land b_hd_sec_client_oss onto HEAD.

author ericm <ericm>

Wed, 15 Jun 2005 20:24:42 +0000 (20:24 +0000)

committer ericm <ericm>

Wed, 15 Jun 2005 20:24:42 +0000 (20:24 +0000)
author ericm <ericm>
Wed, 15 Jun 2005 20:24:42 +0000 (20:24 +0000)
committer ericm <ericm>
Wed, 15 Jun 2005 20:24:42 +0000 (20:24 +0000)
diff --git a/lustre/include/linux/lustre_cfg.h b/lustre/include/linux/lustre_cfg.h

index ffa86c0..b1cb5f2 100644 (file)
--- a/lustre/include/linux/lustre_cfg.h
+++ b/lustre/include/linux/lustre_cfg.h
@@ -245,7 +245,8 @@ struct lustre_mount_data {
          uint64_t lmd_remote_flag;
          uint32_t lmd_nllu;
          uint32_t lmd_nllg;
          uint64_t lmd_remote_flag;
          uint32_t lmd_nllu;
          uint32_t lmd_nllg;
-        char     lmd_security[16];
+        char     lmd_mds_security[16];
+        char     lmd_oss_security[16];
          char     lmd_mds[64];
          char     lmd_profile[64];
  };
          char     lmd_mds[64];
          char     lmd_profile[64];
  };
diff --git a/lustre/include/linux/lustre_sec.h b/lustre/include/linux/lustre_sec.h

index 94028b4..34efde0 100644 (file)
--- a/lustre/include/linux/lustre_sec.h
+++ b/lustre/include/linux/lustre_sec.h
@@ -37,6 +37,11 @@ typedef struct ptlrpcs_flavor_s {
          __u32   subflavor;
  } ptlrpcs_flavor_t;
  
          __u32   subflavor;
  } ptlrpcs_flavor_t;
  
+typedef struct {
+        struct list_head        list;
+        ptlrpcs_flavor_t        sec;
+} deny_sec_t;
+
  enum ptlrpcs_security_type {
          PTLRPC_SEC_TYPE_NONE    = 0,    /* no security */
          PTLRPC_SEC_TYPE_AUTH    = 1,    /* authentication */
  enum ptlrpcs_security_type {
          PTLRPC_SEC_TYPE_NONE    = 0,    /* no security */
          PTLRPC_SEC_TYPE_AUTH    = 1,    /* authentication */
@@ -286,6 +291,39 @@ static inline int ptlrpcs_est_rep_payload(struct ptlrpc_sec *sec,
                  return 0;
  }
  
                  return 0;
  }
  
+static inline int add_deny_security(char *sec, struct list_head *head)
+{
+        int rc = 0;
+        deny_sec_t      *p_deny_sec = NULL;
+
+        LASSERT(sec != NULL);
+
+        OBD_ALLOC(p_deny_sec, sizeof(*p_deny_sec));
+        if (p_deny_sec == NULL) return -ENOMEM;
+
+        if (strcmp(sec, "null") == 0) {
+                p_deny_sec->sec.flavor = PTLRPC_SEC_NULL;
+                p_deny_sec->sec.subflavor = PTLRPC_SEC_NULL;
+        }else if (strcmp(sec, "krb5i") == 0) {
+               p_deny_sec->sec.flavor = PTLRPC_SEC_GSS;
+               p_deny_sec->sec.subflavor = PTLRPC_SEC_GSS_KRB5I;
+        }else if (strcmp(sec, "krb5p") == 0) {
+               p_deny_sec->sec.flavor = PTLRPC_SEC_GSS;
+               p_deny_sec->sec.subflavor = PTLRPC_SEC_GSS_KRB5P;
+        }else{
+               CERROR("unrecognized security type %s\n", (char*) sec);
+               GOTO(out, rc = -EINVAL);
+        }
+
+        list_add_tail(&p_deny_sec->list, head);
+out:
+        if (rc) {
+                if (p_deny_sec)
+                        OBD_FREE(p_deny_sec, sizeof(*p_deny_sec));
+        }
+        return rc;
+}
+
  int ptlrpcs_cli_wrap_request(struct ptlrpc_request *req);
  int ptlrpcs_cli_unwrap_reply(struct ptlrpc_request *req);
  int ptlrpcs_cli_alloc_reqbuf(struct ptlrpc_request *req, int msgsize);
  int ptlrpcs_cli_wrap_request(struct ptlrpc_request *req);
  int ptlrpcs_cli_unwrap_reply(struct ptlrpc_request *req);
  int ptlrpcs_cli_alloc_reqbuf(struct ptlrpc_request *req, int msgsize);
@@ -340,6 +378,37 @@ struct ptlrpc_svcsec {
  #define SVC_LOGIN       4
  #define SVC_LOGOUT      5
  
  #define SVC_LOGIN       4
  #define SVC_LOGOUT      5
  
+/* FIXME
+ * this should be a gss internal structure. fix these when we
+ * sort out the flavor issues.
+ */
+
+typedef struct rawobj_s {
+        __u32           len;
+        __u8           *data;
+} rawobj_t;
+
+/* on-the-wire gss cred: */
+struct rpc_gss_wire_cred {
+        __u32                   gc_v;           /* version */
+        __u32                   gc_proc;        /* control procedure */
+        __u32                   gc_seq;         /* sequence number */
+        __u32                   gc_svc;         /* service */
+        rawobj_t                gc_ctx;         /* context handle */
+};
+
+struct gss_svc_data {
+        __u32                           subflavor; /* XXX */
+        /* decoded gss client cred: */
+        struct rpc_gss_wire_cred        clcred;
+        /* internal used status */
+        unsigned int                    is_init:1,
+                                        is_init_continue:1,
+                                        is_err_notify:1,
+                                        is_fini:1;
+        int                             reserve_len;
+};
+
  int svcsec_register(struct ptlrpc_svcsec *ss);
  int svcsec_unregister(struct ptlrpc_svcsec *ss);
  int svcsec_accept(struct ptlrpc_request *req, enum ptlrpcs_error *res);
  int svcsec_register(struct ptlrpc_svcsec *ss);
  int svcsec_unregister(struct ptlrpc_svcsec *ss);
  int svcsec_accept(struct ptlrpc_request *req, enum ptlrpcs_error *res);
diff --git a/lustre/include/linux/obd.h b/lustre/include/linux/obd.h

index f264325..60a18f9 100644 (file)
--- a/lustre/include/linux/obd.h
+++ b/lustre/include/linux/obd.h
@@ -255,6 +255,11 @@ struct filter_obd {
  
          struct list_head         fo_llog_list;
          spinlock_t               fo_llog_list_lock;
  
          struct list_head         fo_llog_list;
          spinlock_t               fo_llog_list_lock;
+
+        /* which secure flavor from remote is denied */
+        spinlock_t              fo_denylist_lock;
+        struct list_head        fo_denylist;
+
  };
  
  struct mds_server_data;
  };
  
  struct mds_server_data;
@@ -399,6 +404,9 @@ struct mds_obd {
          /* security related */
          char                            *mds_mds_sec;
          char                            *mds_ost_sec;
          /* security related */
          char                            *mds_mds_sec;
          char                            *mds_ost_sec;
+        /* which secure flavor from remote to this mds is denied */
+        spinlock_t                      mds_denylist_lock;
+        struct list_head                mds_denylist;
  };
  
  struct echo_obd {
  };
  
  struct echo_obd {
diff --git a/lustre/ldlm/ldlm_lib.c b/lustre/ldlm/ldlm_lib.c

index 5130243..a01334f 100644 (file)
--- a/lustre/ldlm/ldlm_lib.c
+++ b/lustre/ldlm/ldlm_lib.c
@@ -536,6 +536,54 @@ static inline int ptlrpc_peer_is_local(struct ptlrpc_peer *peer)
          return (memcmp(&peer->peer_id, &myid, sizeof(myid)) == 0);
  }
  
          return (memcmp(&peer->peer_id, &myid, sizeof(myid)) == 0);
  }
  
+/* To check whether the p_flavor is in deny list or not
+ * rc:
+ *      0           not found, pass
+ *      EPERM       found, refuse
+ */
+
+static int check_deny_list(struct list_head *head, ptlrpcs_flavor_t *p_flavor)
+{
+        deny_sec_t *p_deny_sec = NULL;
+        deny_sec_t *n_deny_sec = NULL;
+
+        list_for_each_entry_safe(p_deny_sec, n_deny_sec, head, list) {
+                if ((p_deny_sec->sec.flavor == p_flavor->flavor) &&
+                    (p_deny_sec->sec.subflavor == p_flavor->subflavor))
+                        return -EPERM;
+        }
+        return 0;
+}
+
+int target_check_deny_sec(struct obd_device *target, struct ptlrpc_request *req)
+{
+        struct gss_svc_data *svcdata;
+        ptlrpcs_flavor_t flavor;
+        int rc = 0;
+
+        /* XXX hacking */
+        svcdata = (struct gss_svc_data *) req->rq_sec_svcdata;
+        if (svcdata == NULL) {
+                flavor.flavor = PTLRPC_SEC_NULL;
+                flavor.subflavor = 0;
+        } else {
+                flavor.flavor = PTLRPC_SEC_GSS;
+                flavor.subflavor = svcdata->subflavor;
+        }
+
+        if (!strcmp(target->obd_type->typ_name, LUSTRE_MDS_NAME)) {
+                spin_lock(&target->u.mds.mds_denylist_lock);
+                rc = check_deny_list(&target->u.mds.mds_denylist, &flavor);
+                spin_unlock(&target->u.mds.mds_denylist_lock);
+        } else if (!strcmp(target->obd_type->typ_name, "obdfilter")) {
+                spin_lock(&target->u.filter.fo_denylist_lock);
+                rc = check_deny_list(&target->u.filter.fo_denylist, &flavor);
+                spin_unlock(&target->u.filter.fo_denylist_lock);
+        }
+
+        return rc;
+}
+
  int target_handle_connect(struct ptlrpc_request *req)
  {
          unsigned long connect_flags = 0, *cfp;
  int target_handle_connect(struct ptlrpc_request *req)
  {
          unsigned long connect_flags = 0, *cfp;
@@ -578,6 +626,11 @@ int target_handle_connect(struct ptlrpc_request *req)
                  GOTO(out, rc = -ENODEV);
          }
  
