uint64_t lmd_remote_flag;
uint32_t lmd_nllu;
uint32_t lmd_nllg;
- char lmd_security[16];
+ char lmd_mds_security[16];
+ char lmd_oss_security[16];
char lmd_mds[64];
char lmd_profile[64];
};
__u32 subflavor;
} ptlrpcs_flavor_t;
+typedef struct {
+ struct list_head list;
+ ptlrpcs_flavor_t sec;
+} deny_sec_t;
+
enum ptlrpcs_security_type {
PTLRPC_SEC_TYPE_NONE = 0, /* no security */
PTLRPC_SEC_TYPE_AUTH = 1, /* authentication */
return 0;
}
+static inline int add_deny_security(char *sec, struct list_head *head)
+{
+ int rc = 0;
+ deny_sec_t *p_deny_sec = NULL;
+
+ LASSERT(sec != NULL);
+
+ OBD_ALLOC(p_deny_sec, sizeof(*p_deny_sec));
+ if (p_deny_sec == NULL) return -ENOMEM;
+
+ if (strcmp(sec, "null") == 0) {
+ p_deny_sec->sec.flavor = PTLRPC_SEC_NULL;
+ p_deny_sec->sec.subflavor = PTLRPC_SEC_NULL;
+ }else if (strcmp(sec, "krb5i") == 0) {
+ p_deny_sec->sec.flavor = PTLRPC_SEC_GSS;
+ p_deny_sec->sec.subflavor = PTLRPC_SEC_GSS_KRB5I;
+ }else if (strcmp(sec, "krb5p") == 0) {
+ p_deny_sec->sec.flavor = PTLRPC_SEC_GSS;
+ p_deny_sec->sec.subflavor = PTLRPC_SEC_GSS_KRB5P;
+ }else{
+ CERROR("unrecognized security type %s\n", (char*) sec);
+ GOTO(out, rc = -EINVAL);
+ }
+
+ list_add_tail(&p_deny_sec->list, head);
+out:
+ if (rc) {
+ if (p_deny_sec)
+ OBD_FREE(p_deny_sec, sizeof(*p_deny_sec));
+ }
+ return rc;
+}
+
int ptlrpcs_cli_wrap_request(struct ptlrpc_request *req);
int ptlrpcs_cli_unwrap_reply(struct ptlrpc_request *req);
int ptlrpcs_cli_alloc_reqbuf(struct ptlrpc_request *req, int msgsize);
#define SVC_LOGIN 4
#define SVC_LOGOUT 5
+/* FIXME
+ * this should be a gss internal structure. fix these when we
+ * sort out the flavor issues.
+ */
+
+typedef struct rawobj_s {
+ __u32 len;
+ __u8 *data;
+} rawobj_t;
+
+/* on-the-wire gss cred: */
+struct rpc_gss_wire_cred {
+ __u32 gc_v; /* version */
+ __u32 gc_proc; /* control procedure */
+ __u32 gc_seq; /* sequence number */
+ __u32 gc_svc; /* service */
+ rawobj_t gc_ctx; /* context handle */
+};
+
+struct gss_svc_data {
+ __u32 subflavor; /* XXX */
+ /* decoded gss client cred: */
+ struct rpc_gss_wire_cred clcred;
+ /* internal used status */
+ unsigned int is_init:1,
+ is_init_continue:1,
+ is_err_notify:1,
+ is_fini:1;
+ int reserve_len;
+};
+
int svcsec_register(struct ptlrpc_svcsec *ss);
int svcsec_unregister(struct ptlrpc_svcsec *ss);
int svcsec_accept(struct ptlrpc_request *req, enum ptlrpcs_error *res);
struct list_head fo_llog_list;
spinlock_t fo_llog_list_lock;
+
+ /* which secure flavor from remote is denied */
+ spinlock_t fo_denylist_lock;
+ struct list_head fo_denylist;
+
};
struct mds_server_data;
/* security related */
char *mds_mds_sec;
char *mds_ost_sec;
+ /* which secure flavor from remote to this mds is denied */
+ spinlock_t mds_denylist_lock;
+ struct list_head mds_denylist;
};
struct echo_obd {
return (memcmp(&peer->peer_id, &myid, sizeof(myid)) == 0);
}
+/* To check whether the p_flavor is in deny list or not
+ * rc:
+ * 0 not found, pass
+ * EPERM found, refuse
+ */
+
+static int check_deny_list(struct list_head *head, ptlrpcs_flavor_t *p_flavor)
+{
+ deny_sec_t *p_deny_sec = NULL;
+ deny_sec_t *n_deny_sec = NULL;
+
+ list_for_each_entry_safe(p_deny_sec, n_deny_sec, head, list) {
+ if ((p_deny_sec->sec.flavor == p_flavor->flavor) &&
+ (p_deny_sec->sec.subflavor == p_flavor->subflavor))
+ return -EPERM;
+ }
+ return 0;
+}
+
+int target_check_deny_sec(struct obd_device *target, struct ptlrpc_request *req)
+{
+ struct gss_svc_data *svcdata;
+ ptlrpcs_flavor_t flavor;
+ int rc = 0;
+
+ /* XXX hacking */
+ svcdata = (struct gss_svc_data *) req->rq_sec_svcdata;
+ if (svcdata == NULL) {
+ flavor.flavor = PTLRPC_SEC_NULL;
+ flavor.subflavor = 0;
+ } else {
+ flavor.flavor = PTLRPC_SEC_GSS;
+ flavor.subflavor = svcdata->subflavor;
+ }
+
+ if (!strcmp(target->obd_type->typ_name, LUSTRE_MDS_NAME)) {
+ spin_lock(&target->u.mds.mds_denylist_lock);
+ rc = check_deny_list(&target->u.mds.mds_denylist, &flavor);
+ spin_unlock(&target->u.mds.mds_denylist_lock);
+ } else if (!strcmp(target->obd_type->typ_name, "obdfilter")) {
+ spin_lock(&target->u.filter.fo_denylist_lock);
+ rc = check_deny_list(&target->u.filter.fo_denylist, &flavor);
