lustre/mdt/mdt_identity.c

   1 /*
   2  * GPL HEADER START
   3  *
   4  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   5  *
   6  * This program is free software; you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License version 2 only,
   8  * as published by the Free Software Foundation.
   9  *
  10  * This program is distributed in the hope that it will be useful, but
  11  * WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  13  * General Public License version 2 for more details (a copy is included
  14  * in the LICENSE file that accompanied this code).
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * version 2 along with this program; If not, see
  18  * http://www.gnu.org/licenses/gpl-2.0.html
  19  *
  20  * GPL HEADER END
  21  */
  22 /*
  23  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  24  * Use is subject to license terms.
  25  *
  26  * Copyright (c) 2011, 2016, Intel Corporation.
  27  */
  28 /*
  29  * This file is part of Lustre, http://www.lustre.org/
  30  *
  31  * lustre/mdt/mdt_identity.c
  32  *
  33  * Author: Lai Siyao <lsy@clusterfs.com>
  34  * Author: Fan Yong <fanyong@clusterfs.com>
  35  */
  36
  37 #define DEBUG_SUBSYSTEM S_MDS
  38
  39 #include "mdt_internal.h"
  40
  41 static void mdt_identity_entry_init(struct upcall_cache_entry *entry,
  42                                     void *unused)
  43 {
  44         entry->u.identity.mi_uc_entry = entry;
  45 }
  46
  47 static void mdt_identity_entry_free(struct upcall_cache *cache,
  48                                     struct upcall_cache_entry *entry)
  49 {
  50         struct md_identity *identity = &entry->u.identity;
  51
  52         if (identity->mi_ginfo) {
  53                 put_group_info(identity->mi_ginfo);
  54                 identity->mi_ginfo = NULL;
  55         }
  56
  57         if (identity->mi_nperms) {
  58                 LASSERT(identity->mi_perms);
  59                 OBD_FREE_PTR_ARRAY(identity->mi_perms, identity->mi_nperms);
  60                 identity->mi_nperms = 0;
  61         }
  62 }
  63
  64 static int mdt_identity_do_upcall(struct upcall_cache *cache,
  65                                   struct upcall_cache_entry *entry)
  66 {
  67         char keystr[16];
  68         char *argv[] = {
  69                 [0] = cache->uc_upcall,
  70                 [1] = cache->uc_name,
  71                 [2] = keystr,
  72                 [3] = NULL
  73         };
  74         char *envp[] = {
  75                 [0] = "HOME=/",
  76                 [1] = "PATH=/sbin:/usr/sbin",
  77                 [2] = NULL
  78         };
  79         ktime_t start, end;
  80         int rc;
  81
  82         ENTRY;
  83         /* There is race condition:
  84          * "uc_upcall" was changed just after "is_identity_get_disabled" check.
  85          */
  86         down_read(&cache->uc_upcall_rwsem);
  87         CDEBUG(D_INFO, "The upcall is: '%s'\n", cache->uc_upcall);
  88
  89         if (unlikely(!strcmp(cache->uc_upcall, "NONE"))) {
  90                 rc = -EREMCHG;
  91                 CERROR("%s: extended identity requested for user '%llu' called with 'NONE' upcall: rc = %d\n",
  92                        cache->uc_name, entry->ue_key, rc);
  93                 GOTO(out, rc);
  94         }
  95
  96         if (unlikely(cache->uc_upcall[0] == '\0')) {
  97                 rc = -EREMCHG;
  98                 CERROR("%s: extended identity requested for user '%llu' called with empty upcall: rc = %d\n",
  99                        cache->uc_name, entry->ue_key, rc);
 100                 GOTO(out, rc);
 101         }
 102
 103         argv[0] = cache->uc_upcall;
 104         snprintf(keystr, sizeof(keystr), "%llu", entry->ue_key);
 105
 106         start = ktime_get();
 107         rc = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
 108         end = ktime_get();
 109         if (rc < 0) {
 110                 CERROR("%s: error invoking upcall %s %s %s: rc %d; check /proc/fs/lustre/mdt/%s/identity_upcall, time %ldus: rc = %d\n",
 111                        cache->uc_name, argv[0], argv[1], argv[2], rc,
 112                        cache->uc_name, (long)ktime_us_delta(end, start), rc);
 113         } else {
 114                 CDEBUG(D_HA, "%s: invoked upcall %s %s %s, time %ldus\n",
 115                        cache->uc_name, argv[0], argv[1], argv[2],
 116                        (long)ktime_us_delta(end, start));
 117                 rc = 0;
 118         }
 119         EXIT;
 120 out:
 121         up_read(&cache->uc_upcall_rwsem);
 122         return rc;
 123 }
 124
 125 static int mdt_identity_parse_downcall(struct upcall_cache *cache,
 126                                        struct upcall_cache_entry *entry,
 127                                        void *args)
 128 {