                  GOTO(out, rc = -ENODEV);
          }
  
+        /* check the secure deny list of mds/ost */
+        rc = target_check_deny_sec(target, req);
+        if (rc != 0)
+                GOTO(out, rc);
+
          LASSERT_REQSWAB (req, offset + 1);
          str = lustre_msg_string(req->rq_reqmsg, offset + 1, sizeof(cluuid) - 1);
          if (str == NULL) {
          LASSERT_REQSWAB (req, offset + 1);
          str = lustre_msg_string(req->rq_reqmsg, offset + 1, sizeof(cluuid) - 1);
          if (str == NULL) {
diff --git a/lustre/llite/llite_internal.h b/lustre/llite/llite_internal.h

index d552db6..673b763 100644 (file)
--- a/lustre/llite/llite_internal.h
+++ b/lustre/llite/llite_internal.h
@@ -301,8 +301,8 @@ extern struct super_operations lustre_super_operations;
  
  char *ll_read_opt(const char *opt, char *data);
  int ll_set_opt(const char *opt, char *data, int fl);
  
  char *ll_read_opt(const char *opt, char *data);
  int ll_set_opt(const char *opt, char *data, int fl);
-void ll_options(char *options, char **ost, char **mds, char **sec, 
-                int *async, int *flags);
+void ll_options(char *options, char **ost, char **mds, char **mds_sec,
+                char **oss_sec, int *async, int *flags);
  void ll_lli_init(struct ll_inode_info *lli);
  int ll_fill_super(struct super_block *sb, void *data, int silent);
  int lustre_fill_super(struct super_block *sb, void *data, int silent);
  void ll_lli_init(struct ll_inode_info *lli);
  int ll_fill_super(struct super_block *sb, void *data, int silent);
  int lustre_fill_super(struct super_block *sb, void *data, int silent);
diff --git a/lustre/llite/llite_lib.c b/lustre/llite/llite_lib.c

index bf40365..5ce6640 100644 (file)
--- a/lustre/llite/llite_lib.c
+++ b/lustre/llite/llite_lib.c
@@ -129,8 +129,8 @@ int lustre_init_dt_desc(struct ll_sb_info *sbi)
  extern struct dentry_operations ll_d_ops;
  
  int lustre_common_fill_super(struct super_block *sb, char *lmv, char *lov,
  extern struct dentry_operations ll_d_ops;
  
  int lustre_common_fill_super(struct super_block *sb, char *lmv, char *lov,
-                             int async, char *security, __u32 *nllu,
-                             __u64 *remote)
+                             int async,  char *mds_security,  char *oss_security,
+                             __u32 *nllu, __u64 *remote)
  {
          struct ll_sb_info *sbi = ll_s2sbi(sb);
          struct ptlrpc_request *request = NULL;
  {
          struct ll_sb_info *sbi = ll_s2sbi(sb);
          struct ptlrpc_request *request = NULL;
@@ -168,14 +168,14 @@ int lustre_common_fill_super(struct super_block *sb, char *lmv, char *lov,
                                                OBD_CONNECT_REMOTE);
          memcpy(data->ocd_nllu, nllu, sizeof(data->ocd_nllu));
  
                                                OBD_CONNECT_REMOTE);
          memcpy(data->ocd_nllu, nllu, sizeof(data->ocd_nllu));
  
-        if (security == NULL)
-                security = "null";
+        if (mds_security == NULL)
+                mds_security = "null";
  
          err = obd_set_info(obd->obd_self_export, strlen("sec"), "sec",
  
          err = obd_set_info(obd->obd_self_export, strlen("sec"), "sec",
-                           strlen(security), security);
+                           strlen(mds_security), mds_security);
          if (err) {
                  CERROR("LMV %s: failed to set security %s, err %d\n",
          if (err) {
                  CERROR("LMV %s: failed to set security %s, err %d\n",
-                        lmv, security, err);
+                        lmv, mds_security, err);
                  OBD_FREE(data, sizeof(*data));
                  RETURN(err);
          }
                  OBD_FREE(data, sizeof(*data));
                  RETURN(err);
          }
@@ -237,6 +237,18 @@ int lustre_common_fill_super(struct super_block *sb, char *lmv, char *lov,
          obd_set_info(obd->obd_self_export, strlen("async"), "async",
                       sizeof(async), &async);
  
          obd_set_info(obd->obd_self_export, strlen("async"), "async",
                       sizeof(async), &async);
  
+       if (oss_security == NULL)
+                oss_security = "null";
+
+        err = obd_set_info(obd->obd_self_export, strlen("sec"), "sec",
+                           strlen(oss_security), oss_security);
+        if (err) {
+                CERROR("LOV %s: failed to set security %s, err %d\n",
+                        lov, oss_security, err);
+                OBD_FREE(data, sizeof(*data));
+                RETURN(err);
+        }
+
          err = obd_connect(&dt_conn, obd, &sbi->ll_sb_uuid, data,
                            OBD_OPT_REAL_CLIENT);
          if (err == -EBUSY) {
          err = obd_connect(&dt_conn, obd, &sbi->ll_sb_uuid, data,
                            OBD_OPT_REAL_CLIENT);
          if (err == -EBUSY) {
@@ -407,8 +419,8 @@ int ll_set_opt(const char *opt, char *data, int fl)
                  RETURN(fl);
  }
  
                  RETURN(fl);
  }
  
-void ll_options(char *options, char **lov, char **lmv, char **sec, 
-                int *async, int *flags)
+void ll_options(char *options, char **lov, char **lmv, char **mds_sec,
+                char **oss_sec, int *async, int *flags)
  {
          char *this_char;
  #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,0))
  {
          char *this_char;
  #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,0))
@@ -438,7 +450,9 @@ void ll_options(char *options, char **lov, char **lmv, char **sec,
                          *async = 1;
                          continue;
                  }
                          *async = 1;
                          continue;
                  }
-                if (!*sec && (*sec = ll_read_opt("sec", this_char)))
+                if (!*mds_sec && (*mds_sec = ll_read_opt("mds_sec", this_char)))
+                        continue;
+                if (!*oss_sec && (*oss_sec = ll_read_opt("oss_sec", this_char)))
                          continue;
                  if (!(*flags & LL_SBI_NOLCK) &&
                      ((*flags) = (*flags) |
                          continue;
                  if (!(*flags & LL_SBI_NOLCK) &&
                      ((*flags) = (*flags) |
@@ -473,8 +487,9 @@ int ll_fill_super(struct super_block *sb, void *data, int silent)
          struct ll_sb_info *sbi;
          char *lov = NULL;
          char *lmv = NULL;
          struct ll_sb_info *sbi;
          char *lov = NULL;
          char *lmv = NULL;
+        char *mds_sec = NULL;
+        char *oss_sec = NULL;
          int async, err;
          int async, err;
-        char *sec = NULL;
          __u32 nllu[2] = { NOBODY_UID, NOBODY_GID };
          __u64 remote_flag = 0;    
          ENTRY;
          __u32 nllu[2] = { NOBODY_UID, NOBODY_GID };
          __u64 remote_flag = 0;    
          ENTRY;
@@ -486,7 +501,8 @@ int ll_fill_super(struct super_block *sb, void *data, int silent)
                  RETURN(-ENOMEM);
  
          sbi->ll_flags |= LL_SBI_READAHEAD;
                  RETURN(-ENOMEM);
  
          sbi->ll_flags |= LL_SBI_READAHEAD;
-        ll_options(data, &lov, &lmv, &sec, &async, &sbi->ll_flags);
+        ll_options(data, &lov, &lmv, &mds_sec, &oss_sec,
+                   &async, &sbi->ll_flags);
  
          if (!lov) {
                  CERROR("no osc\n");
  
          if (!lov) {
                  CERROR("no osc\n");
@@ -498,19 +514,22 @@ int ll_fill_super(struct super_block *sb, void *data, int silent)
                  GOTO(out, err = -EINVAL);
          }
          
                  GOTO(out, err = -EINVAL);
          }
          
-        err = lustre_common_fill_super(sb, lmv, lov, async, sec,
+        err = lustre_common_fill_super(sb, lmv, lov, async, mds_sec, oss_sec,
                                         nllu, &remote_flag);
          EXIT;
  out:
          if (err)
                  lustre_free_sbi(sb);
  
                                         nllu, &remote_flag);
          EXIT;
  out:
          if (err)
                  lustre_free_sbi(sb);
  
