lustre/obdfilter/filter_capa.c

   1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
   2  * vim:expandtab:shiftwidth=8:tabstop=8:
   3  *
   4  * Copyright (C) 2005 Cluster File Systems, Inc.
   5  *
   6  * Author: Lai Siyao <lsy@clusterfs.com>
   7  *
   8  *   This file is part of Lustre, http://www.lustre.org.
   9  *
  10  *   Lustre is free software; you can redistribute it and/or
  11  *   modify it under the terms of version 2 of the GNU General Public
  12  *   License as published by the Free Software Foundation.
  13  *
  14  *   Lustre is distributed in the hope that it will be useful,
  15  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  *   GNU General Public License for more details.
  18  *
  19  *   You should have received a copy of the GNU General Public License
  20  *   along with Lustre; if not, write to the Free Software
  21  *   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22  */
  23
  24 #define DEBUG_SUBSYSTEM S_FILTER
  25
  26 #include <linux/fs.h>
  27 #include <linux/version.h>
  28 #include <asm/uaccess.h>
  29 #include <linux/file.h>
  30 #include <linux/kmod.h>
  31
  32 #include <lustre_fsfilt.h>
  33 #include <lustre_capa.h>
  34
  35 #include "filter_internal.h"
  36
  37 static inline __u32 filter_ck_keyid(struct filter_capa_key *key)
  38 {
  39         return key->k_key.lk_keyid;
  40 }
  41
  42 int filter_update_capa_key(struct obd_device *obd, struct lustre_capa_key *new)
  43 {
  44         struct filter_obd *filter = &obd->u.filter;
  45         struct filter_capa_key *k, *keys[2] = { NULL, NULL };
  46         int i;
  47
  48         spin_lock(&capa_lock);
  49         list_for_each_entry(k, &filter->fo_capa_keys, k_list) {
  50                 if (k->k_key.lk_mdsid != new->lk_mdsid)
  51                         continue;
  52
  53                 if (keys[0]) {
  54                         keys[1] = k;
  55                         if (filter_ck_keyid(keys[1]) > filter_ck_keyid(keys[0]))
  56                                 keys[1] = keys[0], keys[0] = k;
  57                 } else {
  58                         keys[0] = k;
  59                 }
  60         }
  61         spin_unlock(&capa_lock);
  62
  63         for (i = 0; i < 2; i++) {
  64                 if (!keys[i])
  65                         continue;
  66                 if (filter_ck_keyid(keys[i]) != new->lk_keyid)
  67                         continue;
  68                 /* maybe because of recovery or other reasons, MDS sent the
  69                  * the old capability key again.
  70                  */
  71                 spin_lock(&capa_lock);
  72                 keys[i]->k_key = *new;
  73                 spin_unlock(&capa_lock);
  74
  75                 RETURN(0);
  76         }
  77
  78         if (keys[1]) {
  79                 /* if OSS already have two keys, update the old one */
  80                 k = keys[1];
  81         } else {
  82                 OBD_ALLOC_PTR(k);
  83                 if (!k)
  84                         RETURN(-ENOMEM);
  85                 CFS_INIT_LIST_HEAD(&k->k_list);
  86         }
  87
  88         spin_lock(&capa_lock);
  89         k->k_key = *new;
  90         if (list_empty(&k->k_list))
  91                 list_add(&k->k_list, &filter->fo_capa_keys);
  92         spin_unlock(&capa_lock);
  93
  94         DEBUG_CAPA_KEY(D_SEC, new, "new");
  95         RETURN(0);
  96 }
  97
  98 int filter_auth_capa(struct obd_export *exp, struct lu_fid *fid, __u64 mdsid,
  99                      struct lustre_capa *capa, __u64 opc)
 100 {
 101         struct obd_device *obd = exp->exp_obd;
 102         struct filter_obd *filter = &obd->u.filter;
 103         struct filter_capa_key *k;
 104         struct lustre_capa_key key;
 105         struct obd_capa *oc;
 106         __u8 *hmac;
