_ONLY; + nodemap->nmf_enable_audit = + flags & NM_FL_ENABLE_AUDIT; if (*recent_nodemap == NULL) { *recent_nodemap = nodemap; diff --git a/lustre/utils/obd.c b/lustre/utils/obd.c index d5378a9..1f641ae 100644 --- a/lustre/utils/obd.c +++ b/lustre/utils/obd.c 
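Review bot: In the `nodemap_process_keyrec` hunk, `nmf_enable_audit` is loaded from `flags & NM_FL_ENABLE_AUDIT`, so a cluster record written before this change, which cannot have bit 0x20 set, appears to load with audit disabled, although the commit message says the flag defaults to 1. If that reading is right, existing nodemaps would stop recording to the Changelogs after an upgrade until an administrator sets `audit_mode` again. One option is to store the inverse sense on disk so that an absent bit means audit is enabled; another is to document the upgrade step. Separately, the assignment relies on the bit-field's type (declared outside the visible hunk of lustre_nodemap.h) converting 0x20 to 1; `!!(flags & NM_FL_ENABLE_AUDIT)` makes that explicit. The function body starts and ends outside the hunk.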
@@ -3668,7 +3668,7 @@ int jt_nodemap_modify(int argc, char **argv) fprintf(stderr, "usage: nodemap_modify --name " "--property --value \n"); fprintf(stderr, "valid properties: admin trusted map_mode " - "squash_uid squash_gid deny_unknown\n"); + "squash_uid squash_gid deny_unknown audit_mode\n"); return -1; } @@ -3684,6 +3684,8 @@ int jt_nodemap_modify(int argc, char **argv) cmd = LCFG_NODEMAP_SQUASH_GID; } else if (strcmp("map_mode", param) == 0) { cmd = LCFG_NODEMAP_MAP_MODE; + } else if (strcmp("audit_mode", param) == 0) { + cmd = LCFG_NODEMAP_AUDIT_MODE; } else { fprintf(stderr, "error: %s: nodemap_modify invalid " "subcommand: %s\n", -- 1.8.3.1