-        if (sec)
-                OBD_FREE(sec, strlen(sec) + 1);
          if (lmv)
                  OBD_FREE(lmv, strlen(lmv) + 1);
          if (lov)
                  OBD_FREE(lov, strlen(lov) + 1);
          if (lmv)
                  OBD_FREE(lmv, strlen(lmv) + 1);
          if (lov)
                  OBD_FREE(lov, strlen(lov) + 1);
+        if (mds_sec)
+                OBD_FREE(mds_sec, strlen(mds_sec) + 1);
+        if (oss_sec)
+                OBD_FREE(oss_sec, strlen(oss_sec) + 1);
+
          return err;
  } /* ll_read_super */
  
          return err;
  } /* ll_read_super */
  
@@ -598,7 +617,7 @@ static int lustre_process_log(struct lustre_mount_data *lmd, char *profile,
                  GOTO(out_cleanup, rc = -EINVAL);
  
          rc = obd_set_info(obd->obd_self_export, strlen("sec"), "sec",
                  GOTO(out_cleanup, rc = -EINVAL);
  
          rc = obd_set_info(obd->obd_self_export, strlen("sec"), "sec",
-                          strlen(lmd->lmd_security), lmd->lmd_security);
+                          strlen(lmd->lmd_mds_security), lmd->lmd_mds_security);
          if (rc)
                  GOTO(out_cleanup, rc);
  
          if (rc)
                  GOTO(out_cleanup, rc);
  
@@ -731,7 +750,8 @@ int lustre_fill_super(struct super_block *sb, void *data, int silent)
                          CERROR("no mds name\n");
                          GOTO(out_free, err = -EINVAL);
                  }
                          CERROR("no mds name\n");
                          GOTO(out_free, err = -EINVAL);
                  }
-                lmd->lmd_security[sizeof(lmd->lmd_security) - 1] = 0;
+                lmd->lmd_mds_security[sizeof(lmd->lmd_mds_security) - 1] = 0;
+                lmd->lmd_oss_security[sizeof(lmd->lmd_oss_security) - 1] = 0;
  
                  OBD_ALLOC(sbi->ll_lmd, sizeof(*sbi->ll_lmd));
                  if (sbi->ll_lmd == NULL)
  
                  OBD_ALLOC(sbi->ll_lmd, sizeof(*sbi->ll_lmd));
                  if (sbi->ll_lmd == NULL)
@@ -784,8 +804,9 @@ int lustre_fill_super(struct super_block *sb, void *data, int silent)
          }
  
          err = lustre_common_fill_super(sb, lmv, lov, lmd->lmd_async,
          }
  
          err = lustre_common_fill_super(sb, lmv, lov, lmd->lmd_async,
-                                       lmd->lmd_security, &lmd->lmd_nllu,
-                                       &lmd->lmd_remote_flag);
+                                       lmd->lmd_mds_security,
+                                       lmd->lmd_oss_security,
+                                       &lmd->lmd_nllu, &lmd->lmd_remote_flag);
  
          if (err)
                  GOTO(out_free, err);
  
          if (err)
                  GOTO(out_free, err);
diff --git a/lustre/mdc/mdc_request.c b/lustre/mdc/mdc_request.c

index 5b78b51..f62cd99 100644 (file)
--- a/lustre/mdc/mdc_request.c
+++ b/lustre/mdc/mdc_request.c
@@ -833,7 +833,8 @@ int mdc_set_info(struct obd_export *exp, obd_count keylen,
                         exp->exp_obd->obd_name,
                         imp->imp_initial_recov);
                  RETURN(0);
                         exp->exp_obd->obd_name,
                         imp->imp_initial_recov);
                  RETURN(0);
-        } else if (keylen >= strlen("mds_type") && strcmp(key, "mds_type") == 0) {
+        } else if (keylen >= strlen("mds_type") &&
+                   strcmp(key, "mds_type") == 0) {
                  struct ptlrpc_request *req;
                  char *bufs[2] = {key, val};
                  int rc, size[2] = {keylen, vallen};
                  struct ptlrpc_request *req;
                  char *bufs[2] = {key, val};
                  int rc, size[2] = {keylen, vallen};
@@ -852,7 +853,8 @@ int mdc_set_info(struct obd_export *exp, obd_count keylen,
                  imp->imp_server_timeout = 1;
                  CDEBUG(D_OTHER, "%s: timeout / 2\n", exp->exp_obd->obd_name);
                  RETURN(0);
                  imp->imp_server_timeout = 1;
                  CDEBUG(D_OTHER, "%s: timeout / 2\n", exp->exp_obd->obd_name);
                  RETURN(0);
-        } else if (keylen == strlen("sec") && memcmp(key, "sec", keylen) == 0) {
+        } else if (keylen == strlen("sec") &&
+                   memcmp(key, "sec", keylen) == 0) {
                  struct client_obd *cli = &exp->exp_obd->u.cli;
  
                  if (vallen == strlen("null") &&
                  struct client_obd *cli = &exp->exp_obd->u.cli;
  
                  if (vallen == strlen("null") &&
diff --git a/lustre/mds/handler.c b/lustre/mds/handler.c

index 1384ed6..72ccf1c 100644 (file)
--- a/lustre/mds/handler.c
+++ b/lustre/mds/handler.c
@@ -57,6 +57,7 @@
  #include <linux/lustre_commit_confd.h>
  #include <linux/lustre_acl.h>
  #include "mds_internal.h"
  #include <linux/lustre_commit_confd.h>
  #include <linux/lustre_acl.h>
  #include "mds_internal.h"
+#include <linux/lustre_sec.h>
  
  static int mds_intent_policy(struct ldlm_namespace *ns,
                               struct ldlm_lock **lockp, void *req_cookie,
  
  static int mds_intent_policy(struct ldlm_namespace *ns,
                               struct ldlm_lock **lockp, void *req_cookie,
@@ -3265,7 +3266,7 @@ static int mds_setup(struct obd_device *obd, obd_count len, void *buf)
          sema_init(&mds->mds_md_sem, 1);
          mds->mds_md_connected = 0;
          mds->mds_md_name = NULL;
          sema_init(&mds->mds_md_sem, 1);
          mds->mds_md_connected = 0;
          mds->mds_md_name = NULL;
-        
+
          if (LUSTRE_CFG_BUFLEN(lcfg, 5) > 0 && lustre_cfg_buf(lcfg, 5) &&
              strncmp(lustre_cfg_string(lcfg, 5), "dumb", LUSTRE_CFG_BUFLEN(lcfg, 5))) {
                  class_uuid_t uuid;
          if (LUSTRE_CFG_BUFLEN(lcfg, 5) > 0 && lustre_cfg_buf(lcfg, 5) &&
              strncmp(lustre_cfg_string(lcfg, 5), "dumb", LUSTRE_CFG_BUFLEN(lcfg, 5))) {
                  class_uuid_t uuid;
@@ -3289,7 +3290,7 @@ static int mds_setup(struct obd_device *obd, obd_count len, void *buf)
                          GOTO(err_ops, rc);
                  }
          }
                          GOTO(err_ops, rc);
                  }
          }
-        
+
          mds->mds_obd_type = MDS_MASTER_OBD;
  
          if (LUSTRE_CFG_BUFLEN(lcfg, 6) > 0 && lustre_cfg_buf(lcfg, 6) &&
          mds->mds_obd_type = MDS_MASTER_OBD;
  
          if (LUSTRE_CFG_BUFLEN(lcfg, 6) > 0 && lustre_cfg_buf(lcfg, 6) &&
@@ -3343,7 +3344,7 @@ static int mds_setup(struct obd_device *obd, obd_count len, void *buf)
                         obd->obd_name, rc);
                  GOTO(err_ns, rc);
          }
                         obd->obd_name, rc);
                  GOTO(err_ns, rc);
          }
-        
+
          rc = llog_start_commit_thread();
          if (rc < 0)
  
          rc = llog_start_commit_thread();
          if (rc < 0)
  
@@ -3631,6 +3632,20 @@ static int mds_cleanup(struct obd_device *obd, int flags)
          /* XXX */
          lgss_svc_cache_purge_all();
  #endif
          /* XXX */
          lgss_svc_cache_purge_all();
  #endif
+
+        spin_lock(&mds->mds_denylist_lock);
+        while (!list_empty( &mds->mds_denylist ) ) {
+                deny_sec_t *p_deny_sec = list_entry(mds->mds_denylist.next,
+                                                    deny_sec_t, list);
+                list_del(&p_deny_sec->list);
+                OBD_FREE(p_deny_sec, sizeof(*p_deny_sec));
+        }
+        spin_unlock(&mds->mds_denylist_lock);
+        if(mds->mds_mds_sec)
+                OBD_FREE(mds->mds_mds_sec, strlen(mds->mds_mds_sec) + 1);
+        if(mds->mds_ost_sec)
+                OBD_FREE(mds->mds_ost_sec, strlen(mds->mds_ost_sec) + 1);
+
          RETURN(0);
  }
  
          RETURN(0);
  }
  
@@ -3638,13 +3653,14 @@ static int set_security(const char *value, char **sec)
  {
          int rc = 0;
  
  {
          int rc = 0;
  
-        if (!strcmp(value, "null"))
-                *sec = "null";
-        else if (!strcmp(value, "krb5i"))
-                *sec = "krb5i";
-        else if (!strcmp(value, "krb5p"))
-                *sec = "krb5p";
-        else {
+        if (!strcmp(value, "null") ||
+            !strcmp(value, "krb5i") ||
+            !strcmp(value, "krb5p")) {
+                OBD_ALLOC(*sec, strlen(value) + 1);
+                if(!*sec)
+                        RETURN(-ENOMEM);
+                memcpy(*sec, value, strlen(value) + 1);
+        } else {
                  CERROR("Unrecognized value, force use NULL\n");
                  rc = -EINVAL;
          }
                  CERROR("Unrecognized value, force use NULL\n");
                  rc = -EINVAL;
          }
@@ -3661,16 +3677,22 @@ static int mds_process_config(struct obd_device *obd, obd_count len, void *buf)
  
          switch(lcfg->lcfg_command) {
          case LCFG_SET_SECURITY: {
  
          switch(lcfg->lcfg_command) {
          case LCFG_SET_SECURITY: {
-                if (LUSTRE_CFG_BUFLEN(lcfg, 1) || LUSTRE_CFG_BUFLEN(lcfg, 2))
+                if ((LUSTRE_CFG_BUFLEN(lcfg, 1) == 0) ||
+                    (LUSTRE_CFG_BUFLEN(lcfg, 2) == 0))
                          GOTO(out, rc = -EINVAL);
  