 107         int keys_ready = 0, key_found = 0, rc = 0;
 108         ENTRY;
 109
 110         /* capability is disabled */
 111         if (!filter->fo_fl_oss_capa)
 112                 RETURN(0);
 113
 114         if (capa == NULL) {
 115                 if (fid)
 116                         CERROR("mdsno/fid/opc "LPU64"/"DFID"/"LPX64
 117                                ": no capability has been passed\n",
 118                                mdsid, PFID(fid), opc);
 119                 else
 120                         CERROR("mdsno/opc "LPU64"/"LPX64
 121                                ": no capability has been passed\n",
 122                                mdsid, opc);
 123                 RETURN(-EACCES);
 124         }
 125
 126 #warning "enable fid check in filter_auth_capa() when fid stored in OSS object"
 127
 128         if (opc == CAPA_OPC_OSS_READ) {
 129                 if (!(capa->lc_opc & CAPA_OPC_OSS_RW))
 130                         rc = -EACCES;
 131         } else if (!capa_opc_supported(capa, opc)) {
 132                 rc = -EACCES;
 133         }
 134         if (rc) {
 135                 DEBUG_CAPA(D_ERROR, capa, "opc "LPX64" not supported by", opc);
 136                 RETURN(rc);
 137         }
 138
 139         oc = capa_lookup(filter->fo_capa_hash, capa, 0);
 140         if (oc) {
 141                 spin_lock(&oc->c_lock);
 142                 if (capa_is_expired(oc)) {
 143                         DEBUG_CAPA(D_ERROR, capa, "expired");
 144                         rc = -ESTALE;
 145                 }
 146                 spin_unlock(&oc->c_lock);
 147
 148                 capa_put(oc);
 149                 RETURN(rc);
 150         }
 151
 152         spin_lock(&capa_lock);
 153         list_for_each_entry(k, &filter->fo_capa_keys, k_list)
 154                 if (k->k_key.lk_mdsid == mdsid) {
 155                         keys_ready = 1;
 156                         if (k->k_key.lk_keyid == capa_keyid(capa)) {
 157                                 key = k->k_key;
 158                                 key_found = 1;
 159                                 break;
 160                         }
 161                 }
 162         spin_unlock(&capa_lock);
 163
 164         if (!keys_ready) {
 165                 CDEBUG(D_SEC, "MDS hasn't propagated capability keys yet, "
 166                        "ignore check!\n");
 167                 RETURN(0);
 168         }
 169
 170        if (!key_found) {
 171                 DEBUG_CAPA(D_ERROR, capa, "no matched capability key for");
 172                 RETURN(-ESTALE);
 173         }
 174
 175         OBD_ALLOC(hmac, CAPA_HMAC_MAX_LEN);
 176         if (hmac == NULL)
 177                 RETURN(-ENOMEM);
 178
 179         rc = capa_hmac(hmac, capa, key.lk_key);
 180         if (rc) {
 181                 DEBUG_CAPA(D_ERROR, capa, "HMAC failed: rc %d", rc);
 182                 OBD_FREE(hmac, CAPA_HMAC_MAX_LEN);
 183                 RETURN(rc);
 184         }
 185
 186         rc = memcmp(hmac, capa->lc_hmac, CAPA_HMAC_MAX_LEN);
 187         OBD_FREE(hmac, CAPA_HMAC_MAX_LEN);
 188         if (rc) {
 189                 DEBUG_CAPA_KEY(D_ERROR, &key, "calculate HMAC with ");
 190                 DEBUG_CAPA(D_ERROR, capa, "HMAC mismatch");
 191                 RETURN(-EACCES);
 192         }
 193
 194         /* store in capa hash */
 195         oc = capa_add(filter->fo_capa_hash, capa);
 196         capa_put(oc);
 197         RETURN(0);
 198 }
 199
 200 void filter_free_capa_keys(struct filter_obd *filter)
 201 {
 202         struct filter_capa_key *key, *n;
 203
 204         spin_lock(&capa_lock);
 205         list_for_each_entry_safe(key, n, &filter->fo_capa_keys, k_list) {
 206                 list_del_init(&key->k_list);
 207                 OBD_FREE(key, sizeof(*key));
 208         }
 209         spin_unlock(&capa_lock);
 210 }