 129         struct md_identity *identity = &entry->u.identity;
 130         struct identity_downcall_data *data = args;
 131         struct group_info *ginfo = NULL;
 132         struct md_perm *perms = NULL;
 133         int size, i, rc = 0;
 134
 135         ENTRY;
 136         LASSERT(data);
 137         if (data->idd_ngroups > NGROUPS_MAX) {
 138                 rc = -E2BIG;
 139                 CERROR("%s: UID %u groups %u > maximum %u: rc = %d\n",
 140                        cache->uc_name, data->idd_uid, data->idd_ngroups, NGROUPS_MAX, rc);
 141                 goto out;
 142         }
 143
 144         if (data->idd_ngroups > 0) {
 145                 ginfo = groups_alloc(data->idd_ngroups);
 146                 if (!ginfo) {
 147                         rc = -ENOMEM;
 148                         CERROR("%s: failed to alloc %d groups: rc = %d\n",
 149                                cache->uc_name, data->idd_ngroups, rc);
 150                         goto out;
 151                 }
 152
 153                 lustre_groups_from_list(ginfo, data->idd_groups);
 154                 lustre_groups_sort(ginfo);
 155         }
 156
 157         if (data->idd_nperms) {
 158                 size = data->idd_nperms * sizeof(*perms);
 159                 OBD_ALLOC(perms, size);
 160                 if (!perms) {
 161                         rc = -ENOMEM;
 162                         CERROR("%s: failed to alloc %d permissions: rc = %d\n",
 163                                cache->uc_name, data->idd_nperms, rc);
 164                         if (ginfo)
 165                                 put_group_info(ginfo);
 166                         goto out;
 167                 }
 168
 169                 for (i = 0; i < data->idd_nperms; i++) {
 170                         lnet_nid4_to_nid(data->idd_perms[i].pdd_nid,
 171                                          &perms[i].mp_nid);
 172                         perms[i].mp_perm = data->idd_perms[i].pdd_perm;
 173                 }
 174         }
 175
 176         identity->mi_uid = data->idd_uid;
 177         identity->mi_gid = data->idd_gid;
 178         identity->mi_ginfo = ginfo;
 179         identity->mi_nperms = data->idd_nperms;
 180         identity->mi_perms = perms;
 181
 182         CDEBUG(D_OTHER, "parse mdt identity@%p: %d:%d, ngroups %u, nperms %u\n",
 183                identity, identity->mi_uid, identity->mi_gid,
 184                data->idd_ngroups, data->idd_nperms);
 185
 186 out:
 187         RETURN(rc);
 188 }
 189
 190 struct md_identity *mdt_identity_get(struct upcall_cache *cache, __u32 uid)
 191 {
 192         struct upcall_cache_entry *entry;
 193
 194         if (!cache)
 195                 return ERR_PTR(-ENOENT);
 196
 197         entry = upcall_cache_get_entry(cache, (__u64)uid, NULL);
 198         if (unlikely(!entry))
 199                 return ERR_PTR(-ENOENT);
 200         if (IS_ERR(entry))
 201                 return ERR_CAST(entry);
 202
 203         return &entry->u.identity;
 204 }
 205
 206 void mdt_identity_put(struct upcall_cache *cache, struct md_identity *identity)
 207 {
 208         if (!cache)
 209                 return;
 210
 211         LASSERT(identity);
 212         upcall_cache_put_entry(cache, identity->mi_uc_entry);
 213 }
 214
 215 struct upcall_cache_ops mdt_identity_upcall_cache_ops = {
 216         .init_entry     = mdt_identity_entry_init,
 217         .free_entry     = mdt_identity_entry_free,
 218         .do_upcall      = mdt_identity_do_upcall,
 219         .parse_downcall = mdt_identity_parse_downcall,
 220 };
 221
 222 void mdt_flush_identity(struct upcall_cache *cache, int uid)
 223 {
 224         if (uid < 0)
 225                 upcall_cache_flush_idle(cache);
 226         else
 227                 upcall_cache_flush_one(cache, (__u64)uid, NULL);
 228 }
 229
 230 /*
 231  * If there is LNET_NID_ANY in perm[i].mp_nid,
 232  * it must be perm[0].mp_nid, and act as default perm.
 233  */
 234 __u32 mdt_identity_get_perm(struct md_identity *identity, struct lnet_nid *nid)
 235 {
 236         struct md_perm *perm;
 237         int i;
 238
 239         if (!identity)
 240                 return CFS_SETGRP_PERM;
 241
 242         perm = identity->mi_perms;
 243         /* check exactly matched nid first */
 244         for (i = identity->mi_nperms - 1; i > 0; i--) {
 245                 if (!nid_same(&perm[i].mp_nid, nid))
 246                         continue;
 247                 return perm[i].mp_perm;
 248         }
 249
 250         /* check LNET_NID_ANY then */
 251         if ((identity->mi_nperms > 0) &&
 252             ((nid_same(&perm[0].mp_nid, nid)) ||
 253              (LNET_NID_IS_ANY(&perm[0].mp_nid))))
 254                 return perm[0].mp_perm;
 255
 256         /* return default last */
 257         return CFS_SETGRP_PERM;
 258 }