                          GOTO(out, rc = -EINVAL);
  
-                if (!strcmp(lustre_cfg_string(lcfg, 1), "mds_mds_sec"))
+                if (!strcmp(lustre_cfg_string(lcfg, 1), "mds_sec"))
                          rc = set_security(lustre_cfg_string(lcfg, 2),
                                            &mds->mds_mds_sec);
                          rc = set_security(lustre_cfg_string(lcfg, 2),
                                            &mds->mds_mds_sec);
-                else if (!strcmp(lustre_cfg_string(lcfg, 2), "mds_ost_sec"))
+                else if (!strcmp(lustre_cfg_string(lcfg, 1), "oss_sec"))
                          rc = set_security(lustre_cfg_string(lcfg, 2),
                                            &mds->mds_ost_sec);
                          rc = set_security(lustre_cfg_string(lcfg, 2),
                                            &mds->mds_ost_sec);
-                else {
+                else if (!strcmp(lustre_cfg_string(lcfg, 1), "deny_sec")){
+                        spin_lock(&mds->mds_denylist_lock);
+                        rc = add_deny_security(lustre_cfg_string(lcfg, 2),
+                                               &mds->mds_denylist);
+                        spin_unlock(&mds->mds_denylist_lock);
+                } else {
                          CERROR("Unrecognized key\n");
                          rc = -EINVAL;
                  }
                          CERROR("Unrecognized key\n");
                          rc = -EINVAL;
                  }
@@ -3943,6 +3965,10 @@ int mds_attach(struct obd_device *dev, obd_count len, void *data)
  {
          struct lprocfs_static_vars lvars;
          int rc = 0;
  {
          struct lprocfs_static_vars lvars;
          int rc = 0;
+        struct mds_obd *mds = &dev->u.mds;
+
+        spin_lock_init(&mds->mds_denylist_lock);
+        INIT_LIST_HEAD(&mds->mds_denylist);
  
          lprocfs_init_multi_vars(0, &lvars);
  
  
          lprocfs_init_multi_vars(0, &lvars);
  
diff --git a/lustre/obdfilter/filter.c b/lustre/obdfilter/filter.c

index 023bb30..f9bf6fc 100644 (file)
--- a/lustre/obdfilter/filter.c
+++ b/lustre/obdfilter/filter.c
@@ -60,6 +60,7 @@
  #include <libcfs/list.h>
  
  #include <linux/lustre_smfs.h>
  #include <libcfs/list.h>
  
  #include <linux/lustre_smfs.h>
+#include <linux/lustre_sec.h>
  #include "filter_internal.h"
  
  /* Group 0 is no longer a legal group, to catch uninitialized IDs */
  #include "filter_internal.h"
  
  /* Group 0 is no longer a legal group, to catch uninitialized IDs */
@@ -1571,8 +1572,13 @@ static int filter_detach(struct obd_device *dev)
  static int filter_setup(struct obd_device *obd, obd_count len, void *buf)
  {
          struct lustre_cfg* lcfg = buf;
  static int filter_setup(struct obd_device *obd, obd_count len, void *buf)
  {
          struct lustre_cfg* lcfg = buf;
+        struct filter_obd *filter = &obd->u.filter;
          int rc;
          ENTRY;
          int rc;
          ENTRY;
+
+        spin_lock_init(&filter->fo_denylist_lock);
+        INIT_LIST_HEAD(&filter->fo_denylist);
+
          /* all mount options including errors=remount-ro and asyncdel are passed
           * using 4th lcfg param. And it is good, finally we have got rid of
           * hardcoded fs types in the code. */
          /* all mount options including errors=remount-ro and asyncdel are passed
           * using 4th lcfg param. And it is good, finally we have got rid of
           * hardcoded fs types in the code. */
@@ -1616,6 +1622,15 @@ static int filter_cleanup(struct obd_device *obd, int flags)
          shrink_dcache_parent(filter->fo_sb->s_root);
          filter->fo_sb = 0;
  
          shrink_dcache_parent(filter->fo_sb->s_root);
          filter->fo_sb = 0;
  
+        spin_lock(&filter->fo_denylist_lock);
+        while (!list_empty(&filter->fo_denylist)) {
+                deny_sec_t *p_deny_sec = list_entry(filter->fo_denylist.next,
+                                                    deny_sec_t, list);
+                list_del(&p_deny_sec->list);
+                OBD_FREE(p_deny_sec, sizeof(*p_deny_sec));
+        }
+        spin_unlock(&filter->fo_denylist_lock);
+
          unlock_kernel();
          lvfs_umount_fs(filter->fo_lvfs_ctxt);
          //destroy_buffers(filter->fo_sb->s_dev);
          unlock_kernel();
          lvfs_umount_fs(filter->fo_lvfs_ctxt);
          //destroy_buffers(filter->fo_sb->s_dev);
@@ -1628,6 +1643,40 @@ static int filter_cleanup(struct obd_device *obd, int flags)
          RETURN(0);
  }
  
          RETURN(0);
  }
  
+static int filter_process_config(struct obd_device *obd, obd_count len, void *buf)
+{
+        struct lustre_cfg *lcfg = buf;
+        struct filter_obd *filter = &obd->u.filter;
+        int rc = 0;
+        ENTRY;
+
+        switch(lcfg->lcfg_command) {
+        case LCFG_SET_SECURITY: {
+                if ((LUSTRE_CFG_BUFLEN(lcfg, 1) == 0) ||
+                    (LUSTRE_CFG_BUFLEN(lcfg, 2) == 0))
+                        GOTO(out, rc = -EINVAL);
+
+                if (!strcmp(lustre_cfg_string(lcfg, 1), "deny_sec")){
+                        spin_lock(&filter->fo_denylist_lock);
+                        rc = add_deny_security(lustre_cfg_string(lcfg, 2),
+                                               &filter->fo_denylist);
+                        spin_unlock(&filter->fo_denylist_lock);
+                }else {
+                        CERROR("Unrecognized key\n");
+                        rc = -EINVAL;
+                }
+                break;
+        }
+        default: {
+                CERROR("Unknown command: %d\n", lcfg->lcfg_command);
+                GOTO(out, rc = -EINVAL);
+
+        }
+        }
+out:
+        RETURN(rc);
+}
+
  static int filter_connect_post(struct obd_export *exp, unsigned initial,
                                 unsigned long connect_flags)
  {
  static int filter_connect_post(struct obd_export *exp, unsigned initial,
                                 unsigned long connect_flags)
  {
@@ -3040,6 +3089,7 @@ static struct obd_ops filter_obd_ops = {
          .o_setup          = filter_setup,
          .o_precleanup     = filter_precleanup,
          .o_cleanup        = filter_cleanup,
          .o_setup          = filter_setup,
          .o_precleanup     = filter_precleanup,
          .o_cleanup        = filter_cleanup,
+        .o_process_config = filter_process_config,
          .o_connect        = filter_connect,
          .o_connect_post   = filter_connect_post,
          .o_disconnect     = filter_disconnect,
          .o_connect        = filter_connect,
          .o_connect_post   = filter_connect_post,
          .o_disconnect     = filter_disconnect,
diff --git a/lustre/osc/osc_request.c b/lustre/osc/osc_request.c

index ee2dc0b..f900f5c 100644 (file)
--- a/lustre/osc/osc_request.c
+++ b/lustre/osc/osc_request.c
@@ -2913,7 +2913,8 @@ static int osc_set_info(struct obd_export *exp, obd_count keylen,
                  RETURN(0);
          }
  
                  RETURN(0);
          }
  
-        if (keylen == strlen("sec") && memcmp(key, "sec", keylen) == 0) {
+        if (keylen == strlen("sec") &&
+            memcmp(key, "sec", keylen) == 0) {
                  struct client_obd *cli = &exp->exp_obd->u.cli;
  
                  if (vallen == strlen("null") &&
                  struct client_obd *cli = &exp->exp_obd->u.cli;
  
                  if (vallen == strlen("null") &&
diff --git a/lustre/ost/ost_handler.c b/lustre/ost/ost_handler.c

index f20386c..9902402 100644 (file)
--- a/lustre/ost/ost_handler.c
+++ b/lustre/ost/ost_handler.c
@@ -44,6 +44,7 @@
  #include <linux/lprocfs_status.h>
  #include <linux/lustre_commit_confd.h>
  #include <libcfs/list.h>
  #include <linux/lprocfs_status.h>
  #include <linux/lustre_commit_confd.h>
  #include <libcfs/list.h>
+#include <linux/lustre_sec.h>
  
  void oti_init(struct obd_trans_info *oti, struct ptlrpc_request *req)
  {
  
  void oti_init(struct obd_trans_info *oti, struct ptlrpc_request *req)
  {
@@ -1030,7 +1031,7 @@ int ost_handle(struct ptlrpc_request *req)
          if (req->rq_reqmsg->opc == SEC_INIT ||
              req->rq_reqmsg->opc == SEC_INIT_CONTINUE ||
              req->rq_reqmsg->opc == SEC_FINI) {
          if (req->rq_reqmsg->opc == SEC_INIT ||
              req->rq_reqmsg->opc == SEC_INIT_CONTINUE ||
              req->rq_reqmsg->opc == SEC_FINI) {
-                RETURN(0);
+                GOTO(out_check_req, rc = 0);
          }
  