+ spin_unlock(&target->u.filter.fo_denylist_lock);
+ }
+
+ return rc;
+}
+
int target_handle_connect(struct ptlrpc_request *req)
{
unsigned long connect_flags = 0, *cfp;
GOTO(out, rc = -ENODEV);
}
+ /* check the secure deny list of mds/ost */
+ rc = target_check_deny_sec(target, req);
+ if (rc != 0)
+ GOTO(out, rc);
+
LASSERT_REQSWAB (req, offset + 1);
str = lustre_msg_string(req->rq_reqmsg, offset + 1, sizeof(cluuid) - 1);
if (str == NULL) {
char *ll_read_opt(const char *opt, char *data);
int ll_set_opt(const char *opt, char *data, int fl);
-void ll_options(char *options, char **ost, char **mds, char **sec,
- int *async, int *flags);
+void ll_options(char *options, char **ost, char **mds, char **mds_sec,
+ char **oss_sec, int *async, int *flags);
void ll_lli_init(struct ll_inode_info *lli);
int ll_fill_super(struct super_block *sb, void *data, int silent);
int lustre_fill_super(struct super_block *sb, void *data, int silent);
extern struct dentry_operations ll_d_ops;
int lustre_common_fill_super(struct super_block *sb, char *lmv, char *lov,
- int async, char *security, __u32 *nllu,
- __u64 *remote)
+ int async, char *mds_security, char *oss_security,
+ __u32 *nllu, __u64 *remote)
{
struct ll_sb_info *sbi = ll_s2sbi(sb);
struct ptlrpc_request *request = NULL;
OBD_CONNECT_REMOTE);
memcpy(data->ocd_nllu, nllu, sizeof(data->ocd_nllu));
- if (security == NULL)
- security = "null";
+ if (mds_security == NULL)
+ mds_security = "null";
err = obd_set_info(obd->obd_self_export, strlen("sec"), "sec",
- strlen(security), security);
+ strlen(mds_security), mds_security);
if (err) {
CERROR("LMV %s: failed to set security %s, err %d\n",
- lmv, security, err);
+ lmv, mds_security, err);
OBD_FREE(data, sizeof(*data));
RETURN(err);
}
obd_set_info(obd->obd_self_export, strlen("async"), "async",
sizeof(async), &async);
+ if (oss_security == NULL)
+ oss_security = "null";
+
+ err = obd_set_info(obd->obd_self_export, strlen("sec"), "sec",
+ strlen(oss_security), oss_security);
+ if (err) {
+ CERROR("LOV %s: failed to set security %s, err %d\n",
+ lov, oss_security, err);
+ OBD_FREE(data, sizeof(*data));
+ RETURN(err);
+ }
+
err = obd_connect(&dt_conn, obd, &sbi->ll_sb_uuid, data,
OBD_OPT_REAL_CLIENT);
if (err == -EBUSY) {
RETURN(fl);
}
-void ll_options(char *options, char **lov, char **lmv, char **sec,
- int *async, int *flags)
+void ll_options(char *options, char **lov, char **lmv, char **mds_sec,
+ char **oss_sec, int *async, int *flags)
{
char *this_char;
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,0))
*async = 1;
continue;
}
- if (!*sec && (*sec = ll_read_opt("sec", this_char)))
+ if (!*mds_sec && (*mds_sec = ll_read_opt("mds_sec", this_char)))
+ continue;
+ if (!*oss_sec && (*oss_sec = ll_read_opt("oss_sec", this_char)))
continue;
if (!(*flags & LL_SBI_NOLCK) &&
((*flags) = (*flags) |
struct ll_sb_info *sbi;
char *lov = NULL;
char *lmv = NULL;
+ char *mds_sec = NULL;
+ char *oss_sec = NULL;
int async, err;
- char *sec = NULL;
__u32 nllu[2] = { NOBODY_UID, NOBODY_GID };
__u64 remote_flag = 0;
ENTRY;
RETURN(-ENOMEM);
sbi->ll_flags |= LL_SBI_READAHEAD;
- ll_options(data, &lov, &lmv, &sec, &async, &sbi->ll_flags);
+ ll_options(data, &lov, &lmv, &mds_sec, &oss_sec,
+ &async, &sbi->ll_flags);
if (!lov) {
CERROR("no osc\n");
GOTO(out, err = -EINVAL);
}
- err = lustre_common_fill_super(sb, lmv, lov, async, sec,
+ err = lustre_common_fill_super(sb, lmv, lov, async, mds_sec, oss_sec,
nllu, &remote_flag);
EXIT;
out:
if (err)
lustre_free_sbi(sb);
- if (sec)
- OBD_FREE(sec, strlen(sec) + 1);
if (lmv)
OBD_FREE(lmv, strlen(lmv) + 1);
if (lov)
OBD_FREE(lov, strlen(lov) + 1);
+ if (mds_sec)
+ OBD_FREE(mds_sec, strlen(mds_sec) + 1);
+ if (oss_sec)
+ OBD_FREE(oss_sec, strlen(oss_sec) + 1);
+
return err;
} /* ll_read_super */
GOTO(out_cleanup, rc = -EINVAL);
rc = obd_set_info(obd->obd_self_export, strlen("sec"), "sec",
- strlen(lmd->lmd_security), lmd->lmd_security);
+ strlen(lmd->lmd_mds_security), lmd->lmd_mds_security);
if (rc)
GOTO(out_cleanup, rc);
CERROR("no mds name\n");
GOTO(out_free, err = -EINVAL);
}
- lmd->lmd_security[sizeof(lmd->lmd_security) - 1] = 0;
+ lmd->lmd_mds_security[sizeof(lmd->lmd_mds_security) - 1] = 0;
