From 881e4d68346be5623c4045dad0d6a50d4954f6fb Mon Sep 17 00:00:00 2001
From: "John L. Hammond"
Date: Mon, 16 May 2016 13:00:25 +0800
Subject: [PATCH] LU-8298 sec: remove obsolete sec_level parameter

Remove the obsolete sec_level parameter and supporting code.

Signed-off-by: John L. Hammond
Change-Id: I073e8093f4a7f0c5faf19112a5f84076016361de
Reviewed-on: http://review.whamcloud.com/20879
Tested-by: Jenkins
Tested-by: Maloo
Reviewed-by: Fan Yong
Reviewed-by: Sebastien Buisson
Reviewed-by: Oleg Drokin
---
 lustre/include/lu_target.h | 1 -
 lustre/include/lustre_sec.h | 7 ----
 lustre/mdt/mdt_lproc.c | 41 -------------------
 lustre/obdclass/obd_config.c | 5 +++
 lustre/target/tgt_handler.c | 89 ------------------------------------------
 lustre/tests/sanity-sec.sh | 1 -
 lustre/tests/test-framework.sh | 2 -
 7 files changed, 5 insertions(+), 141 deletions(-)

diff --git a/lustre/include/lu_target.h b/lustre/include/lu_target.h
index a08bd45..10b045b 100644
--- a/lustre/include/lu_target.h
+++ b/lustre/include/lu_target.h
@@ -131,7 +131,6 @@ struct lu_target {
 rwlock_t lut_sptlrpc_lock;
 struct sptlrpc_rule_set lut_sptlrpc_rset;
 spinlock_t lut_flags_lock;
- int lut_sec_level;
 unsigned int lut_syncjournal:1,
 lut_sync_lock_cancel:2,
 /* e.g. OST node */
diff --git a/lustre/include/lustre_sec.h b/lustre/include/lustre_sec.h
index 306215a..47dd3a8 100644
--- a/lustre/include/lustre_sec.h
+++ b/lustre/include/lustre_sec.h
@@ -1199,13 +1199,6 @@ int sptlrpc_unpack_user_desc(struct lustre_msg *req, int offset, int swabbed);
 #define CFS_CAP_CHOWN_MASK (1 << CFS_CAP_CHOWN)
 #define CFS_CAP_SYS_RESOURCE_MASK (1 << CFS_CAP_SYS_RESOURCE)
-enum {
- LUSTRE_SEC_NONE = 0,
- LUSTRE_SEC_REMOTE = 1,
- LUSTRE_SEC_SPECIFY = 2,
- LUSTRE_SEC_ALL = 3
-};
-
 /** @} sptlrpc */
 #endif /* _LUSTRE_SEC_H_ */
diff --git a/lustre/mdt/mdt_lproc.c b/lustre/mdt/mdt_lproc.c
index 4b288ed..38bc9ab 100644
--- a/lustre/mdt/mdt_lproc.c
+++ b/lustre/mdt/mdt_lproc.c
@@ -514,45 +514,6 @@ mdt_evict_tgt_nids_seq_write(struct file *file, const char __user *buffer,
 }
 LPROC_SEQ_FOPS(mdt_evict_tgt_nids);
-
-static int mdt_sec_level_seq_show(struct seq_file *m, void *data)
-{
- struct obd_device *obd = m->private;
- struct mdt_device *mdt = mdt_dev(obd->obd_lu_dev);
-
- seq_printf(m, "%d\n", mdt->mdt_lut.lut_sec_level);
- return 0;
-}
-
-static ssize_t
-mdt_sec_level_seq_write(struct file *file, const char __user *buffer,
- size_t count, loff_t *off)
-{
- struct seq_file *m = file->private_data;
- struct obd_device *obd = m->private;
- struct mdt_device *mdt = mdt_dev(obd->obd_lu_dev);
- int rc;
- __s64 val;
-
- rc = lprocfs_str_to_s64(buffer, count, &val);
- if (rc)
- return rc;
-
- if (val > LUSTRE_SEC_ALL || val < LUSTRE_SEC_NONE)
- return -EINVAL;
-
- if (val == LUSTRE_SEC_SPECIFY) {
- CWARN("security level %d will be supported in future.\n",
- LUSTRE_SEC_SPECIFY);
- return -EINVAL;
- }
-
- mdt->mdt_lut.lut_sec_level = val;
-
- return count;
-}
-LPROC_SEQ_FOPS(mdt_sec_level);
-
 static int mdt_cos_seq_show(struct seq_file *m, void *data)
 {
 struct obd_device *obd = m->private;
@@ -845,8 +806,6 @@ static struct lprocfs_vars lprocfs_mdt_obd_vars[] = {
 .fops = &mdt_evict_tgt_nids_fops },
 { .name = "hash_stats",
 .fops = &mdt_hash_fops },
- { .name = "sec_level",
- .fops = &mdt_sec_level_fops },
 { .name = "commit_on_sharing",
 .fops = &mdt_cos_fops },
 { .name = "root_squash",
diff --git a/lustre/obdclass/obd_config.c b/lustre/obdclass/obd_config.c
index 7ad0129..898cfe7 100644
--- a/lustre/obdclass/obd_config.c
+++ b/lustre/obdclass/obd_config.c
@@ -1382,6 +1382,11 @@ int class_process_proc_param(char *prefix, struct lprocfs_vars *lvars,
 j++;
 }
 if (!matched) {
+ /* It was upgraded from old MDT/OST device,
+ * ignore the obsolete "sec_level" parameter. */
+ if (strncmp("sec_level", key, keylen) == 0)
+ continue;
+
 CERROR("%.*s: %s unknown param %s\n", (int)strlen(prefix) - 1, prefix, (char *)lustre_cfg_string(lcfg, 0), key);
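Review bot: The added `strncmp("sec_level", key, keylen) == 0` test in the `if (!matched)` branch compares only the first `keylen` bytes, so an unmatched key that is a leading fragment of the name (`sec`, `sec_lev`) is skipped without reaching `CERROR`, and a `keylen` of 0 would make every unmatched key pass. Pinning the length closes that: `if (keylen == strlen("sec_level") && strncmp("sec_level", key, keylen) == 0)`. The branch also drops a setting that, per the `tgt_init_sec_level()` code removed by this commit, used to refuse non-GSS clients, so a one-line `CWARN` before `continue` naming the ignored parameter would tell the operator the restriction no longer applies after upgrade. `keylen` is assigned outside the hunk and class_process_proc_param's body starts and ends outside it, so the zero-length case is an inference.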
diff --git a/lustre/target/tgt_handler.c b/lustre/target/tgt_handler.c
index d274d6b..00f6bf8 100644
--- a/lustre/target/tgt_handler.c
+++ b/lustre/target/tgt_handler.c
@@ -830,91 +830,6 @@ EXPORT_SYMBOL(tgt_counter_incr);
 * Unified target generic handlers.
 */
-/*
- * Security functions
- */
-static inline void tgt_init_sec_none(struct obd_connect_data *reply)
-{
-}
-
-static int tgt_init_sec_level(struct ptlrpc_request *req)
-{
- struct lu_target *tgt = class_exp2tgt(req->rq_export);
- char *client;
- struct obd_connect_data *data, *reply;
- int rc = 0;
- ENTRY;
-
- data = req_capsule_client_get(&req->rq_pill, &RMF_CONNECT_DATA);
- reply = req_capsule_server_get(&req->rq_pill, &RMF_CONNECT_DATA);
- if (data == NULL || reply == NULL)
- RETURN(-EFAULT);
-
- /* connection from MDT is always trusted */
- if (req->rq_auth_usr_mdt) {
- tgt_init_sec_none(reply);
- RETURN(0);
- }
-
- if (unlikely(tgt == NULL)) {
- DEBUG_REQ(D_ERROR, req, "%s: No target for connected export\n",
- class_exp2obd(req->rq_export)->obd_name);
- RETURN(-EINVAL);
- }
-
- client = libcfs_nid2str(req->rq_peer.nid);
- /* no GSS support case */
- if (!req->rq_auth_gss) {
- if (tgt->lut_sec_level > LUSTRE_SEC_NONE) {
- CWARN("client %s -> target %s does not use GSS, "
- "can not run under security level %d.\n",
- client, tgt_name(tgt), tgt->lut_sec_level);
- RETURN(-EACCES);
- } else {
- tgt_init_sec_none(reply);
- RETURN(0);
- }
- }
-
- /* old version case */
- if (unlikely(!(data->ocd_connect_flags & OBD_CONNECT_MDS_CAPA) ||
- !(data->ocd_connect_flags & OBD_CONNECT_OSS_CAPA))) {
- if (tgt->lut_sec_level > LUSTRE_SEC_NONE) {
- CWARN("client %s -> target %s uses old version, "
- "can not run under security level %d.\n",
- client, tgt_name(tgt), tgt->lut_sec_level);
- RETURN(-EACCES);
- } else {
- CWARN("client %s -> target %s uses old version, "
- "run under security level %d.\n",
- client, tgt_name(tgt), tgt->lut_sec_level);
- tgt_init_sec_none(reply);
- RETURN(0);
- }
- }
-
- if (!uid_valid(make_kuid(&init_user_ns, req->rq_auth_uid))) {
- CDEBUG(D_SEC, "client %s -> target %s: user is not "
- "authenticated!\n", client, tgt_name(tgt));
- RETURN(-EACCES);
- }
-
- switch (tgt->lut_sec_level) {
- case LUSTRE_SEC_NONE:
- case LUSTRE_SEC_REMOTE:
- tgt_init_sec_none(reply);
- break;
- case LUSTRE_SEC_ALL:
- reply->ocd_connect_flags &= ~OBD_CONNECT_OSS_CAPA;
- reply->ocd_connect_flags &= ~OBD_CONNECT_MDS_CAPA;
- break;
- default:
- RETURN(-EINVAL);
- }
-
- RETURN(rc);
-}
-
 int tgt_connect_check_sptlrpc(struct ptlrpc_request *req, struct obd_export *exp)
 {
 struct lu_target *tgt = class_exp2tgt(exp);
@@ -1015,10 +930,6 @@ int tgt_connect(struct tgt_session_info *tsi)
 ENTRY;
- rc = tgt_init_sec_level(req);
- if (rc != 0)
- GOTO(out, rc);
-
 /* XXX: better to call this check right after getting new export but
 * before last_rcvd slot allocation to avoid server load upon insecure
 * connects. This is to be fixed after unifiyng all targets.
diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh
index fba1d5c..30bfeb2 100755
--- a/lustre/tests/sanity-sec.sh
+++ b/lustre/tests/sanity-sec.sh
@@ -105,7 +105,6 @@ MDT=$(do_facet $SINGLEMDS lctl get_param -N "mdt.\*MDT0000" |
 do_facet $SINGLEMDS "mkdir -p $CONFDIR"
 IDENTITY_FLUSH=mdt.$MDT.identity_flush
 IDENTITY_UPCALL=mdt.$MDT.identity_upcall
-MDSSECLEVEL=mdt.$MDT.sec_level
 SAVE_PWD=$PWD
diff --git a/lustre/tests/test-framework.sh b/lustre/tests/test-framework.sh
index 8b76c77..4e82e08 100755
--- a/lustre/tests/test-framework.sh
+++ b/lustre/tests/test-framework.sh
@@ -3428,7 +3428,6 @@ mkfs_opts() {
 opts+=${LDLM_TIMEOUT:+" --param=sys.ldlm_timeout=$LDLM_TIMEOUT"}
 if [ $type == MDS ]; then
- opts+=${SECLEVEL:+" --param=mdt.sec_level"}
 opts+=${MDSCAPA:+" --param-mdt.capa=$MDSCAPA"}
 opts+=${STRIPE_BYTES:+" --param=lov.stripesize=$STRIPE_BYTES"}
 opts+=${STRIPES_PER_OBJ:+" --param=lov.stripecount=$STRIPES_PER_OBJ"}
@@ -3452,7 +3451,6 @@ mkfs_opts() {
 fi
 if [ $type == OST ]; then
- opts+=${SECLEVEL:+" --param=ost.sec_level"}
 opts+=${OSSCAPA:+" --param=ost.capa=$OSSCAPA"}
 if [ $fstype == ldiskfs ]; then
--
1.8.3.1