          /* XXX identical to MDS */
          }
  
          /* XXX identical to MDS */
@@ -1316,6 +1317,7 @@ out_service:
          RETURN(rc);
  }
  
          RETURN(rc);
  }
  
+extern void lgss_svc_cache_purge_all(void);
  static int ost_cleanup(struct obd_device *obd, int flags)
  {
          struct ost_obd *ost = &obd->u.ost;
  static int ost_cleanup(struct obd_device *obd, int flags)
  {
          struct ost_obd *ost = &obd->u.ost;
@@ -1335,6 +1337,10 @@ static int ost_cleanup(struct obd_device *obd, int flags)
          ptlrpc_stop_all_threads(ost->ost_create_service);
          ptlrpc_unregister_service(ost->ost_create_service);
  
          ptlrpc_stop_all_threads(ost->ost_create_service);
          ptlrpc_unregister_service(ost->ost_create_service);
  
+#ifdef ENABLE_GSS
+        /* XXX */
+        lgss_svc_cache_purge_all();
+#endif
          RETURN(err);
  }
  
          RETURN(err);
  }
  
diff --git a/lustre/sec/gss/gss_internal.h b/lustre/sec/gss/gss_internal.h

index 2475e8e..c605633 100644 (file)
--- a/lustre/sec/gss/gss_internal.h
+++ b/lustre/sec/gss/gss_internal.h
@@ -7,6 +7,7 @@
   * Author: Eric Mei <ericm@clusterfs.com>
   */
  
   * Author: Eric Mei <ericm@clusterfs.com>
   */
  
+#include <linux/lustre_sec.h>
  #ifndef __SEC_GSS_GSS_INTERNAL_H_
  #define __SEC_GSS_GSS_INTERNAL_H_
  
  #ifndef __SEC_GSS_GSS_INTERNAL_H_
  #define __SEC_GSS_GSS_INTERNAL_H_
  
@@ -88,11 +89,7 @@ crypto_tfm_alg_ivsize(struct crypto_tfm *tfm)
  struct ptlrpc_sec;
  struct ptlrpc_cred;
  
  struct ptlrpc_sec;
  struct ptlrpc_cred;
  
-typedef struct rawobj_s {
-        __u32           len;
-        __u8           *data;
-} rawobj_t;
-
+/* rawobj stuff */
  int rawobj_alloc(rawobj_t *obj, char *buf, int len);
  void rawobj_free(rawobj_t *obj);
  int rawobj_equal(rawobj_t *a, rawobj_t *b);
  int rawobj_alloc(rawobj_t *obj, char *buf, int len);
  void rawobj_free(rawobj_t *obj);
  int rawobj_equal(rawobj_t *a, rawobj_t *b);
@@ -113,6 +110,15 @@ typedef struct rawobj_buf_s {
   */
  #define GSSD_INTERFACE_VERSION  (1)
  
   */
  #define GSSD_INTERFACE_VERSION  (1)
  
+/*
+ * target of gss request
+ */
+#define LUSTRE_GSS_SVC_MDS      0
+#define LUSTRE_GSS_SVC_OSS      1
+
+/*
+ * data types in gss header
+ */
  #define MAXSEQ 0x80000000 /* maximum legal sequence number, from rfc 2203 */
  
  enum rpc_gss_proc {
  #define MAXSEQ 0x80000000 /* maximum legal sequence number, from rfc 2203 */
  
  enum rpc_gss_proc {
@@ -128,15 +134,6 @@ enum rpc_gss_svc {
          RPC_GSS_SVC_PRIVACY =           3,
  };
  
          RPC_GSS_SVC_PRIVACY =           3,
  };
  
-/* on-the-wire gss cred: */
-struct rpc_gss_wire_cred {
-        __u32                   gc_v;           /* version */
-        __u32                   gc_proc;        /* control procedure */
-        __u32                   gc_seq;         /* sequence number */
-        __u32                   gc_svc;         /* service */
-        rawobj_t                gc_ctx;         /* context handle */
-};
-
  /* on-the-wire gss verifier: */
  struct rpc_gss_wire_verf {
          __u32                   gv_flavor;
  /* on-the-wire gss verifier: */
  struct rpc_gss_wire_verf {
          __u32                   gv_flavor;
diff --git a/lustre/sec/gss/sec_gss.c b/lustre/sec/gss/sec_gss.c

index c6f7eb7..13293db 100644 (file)
--- a/lustre/sec/gss/sec_gss.c
+++ b/lustre/sec/gss/sec_gss.c
@@ -92,6 +92,7 @@ struct rpc_clnt;
  
  static int secinit_compose_request(struct obd_import *imp,
                                     char *buf, int bufsize,
  
  static int secinit_compose_request(struct obd_import *imp,
                                     char *buf, int bufsize,
+                                   int lustre_srv,
                                     uid_t uid, gid_t gid,
                                     long token_size,
                                     char __user *token)
                                     uid_t uid, gid_t gid,
                                     long token_size,
                                     char __user *token)
@@ -115,7 +116,7 @@ static int secinit_compose_request(struct obd_import *imp,
          hdr->flavor  = cpu_to_le32(PTLRPC_SEC_GSS);
          hdr->sectype = cpu_to_le32(PTLRPC_SEC_TYPE_NONE);
          hdr->msg_len = cpu_to_le32(lmsg_size);
          hdr->flavor  = cpu_to_le32(PTLRPC_SEC_GSS);
          hdr->sectype = cpu_to_le32(PTLRPC_SEC_TYPE_NONE);
          hdr->msg_len = cpu_to_le32(lmsg_size);
-        hdr->sec_len = cpu_to_le32(7 * 4 + token_size);
+        hdr->sec_len = cpu_to_le32(8 * 4 + token_size);
  
          /* lustre message & secdesc */
          lmsg = buf_to_lustre_msg(buf);
  
          /* lustre message & secdesc */
          lmsg = buf_to_lustre_msg(buf);
@@ -142,6 +143,9 @@ static int secinit_compose_request(struct obd_import *imp,
          *p++ = cpu_to_le32(PTLRPC_GSS_SVC_NONE);        /* service */
          *p++ = cpu_to_le32(0);                          /* context handle */
  
          *p++ = cpu_to_le32(PTLRPC_GSS_SVC_NONE);        /* service */
          *p++ = cpu_to_le32(0);                          /* context handle */
  
+        /* plus lustre svc type */
+        *p++ = cpu_to_le32(lustre_srv);
+
          /* now the token part */
          *p++ = cpu_to_le32((__u32) token_size);
          LASSERT(((char *)p - buf) + token_size <= bufsize);
          /* now the token part */
          *p++ = cpu_to_le32((__u32) token_size);
          LASSERT(((char *)p - buf) + token_size <= bufsize);
@@ -245,6 +249,7 @@ static int secinit_parse_reply(char *repbuf, int replen,
  struct lgssd_ioctl_param {
          int             version;        /* in   */
          char           *uuid;           /* in   */
  struct lgssd_ioctl_param {
          int             version;        /* in   */
          char           *uuid;           /* in   */
+        int             lustre_svc;     /* in   */
          uid_t           uid;            /* in   */
          gid_t           gid;            /* in   */
          long            send_token_size;/* in   */
          uid_t           uid;            /* in   */
          gid_t           gid;            /* in   */
          long            send_token_size;/* in   */
@@ -269,11 +274,14 @@ static int gss_send_secinit_rpc(__user char *buffer, unsigned long count)
          int                       rc, reqlen, replen;
  
          if (count != sizeof(param)) {
          int                       rc, reqlen, replen;
  
          if (count != sizeof(param)) {
-                CERROR("partial write\n");
+                CERROR("ioctl size %lu, expect %d, please check lgssd version\n",
+                        count, sizeof(param));
                  RETURN(-EINVAL);
          }
                  RETURN(-EINVAL);
          }
-        if (copy_from_user(&param, buffer, sizeof(param)))
+        if (copy_from_user(&param, buffer, sizeof(param))) {
+                CERROR("failed copy data from lgssd\n");
                  RETURN(-EFAULT);
                  RETURN(-EFAULT);
+        }
  
          if (param.version != GSSD_INTERFACE_VERSION) {
                  CERROR("gssd interface version %d (expect %d)\n",
  
          if (param.version != GSSD_INTERFACE_VERSION) {
                  CERROR("gssd interface version %d (expect %d)\n",
@@ -293,11 +301,6 @@ static int gss_send_secinit_rpc(__user char *buffer, unsigned long count)
                  CERROR("no such obd %s\n", obdname);
                  RETURN(-EINVAL);
          }
                  CERROR("no such obd %s\n", obdname);
                  RETURN(-EINVAL);
          }
-        if (strcmp(obd->obd_type->typ_name, "mdc") &&
-            strcmp(obd->obd_type->typ_name, "osc")) {
-                CERROR("%s not a mdc/osc device\n", obdname);
-                RETURN(-EINVAL);
-        }
  
          imp = class_import_get(obd->u.cli.cl_import);
  
  
          imp = class_import_get(obd->u.cli.cl_import);
  
@@ -312,6 +315,7 @@ static int gss_send_secinit_rpc(__user char *buffer, unsigned long count)
  
          /* get token */
          reqlen = secinit_compose_request(imp, reqbuf, reqbuf_size,
  