+ lmd->lmd_oss_security[sizeof(lmd->lmd_oss_security) - 1] = 0;
OBD_ALLOC(sbi->ll_lmd, sizeof(*sbi->ll_lmd));
if (sbi->ll_lmd == NULL)
}
err = lustre_common_fill_super(sb, lmv, lov, lmd->lmd_async,
- lmd->lmd_security, &lmd->lmd_nllu,
- &lmd->lmd_remote_flag);
+ lmd->lmd_mds_security,
+ lmd->lmd_oss_security,
+ &lmd->lmd_nllu, &lmd->lmd_remote_flag);
if (err)
GOTO(out_free, err);
exp->exp_obd->obd_name,
imp->imp_initial_recov);
RETURN(0);
- } else if (keylen >= strlen("mds_type") && strcmp(key, "mds_type") == 0) {
+ } else if (keylen >= strlen("mds_type") &&
+ strcmp(key, "mds_type") == 0) {
struct ptlrpc_request *req;
char *bufs[2] = {key, val};
int rc, size[2] = {keylen, vallen};
imp->imp_server_timeout = 1;
CDEBUG(D_OTHER, "%s: timeout / 2\n", exp->exp_obd->obd_name);
RETURN(0);
- } else if (keylen == strlen("sec") && memcmp(key, "sec", keylen) == 0) {
+ } else if (keylen == strlen("sec") &&
+ memcmp(key, "sec", keylen) == 0) {
struct client_obd *cli = &exp->exp_obd->u.cli;
if (vallen == strlen("null") &&
#include <linux/lustre_commit_confd.h>
#include <linux/lustre_acl.h>
#include "mds_internal.h"
+#include <linux/lustre_sec.h>
static int mds_intent_policy(struct ldlm_namespace *ns,
struct ldlm_lock **lockp, void *req_cookie,
sema_init(&mds->mds_md_sem, 1);
mds->mds_md_connected = 0;
mds->mds_md_name = NULL;
-
+
if (LUSTRE_CFG_BUFLEN(lcfg, 5) > 0 && lustre_cfg_buf(lcfg, 5) &&
strncmp(lustre_cfg_string(lcfg, 5), "dumb", LUSTRE_CFG_BUFLEN(lcfg, 5))) {
class_uuid_t uuid;
GOTO(err_ops, rc);
}
}
-
+
mds->mds_obd_type = MDS_MASTER_OBD;
if (LUSTRE_CFG_BUFLEN(lcfg, 6) > 0 && lustre_cfg_buf(lcfg, 6) &&
obd->obd_name, rc);
GOTO(err_ns, rc);
}
-
+
rc = llog_start_commit_thread();
if (rc < 0)
/* XXX */
lgss_svc_cache_purge_all();
#endif
+
+ spin_lock(&mds->mds_denylist_lock);
+ while (!list_empty( &mds->mds_denylist ) ) {
+ deny_sec_t *p_deny_sec = list_entry(mds->mds_denylist.next,
+ deny_sec_t, list);
+ list_del(&p_deny_sec->list);
+ OBD_FREE(p_deny_sec, sizeof(*p_deny_sec));
+ }
+ spin_unlock(&mds->mds_denylist_lock);
+ if(mds->mds_mds_sec)
+ OBD_FREE(mds->mds_mds_sec, strlen(mds->mds_mds_sec) + 1);
+ if(mds->mds_ost_sec)
+ OBD_FREE(mds->mds_ost_sec, strlen(mds->mds_ost_sec) + 1);
+
RETURN(0);
}
{
int rc = 0;
- if (!strcmp(value, "null"))
- *sec = "null";
- else if (!strcmp(value, "krb5i"))
- *sec = "krb5i";
- else if (!strcmp(value, "krb5p"))
- *sec = "krb5p";
- else {
+ if (!strcmp(value, "null") ||
+ !strcmp(value, "krb5i") ||
+ !strcmp(value, "krb5p")) {
+ OBD_ALLOC(*sec, strlen(value) + 1);
+ if(!*sec)
+ RETURN(-ENOMEM);
+ memcpy(*sec, value, strlen(value) + 1);
+ } else {
CERROR("Unrecognized value, force use NULL\n");
rc = -EINVAL;
}
switch(lcfg->lcfg_command) {
case LCFG_SET_SECURITY: {
- if (LUSTRE_CFG_BUFLEN(lcfg, 1) || LUSTRE_CFG_BUFLEN(lcfg, 2))
+ if ((LUSTRE_CFG_BUFLEN(lcfg, 1) == 0) ||
+ (LUSTRE_CFG_BUFLEN(lcfg, 2) == 0))
GOTO(out, rc = -EINVAL);
- if (!strcmp(lustre_cfg_string(lcfg, 1), "mds_mds_sec"))
+ if (!strcmp(lustre_cfg_string(lcfg, 1), "mds_sec"))
rc = set_security(lustre_cfg_string(lcfg, 2),
&mds->mds_mds_sec);
- else if (!strcmp(lustre_cfg_string(lcfg, 2), "mds_ost_sec"))
+ else if (!strcmp(lustre_cfg_string(lcfg, 1), "oss_sec"))
rc = set_security(lustre_cfg_string(lcfg, 2),
&mds->mds_ost_sec);
- else {
+ else if (!strcmp(lustre_cfg_string(lcfg, 1), "deny_sec")){
+ spin_lock(&mds->mds_denylist_lock);
+ rc = add_deny_security(lustre_cfg_string(lcfg, 2),
+ &mds->mds_denylist);
+ spin_unlock(&mds->mds_denylist_lock);
+ } else {
CERROR("Unrecognized key\n");
rc = -EINVAL;
}
{
struct lprocfs_static_vars lvars;
int rc = 0;
+ struct mds_obd *mds = &dev->u.mds;
+
+ spin_lock_init(&mds->mds_denylist_lock);
+ INIT_LIST_HEAD(&mds->mds_denylist);
lprocfs_init_multi_vars(0, &lvars);
#include <libcfs/list.h>
#include <linux/lustre_smfs.h>
+#include <linux/lustre_sec.h>
#include "filter_internal.h"
/* Group 0 is no longer a legal group, to catch uninitialized IDs */
static int filter_setup(struct obd_device *obd, obd_count len, void *buf)
{
struct lustre_cfg* lcfg = buf;
+ struct filter_obd *filter = &obd->u.filter;
int rc;
ENTRY;
+
+ spin_lock_init(&filter->fo_denylist_lock);
