From 63de9170d13d63187b03c48271a72ac7b27e54ba Mon Sep 17 00:00:00 2001 From: Sebastien Buisson Date: Fri, 3 Apr 2015 15:01:25 +0200 Subject: [PATCH] LU-6356 mgs: fix security flavor setting for connection to mgs Security flavor setting for connections to MGS is done with special target '_mgs'. If set, only allow connections to MGS with the given flavor. If not set, all flavors must be allowed. Signed-off-by: Sebastien Buisson Change-Id: Id47aae25f6d5591870656d9926a64e52ab789c56 Reviewed-on: http://review.whamcloud.com/14349 Tested-by: Jenkins Tested-by: Maloo Reviewed-by: Dmitry Eremin Reviewed-by: Jeremy Filizetti Reviewed-by: Oleg Drokin --- lustre/mgs/mgs_handler.c | 4 ++++ lustre/mgs/mgs_internal.h | 2 ++ lustre/mgs/mgs_llog.c | 17 +++++++++++++++++ lustre/target/tgt_handler.c | 10 ++++++++++ 4 files changed, 33 insertions(+) diff --git a/lustre/mgs/mgs_handler.c b/lustre/mgs/mgs_handler.c index a77c1cf..2fc88bf 100644 --- a/lustre/mgs/mgs_handler.c +++ b/lustre/mgs/mgs_handler.c @@ -1084,6 +1084,7 @@ static int mgs_init0(const struct lu_env *env, struct mgs_device *mgs, struct lustre_mount_info *lmi; struct llog_ctxt *ctxt; struct fs_db *fsdb = NULL; + struct fs_db *fsdb_srpc = NULL; int rc; ENTRY; @@ -1164,6 +1165,9 @@ static int mgs_init0(const struct lu_env *env, struct mgs_device *mgs, CERROR("%s: %s fsdb and log setup failed: rc = %d\n", obd->obd_name, PARAMS_FILENAME, rc); + /* Setup _mgs fsdb, useful for srpc */ + mgs__mgs_fsdb_setup(env, mgs, fsdb_srpc); + ptlrpc_init_client(LDLM_CB_REQUEST_PORTAL, LDLM_CB_REPLY_PORTAL, "mgs_ldlm_client", &obd->obd_ldlm_client); diff --git a/lustre/mgs/mgs_internal.h b/lustre/mgs/mgs_internal.h index bf38873..489f0bc 100644 --- a/lustre/mgs/mgs_internal.h +++ b/lustre/mgs/mgs_internal.h 
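Review bot: The result of `mgs__mgs_fsdb_setup(env, mgs, fsdb_srpc);` in the second mgs_init0 hunk of lustre/mgs/mgs_handler.c is discarded, although the params fsdb setup directly above reports its failure through CERROR. The tgt_handler.c part of this patch treats an absent `_mgs` rule as "allow any flavor", so a failed setup here would presumably leave the MGS accepting every flavor with nothing logged; capture it, `rc = mgs__mgs_fsdb_setup(env, mgs, fsdb_srpc);` then `if (rc) CERROR("%s: %s fsdb and log setup failed: rc = %d\n", obd->obd_name, MGSSELF_NAME, rc);`, assuming rc may be reused there as it is for the params call. `fsdb_srpc` from the first hunk is passed by value and the new function in mgs_llog.c takes `&fsdb` of its own copy, so the local is still NULL after the call and, unless it is read outside these hunks, both it and the third parameter can go. mgs_init0 begins and ends outside both hunks.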
@@ -189,6 +189,8 @@ struct mgs_object { int mgs_init_fsdb_list(struct mgs_device *mgs); int mgs_cleanup_fsdb_list(struct mgs_device *mgs); +int mgs__mgs_fsdb_setup(const struct lu_env *env, struct mgs_device *mgs, + struct fs_db *fsdb); int mgs_params_fsdb_setup(const struct lu_env *env, struct mgs_device *mgs, struct fs_db *fsdb); int mgs_params_fsdb_cleanup(const struct lu_env *env, struct mgs_device *mgs); diff --git a/lustre/mgs/mgs_llog.c b/lustre/mgs/mgs_llog.c index b835aa5..7252ee5 100644 --- a/lustre/mgs/mgs_llog.c +++ b/lustre/mgs/mgs_llog.c @@ -348,6 +348,7 @@ static struct fs_db *mgs_new_fsdb(const struct lu_env *env, if (strcmp(fsname, MGSSELF_NAME) == 0) { set_bit(FSDB_MGS_SELF, &fsdb->fsdb_flags); + fsdb->fsdb_mgs = mgs; } else { OBD_ALLOC(fsdb->fsdb_ost_index_map, INDEX_MAP_SIZE); OBD_ALLOC(fsdb->fsdb_mdt_index_map, INDEX_MAP_SIZE); @@ -3072,6 +3073,9 @@ static int mgs_srpc_set_param_mem(struct fs_db *fsdb, } rset = &tgtconf->mtsc_rset; + } else if (strcmp(svname, MGSSELF_NAME) == 0) { + /* put _mgs related srpc rule directly in mgs ruleset */ + rset = &fsdb->fsdb_mgs->mgs_lut.lut_sptlrpc_rset; } else { rset = &fsdb->fsdb_srpc_gen; } @@ -3831,6 +3835,19 @@ static void print_lustre_cfg(struct lustre_cfg *lcfg) EXIT; } +/* Setup _mgs fsdb and log + */ +int mgs__mgs_fsdb_setup(const struct lu_env *env, struct mgs_device *mgs, + struct fs_db *fsdb) +{ + int rc; + ENTRY; + + rc = mgs_find_or_make_fsdb(env, mgs, MGSSELF_NAME, &fsdb); + + RETURN(rc); +} + /* Setup params fsdb and log */ int mgs_params_fsdb_setup(const struct lu_env *env, struct mgs_device *mgs, diff --git a/lustre/target/tgt_handler.c b/lustre/target/tgt_handler.c index 2e369a6..d28c242 100644 --- a/lustre/target/tgt_handler.c +++ b/lustre/target/tgt_handler.c 
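Review bot: The new `else if (strcmp(svname, MGSSELF_NAME) == 0)` branch in mgs_srpc_set_param_mem (lustre/mgs/mgs_llog.c) dereferences `fsdb->fsdb_mgs`, but the mgs_new_fsdb hunk assigns that pointer only when the fsdb itself was created for MGSSELF_NAME. Nothing in the visible lines guarantees that an svname of `_mgs` always arrives with that fsdb, so a rule reaching this branch with any other fsdb would follow an unset pointer in kernel context. Tying the branch to the flag set next to the assignment closes the gap: `} else if (strcmp(svname, MGSSELF_NAME) == 0 && test_bit(FSDB_MGS_SELF, &fsdb->fsdb_flags)) {`. The branch also hands out a pointer into the live `lut_sptlrpc_rset` that the connect path consults; the code that writes through `rset` is outside the hunk, so confirm it is serialized against those readers.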
@@ -931,6 +931,16 @@ int tgt_connect_check_sptlrpc(struct ptlrpc_request *req, struct obd_export *exp
 spin_lock(&exp->exp_lock);
 exp->exp_sp_peer = req->rq_sp_from;
 exp->exp_flvr = flvr;
+
+ /* when on mgs, if no restriction is set, or if client
+ * is loopback, allow any flavor */
+ if ((strcmp(exp->exp_obd->obd_type->typ_name,
+ LUSTRE_MGS_NAME) == 0) &&
+ (exp->exp_flvr.sf_rpc == SPTLRPC_FLVR_NULL ||
+ LNET_NETTYP(LNET_NIDNET(exp->exp_connection->c_peer.nid))
+ == LOLND))
+ exp->exp_flvr.sf_rpc = SPTLRPC_FLVR_ANY;
+
 if (exp->exp_flvr.sf_rpc != SPTLRPC_FLVR_ANY &&
 exp->exp_flvr.sf_rpc != req->rq_flvr.sf_rpc) {
 CERROR("%s: unauthorized rpc flavor %x from %s, "
-- 
1.8.3.1
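Review bot: The added block in tgt_connect_check_sptlrpc widens `exp->exp_flvr.sf_rpc` to SPTLRPC_FLVR_ANY for loopback peers even when an `_mgs` rule is configured, which is broader than the commit message's "if set, only allow connections to MGS with the given flavor". It also uses SPTLRPC_FLVR_NULL as the marker for "no restriction", so an explicitly configured null rule and an absent rule are indistinguishable at this point. Because this is a fail-open default on the connection authentication path, the comment should state both facts, e.g. `/* MGS only: no _mgs rule (seen here as SPTLRPC_FLVR_NULL) or a LOLND peer => accept any flavor; for local peers this overrides a configured rule */`, and a debug-level message when the override fires would make the relaxation visible in traces. The stored `exp_flvr` is overwritten rather than a local copy, so later readers of the export see ANY instead of the configured flavor; the function continues outside the hunk, so confirm that is intended.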