          /* get token */
          reqlen = secinit_compose_request(imp, reqbuf, reqbuf_size,
+                                         param.lustre_svc,
                                           param.uid, param.gid,
                                           param.send_token_size,
                                           param.send_token);
                                           param.uid, param.gid,
                                           param.send_token_size,
                                           param.send_token);
@@ -732,9 +736,9 @@ static int gss_cred_refresh(struct ptlrpc_cred *cred)
  
          obdtype = import->imp_obd->obd_type->typ_name;
          if (!strcmp(obdtype, "mdc"))
  
          obdtype = import->imp_obd->obd_type->typ_name;
          if (!strcmp(obdtype, "mdc"))
-                gmd.gum_svc = 0;
+                gmd.gum_svc = LUSTRE_GSS_SVC_MDS;
          else if (!strcmp(obdtype, "osc"))
          else if (!strcmp(obdtype, "osc"))
-                gmd.gum_svc = 1;
+                gmd.gum_svc = LUSTRE_GSS_SVC_OSS;
          else {
                  CERROR("gss on %s?\n", obdtype);
                  RETURN(-EINVAL);
          else {
                  CERROR("gss on %s?\n", obdtype);
                  RETURN(-EINVAL);
diff --git a/lustre/sec/gss/svcsec_gss.c b/lustre/sec/gss/svcsec_gss.c

index 120348b..05f2122 100644 (file)
--- a/lustre/sec/gss/svcsec_gss.c
+++ b/lustre/sec/gss/svcsec_gss.c
@@ -105,10 +105,11 @@ static inline unsigned long hash_mem(char *buf, int length, int bits)
  
  struct rsi {
          struct cache_head       h;
  
  struct rsi {
          struct cache_head       h;
+        __u32                   lustre_svc;
          __u32                   naltype;
          __u32                   netid;
          __u64                   nid;
          __u32                   naltype;
          __u32                   netid;
          __u64                   nid;
-        rawobj_t                in_handle, in_token;
+        rawobj_t                in_handle, in_token, in_srv_type;
          rawobj_t                out_handle, out_token;
          int                     major_status, minor_status;
  };
          rawobj_t                out_handle, out_token;
          int                     major_status, minor_status;
  };
@@ -153,11 +154,13 @@ static void rsi_request(struct cache_detail *cd,
  {
          struct rsi *rsii = container_of(h, struct rsi, h);
  
  {
          struct rsi *rsii = container_of(h, struct rsi, h);
  
-        qword_addhex(bpp, blen, (char *)&rsii->naltype, sizeof(rsii->naltype));
-        qword_addhex(bpp, blen, (char *)&rsii->netid, sizeof(rsii->netid));
-        qword_addhex(bpp, blen, (char *)&rsii->nid, sizeof(rsii->nid));
-        qword_addhex(bpp, blen, (char *)rsii->in_handle.data, rsii->in_handle.len);
-        qword_addhex(bpp, blen, (char *)rsii->in_token.data, rsii->in_token.len);
+        qword_addhex(bpp, blen, (char *) &rsii->lustre_svc,
+                     sizeof(rsii->lustre_svc));
+        qword_addhex(bpp, blen, (char *) &rsii->naltype, sizeof(rsii->naltype));
+        qword_addhex(bpp, blen, (char *) &rsii->netid, sizeof(rsii->netid));
+        qword_addhex(bpp, blen, (char *) &rsii->nid, sizeof(rsii->nid));
+        qword_addhex(bpp, blen, rsii->in_handle.data, rsii->in_handle.len);
+        qword_addhex(bpp, blen, rsii->in_token.data, rsii->in_token.len);
          (*bpp)[-1] = '\n';
  }
  
          (*bpp)[-1] = '\n';
  }
  
@@ -644,17 +647,6 @@ gss_svc_searchbyctx(rawobj_t *handle)
          return found;
  }
  
          return found;
  }
  
-struct gss_svc_data {
-        /* decoded gss client cred: */
-        struct rpc_gss_wire_cred        clcred;
-        /* internal used status */
-        unsigned int                    is_init:1,
-                                        is_init_continue:1,
-                                        is_err_notify:1,
-                                        is_fini:1;
-        int                             reserve_len;
-};
-
  /* FIXME
   * again hacking: only try to give the svcgssd a chance to handle
   * upcalls.
  /* FIXME
   * again hacking: only try to give the svcgssd a chance to handle
   * upcalls.
@@ -923,10 +915,21 @@ gss_svcsec_handle_init(struct ptlrpc_request *req,
          }
          cache_init(&rsikey->h);
  
          }
          cache_init(&rsikey->h);
  
+        /* obtain lustre svc type */
+        if (seclen < 4) {
+                CERROR("sec size %d too small\n", seclen);
+                GOTO(out_rsikey, rc = SVC_DROP);
+        }
+        rsikey->lustre_svc = le32_to_cpu(*secdata++);
+        seclen -= 4;
+
+        /* duplicate context handle. currently always 0 */
          if (rawobj_dup(&rsikey->in_handle, &gc->gc_ctx)) {
                  CERROR("fail to dup context handle\n");
                  GOTO(out_rsikey, rc = SVC_DROP);
          }
          if (rawobj_dup(&rsikey->in_handle, &gc->gc_ctx)) {
                  CERROR("fail to dup context handle\n");
                  GOTO(out_rsikey, rc = SVC_DROP);
          }
+
+        /* extract token */
          *res = PTLRPCS_BADVERF;
          if (rawobj_extract(&tmpobj, &secdata, &seclen)) {
                  CERROR("can't extract token\n");
          *res = PTLRPCS_BADVERF;
          if (rawobj_extract(&tmpobj, &secdata, &seclen)) {
                  CERROR("can't extract token\n");
@@ -1176,7 +1179,7 @@ gss_svcsec_accept(struct ptlrpc_request *req, enum ptlrpcs_error *res)
          struct gss_svc_data *svcdata;
          struct rpc_gss_wire_cred *gc;
          struct ptlrpcs_wire_hdr *sec_hdr;
          struct gss_svc_data *svcdata;
          struct rpc_gss_wire_cred *gc;
          struct ptlrpcs_wire_hdr *sec_hdr;
-        __u32 seclen, *secdata, version, subflavor;
+        __u32 seclen, *secdata, version;
          int rc;
          ENTRY;
  
          int rc;
          ENTRY;
  
@@ -1215,14 +1218,15 @@ gss_svcsec_accept(struct ptlrpc_request *req, enum ptlrpcs_error *res)
          /* Now secdata/seclen is what we want to parse
           */
          version = le32_to_cpu(*secdata++);      /* version */
          /* Now secdata/seclen is what we want to parse
           */
          version = le32_to_cpu(*secdata++);      /* version */
-        subflavor = le32_to_cpu(*secdata++);    /* subflavor */
+        svcdata->subflavor = le32_to_cpu(*secdata++);    /* subflavor */
          gc->gc_proc = le32_to_cpu(*secdata++);  /* proc */
          gc->gc_seq = le32_to_cpu(*secdata++);   /* seq */
          gc->gc_svc = le32_to_cpu(*secdata++);   /* service */
          seclen -= 5 * 4;
  
          CDEBUG(D_SEC, "wire gss_hdr: %u/%u/%u/%u/%u\n",
          gc->gc_proc = le32_to_cpu(*secdata++);  /* proc */
          gc->gc_seq = le32_to_cpu(*secdata++);   /* seq */
          gc->gc_svc = le32_to_cpu(*secdata++);   /* service */
          seclen -= 5 * 4;
  
          CDEBUG(D_SEC, "wire gss_hdr: %u/%u/%u/%u/%u\n",
-               version, subflavor, gc->gc_proc, gc->gc_seq, gc->gc_svc);
+               version, svcdata->subflavor, gc->gc_proc,
+               gc->gc_seq, gc->gc_svc);
  
          if (version != PTLRPC_SEC_GSS_VERSION) {
                  CERROR("gss version mismatch: %d - %d\n",
  
          if (version != PTLRPC_SEC_GSS_VERSION) {
                  CERROR("gss version mismatch: %d - %d\n",
diff --git a/lustre/tests/llmount.sh b/lustre/tests/llmount.sh

index 253932f..750c94c 100755 (executable)
--- a/lustre/tests/llmount.sh
+++ b/lustre/tests/llmount.sh
@@ -34,10 +34,10 @@ fi
  [ "$NODE" ] && node_opt="--node $NODE"
  [ "$DEBUG" ] && debug_opt="--ptldebug=$DEBUG"
  
  [ "$NODE" ] && node_opt="--node $NODE"
  [ "$DEBUG" ] && debug_opt="--ptldebug=$DEBUG"
  
-${LCONF} $NOMOD --sec $SECURITY $portals_opt $lustre_opt $node_opt \
+${LCONF} $NOMOD --mds_sec $SECURITY $portals_opt $lustre_opt $node_opt \
           ${REFORMAT:---reformat} $@ $conf_opt  || exit 5
  
  if [ "$MOUNT2" ]; then
           ${REFORMAT:---reformat} $@ $conf_opt  || exit 5
  
  if [ "$MOUNT2" ]; then
-       $LLMOUNT -v -o sec=$SECURITY `hostname`:/mds1/client $MOUNT2 || exit 6
+       $LLMOUNT -v -o mds_sec=$SECURITY `hostname`:/mds1/client $MOUNT2 || exit 6
  fi
  
  fi
  
diff --git a/lustre/tests/llrmount.sh b/lustre/tests/llrmount.sh

index 0cc2853..a9de5e4 100755 (executable)
--- a/lustre/tests/llrmount.sh
+++ b/lustre/tests/llrmount.sh
@@ -35,10 +35,10 @@ fi
  
  [ "$NODE" ] && node_opt="--node $NODE"
  
  
  [ "$NODE" ] && node_opt="--node $NODE"
  