+ INIT_LIST_HEAD(&filter->fo_denylist);
+
/* all mount options including errors=remount-ro and asyncdel are passed
* using 4th lcfg param. And it is good, finally we have got rid of
* hardcoded fs types in the code. */
shrink_dcache_parent(filter->fo_sb->s_root);
filter->fo_sb = 0;
+ spin_lock(&filter->fo_denylist_lock);
+ while (!list_empty(&filter->fo_denylist)) {
+ deny_sec_t *p_deny_sec = list_entry(filter->fo_denylist.next,
+ deny_sec_t, list);
+ list_del(&p_deny_sec->list);
+ OBD_FREE(p_deny_sec, sizeof(*p_deny_sec));
+ }
+ spin_unlock(&filter->fo_denylist_lock);
+
unlock_kernel();
lvfs_umount_fs(filter->fo_lvfs_ctxt);
//destroy_buffers(filter->fo_sb->s_dev);
RETURN(0);
}
+static int filter_process_config(struct obd_device *obd, obd_count len, void *buf)
+{
+ struct lustre_cfg *lcfg = buf;
+ struct filter_obd *filter = &obd->u.filter;
+ int rc = 0;
+ ENTRY;
+
+ switch(lcfg->lcfg_command) {
+ case LCFG_SET_SECURITY: {
+ if ((LUSTRE_CFG_BUFLEN(lcfg, 1) == 0) ||
+ (LUSTRE_CFG_BUFLEN(lcfg, 2) == 0))
+ GOTO(out, rc = -EINVAL);
+
+ if (!strcmp(lustre_cfg_string(lcfg, 1), "deny_sec")){
+ spin_lock(&filter->fo_denylist_lock);
+ rc = add_deny_security(lustre_cfg_string(lcfg, 2),
+ &filter->fo_denylist);
+ spin_unlock(&filter->fo_denylist_lock);
+ }else {
+ CERROR("Unrecognized key\n");
+ rc = -EINVAL;
+ }
+ break;
+ }
+ default: {
+ CERROR("Unknown command: %d\n", lcfg->lcfg_command);
+ GOTO(out, rc = -EINVAL);
+
+ }
+ }
+out:
+ RETURN(rc);
+}
+
static int filter_connect_post(struct obd_export *exp, unsigned initial,
unsigned long connect_flags)
{
.o_setup = filter_setup,
.o_precleanup = filter_precleanup,
.o_cleanup = filter_cleanup,
+ .o_process_config = filter_process_config,
.o_connect = filter_connect,
.o_connect_post = filter_connect_post,
.o_disconnect = filter_disconnect,
RETURN(0);
}
- if (keylen == strlen("sec") && memcmp(key, "sec", keylen) == 0) {
+ if (keylen == strlen("sec") &&
+ memcmp(key, "sec", keylen) == 0) {
struct client_obd *cli = &exp->exp_obd->u.cli;
if (vallen == strlen("null") &&
#include <linux/lprocfs_status.h>
#include <linux/lustre_commit_confd.h>
#include <libcfs/list.h>
+#include <linux/lustre_sec.h>
void oti_init(struct obd_trans_info *oti, struct ptlrpc_request *req)
{
if (req->rq_reqmsg->opc == SEC_INIT ||
req->rq_reqmsg->opc == SEC_INIT_CONTINUE ||
req->rq_reqmsg->opc == SEC_FINI) {
- RETURN(0);
+ GOTO(out_check_req, rc = 0);
}
/* XXX identical to MDS */
RETURN(rc);
}
+extern void lgss_svc_cache_purge_all(void);
static int ost_cleanup(struct obd_device *obd, int flags)
{
struct ost_obd *ost = &obd->u.ost;
ptlrpc_stop_all_threads(ost->ost_create_service);
ptlrpc_unregister_service(ost->ost_create_service);
+#ifdef ENABLE_GSS
+ /* XXX */
+ lgss_svc_cache_purge_all();
+#endif
RETURN(err);
}
* Author: Eric Mei <ericm@clusterfs.com>
*/
+#include <linux/lustre_sec.h>
#ifndef __SEC_GSS_GSS_INTERNAL_H_
#define __SEC_GSS_GSS_INTERNAL_H_
struct ptlrpc_sec;
struct ptlrpc_cred;
-typedef struct rawobj_s {
- __u32 len;
- __u8 *data;
-} rawobj_t;
-
+/* rawobj stuff */
int rawobj_alloc(rawobj_t *obj, char *buf, int len);
void rawobj_free(rawobj_t *obj);
int rawobj_equal(rawobj_t *a, rawobj_t *b);
*/
#define GSSD_INTERFACE_VERSION (1)
+/*
+ * target of gss request
+ */
+#define LUSTRE_GSS_SVC_MDS 0
+#define LUSTRE_GSS_SVC_OSS 1
+
+/*
+ * data types in gss header
+ */
#define MAXSEQ 0x80000000 /* maximum legal sequence number, from rfc 2203 */
enum rpc_gss_proc {
RPC_GSS_SVC_PRIVACY = 3,
};
-/* on-the-wire gss cred: */
-struct rpc_gss_wire_cred {
- __u32 gc_v; /* version */
- __u32 gc_proc; /* control procedure */
- __u32 gc_seq; /* sequence number */
- __u32 gc_svc; /* service */
- rawobj_t gc_ctx; /* context handle */
-};
-
/* on-the-wire gss verifier: */
struct rpc_gss_wire_verf {
__u32 gv_flavor;
static int secinit_compose_request(struct obd_import *imp,
char *buf, int bufsize,
+ int lustre_srv,
uid_t uid, gid_t gid,
long token_size,
char __user *token)
hdr->flavor = cpu_to_le32(PTLRPC_SEC_GSS);
hdr->sectype = cpu_to_le32(PTLRPC_SEC_TYPE_NONE);
hdr->msg_len = cpu_to_le32(lmsg_size);
- hdr->sec_len = cpu_to_le32(7 * 4 + token_size);
+ hdr->sec_len = cpu_to_le32(8 * 4 + token_size);
/* lustre message & secdesc */
lmsg = buf_to_lustre_msg(buf);
*p++ = cpu_to_le32(PTLRPC_GSS_SVC_NONE); /* service */
*p++ = cpu_to_le32(0); /* context handle */
+ /* plus lustre svc type */
+ *p++ = cpu_to_le32(lustre_srv);
+
/* now the token part */
*p++ = cpu_to_le32((__u32) token_size);
LASSERT(((char *)p - buf) + token_size <= bufsize);
struct lgssd_ioctl_param {
int version; /* in */
char *uuid; /* in */
+ int lustre_svc; /* in */
uid_t uid; /* in */
gid_t gid; /* in */
long send_token_size;/* in */
int rc, reqlen, replen;
if (count != sizeof(param)) {
- CERROR("partial write\n");
+ CERROR("ioctl size %lu, expect %d, please check lgssd version\n",
+ count, sizeof(param));
RETURN(-EINVAL);
}
- if (copy_from_user(¶m, buffer, sizeof(param)))
+ if (copy_from_user(¶m, buffer, sizeof(param))) {
+ CERROR("failed copy data from lgssd\n");
RETURN(-EFAULT);
+ }
if (param.version != GSSD_INTERFACE_VERSION) {
CERROR("gssd interface version %d (expect %d)\n",
CERROR("no such obd %s\n", obdname);
RETURN(-EINVAL);
}
- if (strcmp(obd->obd_type->typ_name, "mdc") &&
- strcmp(obd->obd_type->typ_name, "osc")) {
- CERROR("%s not a mdc/osc device\n", obdname);
- RETURN(-EINVAL);
- }
imp = class_import_get(obd->u.cli.cl_import);
/* get token */
reqlen = secinit_compose_request(imp, reqbuf, reqbuf_size,
+ param.lustre_svc,
param.uid, param.gid,
param.send_token_size,
param.send_token);
obdtype = import->imp_obd->obd_type->typ_name;
if (!strcmp(obdtype, "mdc"))
- gmd.gum_svc = 0;
+ gmd.gum_svc = LUSTRE_GSS_SVC_MDS;
else if (!strcmp(obdtype, "osc"))
- gmd.gum_svc = 1;
+ gmd.gum_svc = LUSTRE_GSS_SVC_OSS;
else {
CERROR("gss on %s?\n", obdtype);
RETURN(-EINVAL);
struct rsi {
struct cache_head h;
+ __u32 lustre_svc;
__u32 naltype;
__u32 netid;
__u64 nid;
- rawobj_t in_handle, in_token;
+ rawobj_t in_handle, in_token, in_srv_type;
rawobj_t out_handle, out_token;
int major_status, minor_status;
};
{
struct rsi *rsii = container_of(h, struct rsi, h);
- qword_addhex(bpp, blen, (char *)&rsii->naltype, sizeof(rsii->naltype));
- qword_addhex(bpp, blen, (char *)&rsii->netid, sizeof(rsii->netid));
- qword_addhex(bpp, blen, (char *)&rsii->nid, sizeof(rsii->nid));
- qword_addhex(bpp, blen, (char *)rsii->in_handle.data, rsii->in_handle.len);
- qword_addhex(bpp, blen, (char *)rsii->in_token.data, rsii->in_token.len);
+ qword_addhex(bpp, blen, (char *) &rsii->lustre_svc,
+ sizeof(rsii->lustre_svc));
+ qword_addhex(bpp, blen, (char *) &rsii->naltype, sizeof(rsii->naltype));
+ qword_addhex(bpp, blen, (char *) &rsii->netid, sizeof(rsii->netid));
+ qword_addhex(bpp, blen, (char *) &rsii->nid, sizeof(rsii->nid));
+ qword_addhex(bpp, blen, rsii->in_handle.data, rsii->in_handle.len);
+ qword_addhex(bpp, blen, rsii->in_token.data, rsii->in_token.len);
(*bpp)[-1] = '\n';
}
return found;
}
-struct gss_svc_data {
- /* decoded gss client cred: */
- struct rpc_gss_wire_cred clcred;
- /* internal used status */
- unsigned int is_init:1,
- is_init_continue:1,
- is_err_notify:1,
- is_fini:1;
- int reserve_len;
-};
-
/* FIXME
* again hacking: only try to give the svcgssd a chance to handle
* upcalls.
}
cache_init(&rsikey->h);
+ /* obtain lustre svc type */
+ if (seclen < 4) {
+ CERROR("sec size %d too small\n", seclen);
+ GOTO(out_rsikey, rc = SVC_DROP);
+ }
+ rsikey->lustre_svc = le32_to_cpu(*secdata++);
+ seclen -= 4;
+
+ /* duplicate context handle. currently always 0 */
if (rawobj_dup(&rsikey->in_handle, &gc->gc_ctx)) {
CERROR("fail to dup context handle\n");
GOTO(out_rsikey, rc = SVC_DROP);
}
+
+ /* extract token */
*res = PTLRPCS_BADVERF;
if (rawobj_extract(&tmpobj, &secdata, &seclen)) {
CERROR("can't extract token\n");
struct gss_svc_data *svcdata;
struct rpc_gss_wire_cred *gc;
struct ptlrpcs_wire_hdr *sec_hdr;
- __u32 seclen, *secdata, version, subflavor;
+ __u32 seclen, *secdata, version;
int rc;
ENTRY;
/* Now secdata/seclen is what we want to parse
*/
version = le32_to_cpu(*secdata++); /* version */
- subflavor = le32_to_cpu(*secdata++); /* subflavor */
+ svcdata->subflavor = le32_to_cpu(*secdata++); /* subflavor */
gc->gc_proc = le32_to_cpu(*secdata++); /* proc */
gc->gc_seq = le32_to_cpu(*secdata++); /* seq */
gc->gc_svc = le32_to_cpu(*secdata++); /* service */