-${LCONF} $NOMOD --sec $SECURITY $portals_opt $lustre_opt $node_opt \
+${LCONF} $NOMOD --mds_sec $SECURITY $portals_opt $lustre_opt $node_opt \
           $@ $conf_opt  || exit 5
  
  if [ "$MOUNT2" ]; then
           $@ $conf_opt  || exit 5
  
  if [ "$MOUNT2" ]; then
-       $LLMOUNT -v -o sec=$SECURITY `hostname`:/mds1/client $MOUNT2 || exit 6
+       $LLMOUNT -v -o mds_sec=$SECURITY `hostname`:/mds1/client $MOUNT2 || exit 6
  fi
  
  fi
  
diff --git a/lustre/tests/test-framework.sh b/lustre/tests/test-framework.sh

index c5612e9..82222ae 100644 (file)
--- a/lustre/tests/test-framework.sh
+++ b/lustre/tests/test-framework.sh
@@ -78,7 +78,7 @@ start() {
      active=`facet_active $facet`
      do_facet $facet $LCONF --select ${facet}_svc=${active}_facet \
          --node ${active}_facet  --ptldebug $PTLDEBUG --subsystem $SUBSYSTEM \
      active=`facet_active $facet`
      do_facet $facet $LCONF --select ${facet}_svc=${active}_facet \
          --node ${active}_facet  --ptldebug $PTLDEBUG --subsystem $SUBSYSTEM \
-        --sec $SECURITY $@ $XMLCONFIG
+        --mds_sec $SECURITY $@ $XMLCONFIG
  }
  
  stop() {
  }
  
  stop() {
@@ -97,13 +97,13 @@ zconf_mount() {
      do_node $client mkdir $mnt 2> /dev/null || :
  
      if [ -x /sbin/mount.lustre ] ; then
      do_node $client mkdir $mnt 2> /dev/null || :
  
      if [ -x /sbin/mount.lustre ] ; then
-       do_node $client mount -t lustre -o sec=$SECURITY,nettype=$NETTYPE \
+       do_node $client mount -t lustre -o mds_sec=$SECURITY,nettype=$NETTYPE \
                  `facet_active_host mds1`:/mds1_svc/client_facet $mnt || return 2
      else
         # this is so cheating
         do_node $client $LCONF --nosetup --node client_facet $XMLCONFIG  > /dev/null || return 2
         do_node $client $LLMOUNT `facet_active_host mds1`:/mds1_svc/client_facet $mnt \
                  `facet_active_host mds1`:/mds1_svc/client_facet $mnt || return 2
      else
         # this is so cheating
         do_node $client $LCONF --nosetup --node client_facet $XMLCONFIG  > /dev/null || return 2
         do_node $client $LLMOUNT `facet_active_host mds1`:/mds1_svc/client_facet $mnt \
-               -o sec=$SECURITY,nettype=$NETTYPE|| return 4
+               -o mds_sec=$SECURITY,nettype=$NETTYPE|| return 4
      fi
  
      [ -d /r ] && $LCTL modules > /r/tmp/ogdb-`hostname`
      fi
  
      [ -d /r ] && $LCTL modules > /r/tmp/ogdb-`hostname`
diff --git a/lustre/utils/lconf b/lustre/utils/lconf

index 12a766a..705fecb 100755 (executable)
--- a/lustre/utils/lconf
+++ b/lustre/utils/lconf
@@ -628,7 +628,8 @@ class LCTLInterface:
  
      # create a new device with lctl
      def newdev(self, type, name, uuid, setup = ""):
  
      # create a new device with lctl
      def newdev(self, type, name, uuid, setup = ""):
-        self.attach(type, name, uuid);
+        if type != 'mds':
+            self.attach(type, name, uuid);
          try:
              self.setup(name, setup)
          except CommandError, e:
          try:
              self.setup(name, setup)
          except CommandError, e:
@@ -1739,6 +1740,20 @@ class CONFDEV(Module):
          self.client_uuids = self.target.get_refs('client')
          self.obdtype = self.db.get_val('obdtype', '')
         
          self.client_uuids = self.target.get_refs('client')
          self.obdtype = self.db.get_val('obdtype', '')
         
+        self.mds_sec = self.db.get_val('mds_sec', '')
+        self.oss_sec = self.db.get_val('oss_sec', '')
+        self.deny_sec = self.db.get_val('deny_sec', '')
+
+        if config.mds_mds_sec:
+            self.mds_sec = config.mds_mds_sec
+        if config.mds_oss_sec:
+            self.oss_sec = config.mds_oss_sec
+        if config.mds_deny_sec:
+            if self.deny_sec:
+                self.deny_sec = "%s,%s" %(self.deny_sec, config.mds_deny_sec)
+            else:
+                self.deny_sec = config.mds_deny_sec
+
          if self.obdtype == None:
              self.obdtype = 'dumb'
         
          if self.obdtype == None:
              self.obdtype = 'dumb'
         
@@ -1916,10 +1931,18 @@ class CONFDEV(Module):
             config.record = 1
              lctl.clear_log(self.name, self.target.getName() + '-conf')
              lctl.record(self.name, self.target.getName() + '-conf')
             config.record = 1
              lctl.clear_log(self.name, self.target.getName() + '-conf')
              lctl.record(self.name, self.target.getName() + '-conf')
+            lctl.attach("mds", self.conf_name, self.conf_uuid)
+            if self.mds_sec:
+                lctl.set_security(self.conf_name, "mds_sec", self.mds_sec)
+            if self.oss_sec:
+                lctl.set_security(self.conf_name, "oss_sec", self.oss_sec)
+            if self.deny_sec:
+                for flavor in string.split(self.deny_sec, ','):
+                    lctl.set_security(self.conf_name, "deny_sec", flavor)
              lctl.newdev("mds", self.conf_name, self.conf_uuid,
                          setup ="%s %s %s %s %s %s" %(self.realdev, self.fstype,
              lctl.newdev("mds", self.conf_name, self.conf_uuid,
                          setup ="%s %s %s %s %s %s" %(self.realdev, self.fstype,
-                                                    self.conf_name, self.mountfsoptions,
-                                                    master_name, self.obdtype))
+                                                    self.conf_name, self.mountfsoptions,
+                                                    master_name, self.obdtype))
              lctl.end_record()
              config.record = 0
  
              lctl.end_record()
              config.record = 0
  
@@ -2122,13 +2145,6 @@ class MDSDEV(Module):
         if self.master != None:
               self.master.prepare()
  
         if self.master != None:
               self.master.prepare()
  
-        lctl.attach("mds", self.name, self.uuid)
-        if config.mds_mds_sec:
-           lctl.set_security(self.name, "mds_mds_sec", config.mds_mds_sec)
-        if config.mds_ost_sec:
-            lctl.set_security(self.name, "mds_ost_sec", config.mds_ost_sec)
-        lctl.detach(self.name)
-
         if not config.record:
              self.confobd.start()
         
         if not config.record:
              self.confobd.start()
         
@@ -2223,6 +2239,14 @@ class OSD(Module):
          else:
              self.failover_ost = 'n'
  
          else:
              self.failover_ost = 'n'
  
+        self.deny_sec = self.db.get_val('deny_sec', '')
+
+        if config.ost_deny_sec:
+            if self.deny_sec:
+                self.deny_sec = "%s,%s" %(self.deny_sec, config.ost_deny_sec)
+            else:
+                self.deny_sec = config.ost_deny_sec
+
          active_uuid = get_active_target(ost)
          if not active_uuid:
              panic("No target device found:", target_uuid)
          active_uuid = get_active_target(ost)
          if not active_uuid:
              panic("No target device found:", target_uuid)
@@ -2237,7 +2261,7 @@ class OSD(Module):
          self.uuid = target_uuid
          self.confobd = CONFDEV(self.db, self.name, 
                                target_uuid, self.uuid)
          self.uuid = target_uuid
          self.confobd = CONFDEV(self.db, self.name, 
                                target_uuid, self.uuid)
-    
+
      def add_module(self, manager):
          if not self.active:
             return
      def add_module(self, manager):
          if not self.active:
             return
@@ -2274,6 +2298,7 @@ class OSD(Module):
              return
  
          run_acceptors()
              return
  
          run_acceptors()
+
          if self.osdtype == 'obdecho':
              self.info(self.osdtype)
              lctl.newdev("obdecho", self.name, self.uuid)
          if self.osdtype == 'obdecho':
              self.info(self.osdtype)
              lctl.newdev("obdecho", self.name, self.uuid)
@@ -2286,6 +2311,10 @@ class OSD(Module):
             if not config.record:
                 self.confobd.start()        
  
             if not config.record:
                 self.confobd.start()        
  
+        if self.deny_sec:
+            for flavor in string.split(self.deny_sec, ','):
+                lctl.set_security(self.name, "deny_sec", flavor)
+
      def write_conf(self):
          if is_prepared(self.name):
              return
      def write_conf(self):
          if is_prepared(self.name):
              return
@@ -2764,6 +2793,13 @@ class Mountpoint(Module):
          self.obd_uuid = fs.get_first_ref('obd')
          client_uuid = generate_client_uuid(self.name)
  
          self.obd_uuid = fs.get_first_ref('obd')
          client_uuid = generate_client_uuid(self.name)
  
+        self.oss_sec = self.db.get_val('oss_sec','null')
+        self.mds_sec = self.db.get_val('mds_sec','null')
+        if config.mds_sec:
+            self.mds_sec = config.mds_sec
+        if config.oss_sec:
+            self.oss_sec = config.oss_sec
+
          ost = self.db.lookup(self.obd_uuid)
          if not ost:
              panic("no ost: ", self.obd_uuid)
          ost = self.db.lookup(self.obd_uuid)
          if not ost:
              panic("no ost: ", self.obd_uuid)
@@ -2801,11 +2837,9 @@ class Mountpoint(Module):
              # so replace it with Lustre async
              self.clientoptions = string.replace(self.clientoptions, "async", "lasync")
  