seclen -= 5 * 4;
CDEBUG(D_SEC, "wire gss_hdr: %u/%u/%u/%u/%u\n",
- version, subflavor, gc->gc_proc, gc->gc_seq, gc->gc_svc);
+ version, svcdata->subflavor, gc->gc_proc,
+ gc->gc_seq, gc->gc_svc);
if (version != PTLRPC_SEC_GSS_VERSION) {
CERROR("gss version mismatch: %d - %d\n",
[ "$NODE" ] && node_opt="--node $NODE"
[ "$DEBUG" ] && debug_opt="--ptldebug=$DEBUG"
-${LCONF} $NOMOD --sec $SECURITY $portals_opt $lustre_opt $node_opt \
+${LCONF} $NOMOD --mds_sec $SECURITY $portals_opt $lustre_opt $node_opt \
${REFORMAT:---reformat} $@ $conf_opt || exit 5
if [ "$MOUNT2" ]; then
- $LLMOUNT -v -o sec=$SECURITY `hostname`:/mds1/client $MOUNT2 || exit 6
+ $LLMOUNT -v -o mds_sec=$SECURITY `hostname`:/mds1/client $MOUNT2 || exit 6
fi
[ "$NODE" ] && node_opt="--node $NODE"
-${LCONF} $NOMOD --sec $SECURITY $portals_opt $lustre_opt $node_opt \
+${LCONF} $NOMOD --mds_sec $SECURITY $portals_opt $lustre_opt $node_opt \
$@ $conf_opt || exit 5
if [ "$MOUNT2" ]; then
- $LLMOUNT -v -o sec=$SECURITY `hostname`:/mds1/client $MOUNT2 || exit 6
+ $LLMOUNT -v -o mds_sec=$SECURITY `hostname`:/mds1/client $MOUNT2 || exit 6
fi
active=`facet_active $facet`
do_facet $facet $LCONF --select ${facet}_svc=${active}_facet \
--node ${active}_facet --ptldebug $PTLDEBUG --subsystem $SUBSYSTEM \
- --sec $SECURITY $@ $XMLCONFIG
+ --mds_sec $SECURITY $@ $XMLCONFIG
}
stop() {
do_node $client mkdir $mnt 2> /dev/null || :
if [ -x /sbin/mount.lustre ] ; then
- do_node $client mount -t lustre -o sec=$SECURITY,nettype=$NETTYPE \
+ do_node $client mount -t lustre -o mds_sec=$SECURITY,nettype=$NETTYPE \
`facet_active_host mds1`:/mds1_svc/client_facet $mnt || return 2
else
# this is so cheating
do_node $client $LCONF --nosetup --node client_facet $XMLCONFIG > /dev/null || return 2
do_node $client $LLMOUNT `facet_active_host mds1`:/mds1_svc/client_facet $mnt \
- -o sec=$SECURITY,nettype=$NETTYPE|| return 4
+ -o mds_sec=$SECURITY,nettype=$NETTYPE|| return 4
fi
[ -d /r ] && $LCTL modules > /r/tmp/ogdb-`hostname`
# create a new device with lctl
def newdev(self, type, name, uuid, setup = ""):
- self.attach(type, name, uuid);
+ if type != 'mds':
+ self.attach(type, name, uuid);
try:
self.setup(name, setup)
except CommandError, e:
self.client_uuids = self.target.get_refs('client')
self.obdtype = self.db.get_val('obdtype', '')
+ self.mds_sec = self.db.get_val('mds_sec', '')
+ self.oss_sec = self.db.get_val('oss_sec', '')
+ self.deny_sec = self.db.get_val('deny_sec', '')
+
+ if config.mds_mds_sec:
+ self.mds_sec = config.mds_mds_sec
+ if config.mds_oss_sec:
+ self.oss_sec = config.mds_oss_sec
+ if config.mds_deny_sec:
+ if self.deny_sec:
+ self.deny_sec = "%s,%s" %(self.deny_sec, config.mds_deny_sec)
+ else:
+ self.deny_sec = config.mds_deny_sec
+
if self.obdtype == None:
self.obdtype = 'dumb'
config.record = 1
lctl.clear_log(self.name, self.target.getName() + '-conf')
lctl.record(self.name, self.target.getName() + '-conf')
+ lctl.attach("mds", self.conf_name, self.conf_uuid)
+ if self.mds_sec:
+ lctl.set_security(self.conf_name, "mds_sec", self.mds_sec)
+ if self.oss_sec:
+ lctl.set_security(self.conf_name, "oss_sec", self.oss_sec)
+ if self.deny_sec:
+ for flavor in string.split(self.deny_sec, ','):
+ lctl.set_security(self.conf_name, "deny_sec", flavor)
lctl.newdev("mds", self.conf_name, self.conf_uuid,
setup ="%s %s %s %s %s %s" %(self.realdev, self.fstype,
- self.conf_name, self.mountfsoptions,
- master_name, self.obdtype))
+ self.conf_name, self.mountfsoptions,
+ master_name, self.obdtype))
lctl.end_record()
config.record = 0
if self.master != None:
self.master.prepare()
- lctl.attach("mds", self.name, self.uuid)
- if config.mds_mds_sec:
- lctl.set_security(self.name, "mds_mds_sec", config.mds_mds_sec)
- if config.mds_ost_sec:
- lctl.set_security(self.name, "mds_ost_sec", config.mds_ost_sec)
- lctl.detach(self.name)
-
if not config.record:
self.confobd.start()
else:
self.failover_ost = 'n'
+ self.deny_sec = self.db.get_val('deny_sec', '')
+
+ if config.ost_deny_sec:
+ if self.deny_sec:
+ self.deny_sec = "%s,%s" %(self.deny_sec, config.ost_deny_sec)
+ else:
+ self.deny_sec = config.ost_deny_sec
+
active_uuid = get_active_target(ost)
if not active_uuid:
panic("No target device found:", target_uuid)
self.uuid = target_uuid
self.confobd = CONFDEV(self.db, self.name,
target_uuid, self.uuid)
-
+
def add_module(self, manager):
if not self.active:
return
return
run_acceptors()
+
if self.osdtype == 'obdecho':
self.info(self.osdtype)
lctl.newdev("obdecho", self.name, self.uuid)
if not config.record:
self.confobd.start()
+ if self.deny_sec:
+ for flavor in string.split(self.deny_sec, ','):
+ lctl.set_security(self.name, "deny_sec", flavor)
+
def write_conf(self):
if is_prepared(self.name):
return
self.obd_uuid = fs.get_first_ref('obd')
client_uuid = generate_client_uuid(self.name)
+ self.oss_sec = self.db.get_val('oss_sec','null')
+ self.mds_sec = self.db.get_val('mds_sec','null')
+ if config.mds_sec:
+ self.mds_sec = config.mds_sec
+ if config.oss_sec:
+ self.oss_sec = config.oss_sec
+
ost = self.db.lookup(self.obd_uuid)
if not ost:
panic("no ost: ", self.obd_uuid)
# so replace it with Lustre async
self.clientoptions = string.replace(self.clientoptions, "async", "lasync")
- if not config.sec:
- config.sec = "null"
- cmd = "mount -t lustre_lite -o osc=%s,mdc=%s,sec=%s%s %s %s" % \
- (self.vosc.get_name(), self.vmdc.get_name(), config.sec,
- self.clientoptions, config.config, self.path)
+ cmd = "mount -t lustre_lite -o osc=%s,mdc=%s,mds_sec=%s,oss_sec=%s%s %s %s" % \
+ (self.vosc.get_name(), self.vmdc.get_name(), self.mds_sec,
+ self.oss_sec, self.clientoptions, config.config, self.path)
run("mkdir", self.path)
ret, val = run(cmd)
if ret:
('config', "Cluster config name used for LDAP query", PARAM),
('select', "service=nodeA,service2=nodeB ", PARAMLIST),
('node', "Load config for <nodename>", PARAM),
- ('sec', "security flavor <null|krb5i|krb5p> of client", PARAM),
- ('mds_sec', "security flavor <null|krb5i|krb5p> of client", PARAM),
- ('mds_mds_sec', "security flavor <null|krb5i|krb5p> of inter mds's", PARAM),
- ('mds_ost_sec', "security flavor <null|krb5i|krb5p> of mds's-ost's", PARAM),
+ ('sec',"security flavor <null|krb5i|krb5p> between this client with mds", PARAM),
+ ('mds_sec',"security flavor <null|krb5i|krb5p> between this client with mds", PARAM),
+ ('oss_sec',"security flavor <null|krb5i|krb5p> between this client with ost", PARAM),
+ ('mds_mds_sec',"security flavor <null|krb5i|krb5p> between this mds with other mds", PARAM),
+ ('mds_oss_sec',"security flavor <null|krb5i|krb5p> between this mds with ost", PARAM),
+ ('mds_deny_sec', "security flavor <null|krb5i|krb5p> denied by this mds", PARAM),
+ ('ost_deny_sec', "security flavor <null|krb5i|krb5p> denied by this ost", PARAM),
('cleanup,d', "Cleans up config. (Shutdown)"),
('force,f', "Forced unmounting and/or obd detach during cleanup",
FLAG, 0),
lmd->lmd_remote_flag = 0;
lmd->lmd_nllu = NOBODY_UID;
lmd->lmd_nllg = NOBODY_GID;
- strncpy(lmd->lmd_security, "null", sizeof(lmd->lmd_security));
+ strncpy(lmd->lmd_mds_security, "null", sizeof(lmd->lmd_mds_security));
+ strncpy(lmd->lmd_oss_security, "null", sizeof(lmd->lmd_oss_security));
return 0;
}
printf("mds: %s\n", lmd->lmd_mds);
printf("profile: %s\n", lmd->lmd_profile);
- printf("sec_flavor: %s\n", lmd->lmd_security);
+ printf("mds_sec_flavor: %s\n", lmd->lmd_mds_security);
+ printf("oss_sec_flavor: %s\n", lmd->lmd_oss_security);
printf("server_nid: "LPX64"\n", lmd->lmd_server_nid);
#ifdef CRAY_PORTALS
if (lmd->lmd_nal != CRAY_KB_SSNAL) {
lmd->lmd_server_nid = nid;
} else if (!strcmp(opt, "port")) {
lmd->lmd_port = val;
- } else if (!strcmp(opt, "sec")) {
- strncpy(lmd->lmd_security, opteq + 1,
- sizeof(lmd->lmd_security));
+ } else if (!strcmp(opt, "mds_sec")) {
+ strncpy(lmd->lmd_mds_security, opteq + 1,
+ sizeof(lmd->lmd_mds_security));
+ } else if (!strcmp(opt, "oss_sec")) {
+ strncpy(lmd->lmd_oss_security, opteq + 1,
+ sizeof(lmd->lmd_oss_security));
} else if (!strcmp(opt, "nllu")) {
if (parse_nllu(lmd, opteq + 1)) {
fprintf(stderr, "%s: "
--mountfsoptions options
--root_squash uid:gid
--no_root_squash ptl_nid
+ --mds_mds_sec flavor
+ --mds_oss_sec flavor
+ --mds_deny_sec flavor[,flavor[...]]
--add lov
--lov lov_name
--mkfsoptions options
--mountfsoptions options
--nspath
+ --ost_deny_sec flavor[,flavor[...]]
--delete ost
--node node_name
--lmv lmv_name
--ost ost_name OR --lov lov_name
--clientoptions options
+ --mds_sec flavor
+ --oss_sec flavor
--add route
--node nodename
('root_squash', "MDS squash root to appointed uid.", PARAM, ""),
('no_root_squash', "Don't squash root for appointed nid.", PARAM, ""),
('nspath', "Local mount point of server namespace.", PARAM,""),
+ ('mds_mds_sec', "Specify the secure flavor for connection from this mds to other mds.", PARAM, ""),
+ ('mds_oss_sec', "Specify the secure flavor for connection from this mds to ost.", PARAM, ""),
+ ('mds_deny_sec', "Specify the secure flavor which is denied from remote to this mds.", PARAM, ""),
+ ('ost_deny_sec', "Specify the secure flavor which is denied from remote to this ost.", PARAM, ""),
('format', ""),
('migrate', "used for offline migrate of an ost in conjunctio with add/delete"),
('path', "Specify the mountpoint for Lustre.", PARAM),
('filesystem', "Lustre filesystem name", PARAM,""),
('clientoptions', "Specify the options for Lustre, such as async.", PARAM, ""),
+ ('mds_sec', "Specify the secure flavor for connection from this client to mds.", PARAM, ""),
+ ('oss_sec', "Specify the secure flavor for connection from this client to ost.", PARAM, ""),
# lov
('lov', "Specify LOV name.", PARAM,""),
def osd(self, name, uuid, fstype, osdtype, devname, format, ost_uuid,
node_uuid, dev_size=0, journal_size=0, inode_size=0, nspath="",
- mkfsoptions="", mountfsoptions="", backfstype="", backdevname=""):
+ mkfsoptions="", mountfsoptions="", backfstype="", backdevname="",
+ deny_sec=""):
osd = self.newService("osd", name, uuid)
osd.setAttribute('osdtype', osdtype)
osd.appendChild(self.ref("target", ost_uuid))
self.addElement(osd, "mkfsoptions", mkfsoptions)
if mountfsoptions:
self.addElement(osd, "mountfsoptions", mountfsoptions)
+ if deny_sec:
+ self.addElement(osd, "deny_sec", deny_sec)
if nspath:
self.addElement(osd, "nspath", nspath)
return osd
def mdsdev(self, name, uuid, fstype, devname, format, node_uuid,
mds_uuid, dev_size=0, journal_size=0, inode_size=256,
nspath="", mkfsoptions="", mountfsoptions="", backfstype="",
- backdevname="",lmv_uuid="", root_squash="", no_root_squash=""):
+ backdevname="",lmv_uuid="", root_squash="", no_root_squash="",
+ mds_sec="", oss_sec="", deny_sec=""):
mdd = self.newService("mdsdev", name, uuid)
self.addElement(mdd, "fstype", fstype)
if backfstype:
self.addElement(mdd, "root_squash", root_squash)
if no_root_squash:
self.addElement(mdd, "no_root_squash", no_root_squash)
+ if mds_sec:
+ self.addElement(mdd, "mds_sec", mds_sec)
+ if oss_sec:
+ self.addElement(mdd, "oss_sec", oss_sec)
+ if deny_sec:
+ self.addElement(mdd, "deny_sec", deny_sec)
mdd.appendChild(self.ref("node", node_uuid))
mdd.appendChild(self.ref("target", mds_uuid))
mgmt.appendChild(self.ref("active", mgmt_uuid))
return mgmt
- def mountpoint(self, name, uuid, fs_uuid, path, clientoptions):
+ def mountpoint(self, name, uuid, fs_uuid, path, clientoptions,
+ mds_sec, oss_sec):
mtpt = self.newService("mountpoint", name, uuid)
mtpt.appendChild(self.ref("filesystem", fs_uuid))
self.addElement(mtpt, "path", path)
if clientoptions:
self.addElement(mtpt, "clientoptions", clientoptions)
+ if mds_sec:
+ self.addElement(mtpt, "mds_sec", mds_sec)
+ if oss_sec:
+ self.addElement(mtpt, "oss_sec", oss_sec)
return mtpt
def filesystem(self, name, uuid, mds_uuid, obd_uuid, mgmt_uuid):
mountfsoptions = get_option(options, 'mountfsoptions')
root_squash = get_option(options, 'root_squash')
no_root_squash = get_option(options, 'no_root_squash')
+ mds_sec = get_option(options, 'mds_mds_sec')
+ oss_sec = get_option(options, 'mds_oss_sec')
+ deny_sec = get_option(options, 'mds_deny_sec')
node_uuid = name2uuid(lustre, node_name, 'node')
get_format_flag(options), node_uuid, mds_uuid,
size, journal_size, inode_size, nspath, mkfsoptions,
mountfsoptions, backfstype, backdevname,lmv_uuid,
- root_squash, no_root_squash)
+ root_squash, no_root_squash, mds_sec, oss_sec, deny_sec)
lustre.appendChild(mdd)
inode_size = ''
mkfsoptions = ''
mountfsoptions = ''
+ deny_sec = ''
else:
devname = get_option(options, 'dev') # can be unset for bluearcs
backdevname = get_option(options, 'backdev')
inode_size = get_option(options, 'inode_size')
mkfsoptions = get_option(options, 'mkfsoptions')
mountfsoptions = get_option(options, 'mountfsoptions')
+ deny_sec = get_option(options, 'ost_deny_sec')
nspath = get_option(options, 'nspath')
osd = gen.osd(osdname, osd_uuid, fstype, osdtype, devname,
get_format_flag(options), ost_uuid, node_uuid, size,
journal_size, inode_size, nspath, mkfsoptions,
- mountfsoptions, backfstype, backdevname)
+ mountfsoptions, backfstype, backdevname, deny_sec)
node = findByName(lustre, node_name, "node")
path = get_option(options, 'path')
clientoptions = get_option(options, "clientoptions")
+ mds_sec = get_option(options, "mds_sec")
+ oss_sec = get_option(options, "oss_sec")
fs_name = get_option(options, 'filesystem')
lov_name = get_option(options, 'lov')
error("MOUNTPOINT: ", name, " already exists.")
uuid = new_uuid(name)
- mtpt = gen.mountpoint(name, uuid, fs_uuid, path, clientoptions)
+ mtpt = gen.mountpoint(name, uuid, fs_uuid, path, clientoptions, mds_sec, oss_sec)
node = findByName(lustre, node_name, "node")
if not node:
error('node:', node_name, "not found.")
lustre_cfg_bufs_reset(&bufs, lcfg_devname);
/* currently only used to set on mds */
- if (strcmp(argv[1], "mds_mds_sec") && strcmp(argv[1], "mds_ost_sec")) {
+ if (strcmp(argv[1], "mds_sec") &&
+ strcmp(argv[1], "oss_sec") &&
+ strcmp(argv[1], "deny_sec")) {
fprintf(stderr, "%s: invalid security key %s\n",
jt_cmdname(argv[0]), argv[1]);
return -EINVAL;
}
- if (strcmp(argv[2], "null") && strcmp(argv[2], "krb5")) {
+ if (strcmp(argv[2], "null") &&
+ strcmp(argv[2], "krb5i") &&
+ strcmp(argv[2], "krb5p")) {
fprintf(stderr, "%s: invalid security value %s\n",
jt_cmdname(argv[0]), argv[2]);
return -EINVAL;