              # so replace it with Lustre async
              self.clientoptions = string.replace(self.clientoptions, "async", "lasync")
  
-        if not config.sec:
-            config.sec = "null"
-        cmd = "mount -t lustre_lite -o osc=%s,mdc=%s,sec=%s%s %s %s" % \
-              (self.vosc.get_name(), self.vmdc.get_name(), config.sec, 
-              self.clientoptions, config.config, self.path)
+        cmd = "mount -t lustre_lite -o osc=%s,mdc=%s,mds_sec=%s,oss_sec=%s%s %s %s" % \
+              (self.vosc.get_name(), self.vmdc.get_name(), self.mds_sec,
+              self.oss_sec, self.clientoptions, config.config, self.path)
          run("mkdir", self.path)
          ret, val = run(cmd)
          if ret:
          run("mkdir", self.path)
          ret, val = run(cmd)
          if ret:
@@ -3588,10 +3622,13 @@ lconf_options = [
      ('config', "Cluster config name used for LDAP query", PARAM),
      ('select', "service=nodeA,service2=nodeB ", PARAMLIST),
      ('node',   "Load config for <nodename>", PARAM),
      ('config', "Cluster config name used for LDAP query", PARAM),
      ('select', "service=nodeA,service2=nodeB ", PARAMLIST),
      ('node',   "Load config for <nodename>", PARAM),
-    ('sec',    "security flavor <null|krb5i|krb5p> of client", PARAM),
-    ('mds_sec',    "security flavor <null|krb5i|krb5p> of client", PARAM),
-    ('mds_mds_sec', "security flavor <null|krb5i|krb5p> of inter mds's", PARAM),
-    ('mds_ost_sec', "security flavor <null|krb5i|krb5p> of mds's-ost's", PARAM),
+    ('sec',"security flavor <null|krb5i|krb5p> between this client with mds", PARAM),
+    ('mds_sec',"security flavor <null|krb5i|krb5p> between this client with mds", PARAM),
+    ('oss_sec',"security flavor <null|krb5i|krb5p> between this client with ost", PARAM),
+    ('mds_mds_sec',"security flavor <null|krb5i|krb5p> between this mds with other mds", PARAM),
+    ('mds_oss_sec',"security flavor <null|krb5i|krb5p> between this mds with ost", PARAM),
+    ('mds_deny_sec', "security flavor <null|krb5i|krb5p> denied by this mds", PARAM),
+    ('ost_deny_sec', "security flavor <null|krb5i|krb5p> denied by this ost", PARAM),
      ('cleanup,d', "Cleans up config. (Shutdown)"),
      ('force,f', "Forced unmounting and/or obd detach during cleanup",
                 FLAG, 0),
      ('cleanup,d', "Cleans up config. (Shutdown)"),
      ('force,f', "Forced unmounting and/or obd detach during cleanup",
                 FLAG, 0),
diff --git a/lustre/utils/llmount.c b/lustre/utils/llmount.c

index e50df3a..b9e7a8f 100644 (file)
--- a/lustre/utils/llmount.c
+++ b/lustre/utils/llmount.c
@@ -124,7 +124,8 @@ init_options(struct lustre_mount_data *lmd)
          lmd->lmd_remote_flag = 0;
          lmd->lmd_nllu = NOBODY_UID;
          lmd->lmd_nllg = NOBODY_GID;
          lmd->lmd_remote_flag = 0;
          lmd->lmd_nllu = NOBODY_UID;
          lmd->lmd_nllg = NOBODY_GID;
-        strncpy(lmd->lmd_security, "null", sizeof(lmd->lmd_security));
+        strncpy(lmd->lmd_mds_security, "null", sizeof(lmd->lmd_mds_security));
+        strncpy(lmd->lmd_oss_security, "null", sizeof(lmd->lmd_oss_security));
          return 0;
  }
  
          return 0;
  }
  
@@ -135,7 +136,8 @@ print_options(struct lustre_mount_data *lmd)
  
          printf("mds:             %s\n", lmd->lmd_mds);
          printf("profile:         %s\n", lmd->lmd_profile);
  
          printf("mds:             %s\n", lmd->lmd_mds);
          printf("profile:         %s\n", lmd->lmd_profile);
-        printf("sec_flavor:      %s\n", lmd->lmd_security);
+        printf("mds_sec_flavor:      %s\n", lmd->lmd_mds_security);
+        printf("oss_sec_flavor:      %s\n", lmd->lmd_oss_security);
          printf("server_nid:      "LPX64"\n", lmd->lmd_server_nid);
  #ifdef CRAY_PORTALS
          if (lmd->lmd_nal != CRAY_KB_SSNAL) {
          printf("server_nid:      "LPX64"\n", lmd->lmd_server_nid);
  #ifdef CRAY_PORTALS
          if (lmd->lmd_nal != CRAY_KB_SSNAL) {
@@ -327,9 +329,12 @@ int parse_options(char * options, struct lustre_mount_data *lmd)
                                  lmd->lmd_server_nid = nid;
                          } else if (!strcmp(opt, "port")) {
                                  lmd->lmd_port = val;
                                  lmd->lmd_server_nid = nid;
                          } else if (!strcmp(opt, "port")) {
                                  lmd->lmd_port = val;
-                        } else if (!strcmp(opt, "sec")) {
-                                strncpy(lmd->lmd_security, opteq + 1,
-                                        sizeof(lmd->lmd_security));
+                        } else if (!strcmp(opt, "mds_sec")) {
+                                strncpy(lmd->lmd_mds_security, opteq + 1,
+                                        sizeof(lmd->lmd_mds_security));
+                        } else if (!strcmp(opt, "oss_sec")) {
+                                strncpy(lmd->lmd_oss_security, opteq + 1,
+                                        sizeof(lmd->lmd_oss_security));
                          } else if (!strcmp(opt, "nllu")) {
                                  if (parse_nllu(lmd, opteq + 1)) {
                                          fprintf(stderr, "%s: "
                          } else if (!strcmp(opt, "nllu")) {
                                  if (parse_nllu(lmd, opteq + 1)) {
                                          fprintf(stderr, "%s: "
diff --git a/lustre/utils/lmc b/lustre/utils/lmc

index 31f9210..93c13b9 100755 (executable)
--- a/lustre/utils/lmc
+++ b/lustre/utils/lmc
@@ -99,6 +99,9 @@ Object creation command summary:
    --mountfsoptions options
    --root_squash uid:gid
    --no_root_squash ptl_nid 
    --mountfsoptions options
    --root_squash uid:gid
    --no_root_squash ptl_nid 
+  --mds_mds_sec flavor
+  --mds_oss_sec flavor
+  --mds_deny_sec flavor[,flavor[...]]
  
  --add lov
    --lov lov_name
  
  --add lov
    --lov lov_name
@@ -126,6 +129,7 @@ Object creation command summary:
    --mkfsoptions options
    --mountfsoptions options
    --nspath
    --mkfsoptions options
    --mountfsoptions options
    --nspath
+  --ost_deny_sec flavor[,flavor[...]]
   
  --delete ost
    --node node_name
   
  --delete ost
    --node node_name
@@ -142,6 +146,8 @@ Object creation command summary:
    --lmv lmv_name
    --ost ost_name OR --lov lov_name
    --clientoptions options
    --lmv lmv_name
    --ost ost_name OR --lov lov_name
    --clientoptions options
+  --mds_sec flavor
+  --oss_sec flavor
  
  --add route
    --node nodename
  
  --add route
    --node nodename
@@ -237,6 +243,10 @@ lmc_options = [
      ('root_squash', "MDS squash root to appointed uid.", PARAM, ""),
      ('no_root_squash', "Don't squash root for appointed nid.", PARAM, ""),
      ('nspath', "Local mount point of server namespace.", PARAM,""),
      ('root_squash', "MDS squash root to appointed uid.", PARAM, ""),
      ('no_root_squash', "Don't squash root for appointed nid.", PARAM, ""),
      ('nspath', "Local mount point of server namespace.", PARAM,""),
+    ('mds_mds_sec', "Specify the secure flavor for connection from this mds to other mds.", PARAM, ""),
+    ('mds_oss_sec', "Specify the secure flavor for connection from this mds to ost.", PARAM, ""),
+    ('mds_deny_sec', "Specify the secure flavor which is denied from remote to this mds.", PARAM, ""),
+    ('ost_deny_sec', "Specify the secure flavor which is denied from remote to this ost.", PARAM, ""),
      ('format', ""),
      ('migrate', "used for offline migrate of an ost in conjunctio with add/delete"),
  
      ('format', ""),
      ('migrate', "used for offline migrate of an ost in conjunctio with add/delete"),
  
@@ -245,6 +255,8 @@ lmc_options = [
      ('path', "Specify the mountpoint for Lustre.", PARAM),
      ('filesystem', "Lustre filesystem name", PARAM,""),
      ('clientoptions', "Specify the options for Lustre, such as async.", PARAM, ""),
      ('path', "Specify the mountpoint for Lustre.", PARAM),
      ('filesystem', "Lustre filesystem name", PARAM,""),
      ('clientoptions', "Specify the options for Lustre, such as async.", PARAM, ""),
+    ('mds_sec', "Specify the secure flavor for connection from this client to mds.", PARAM, ""),
+    ('oss_sec', "Specify the secure flavor for connection from this client to ost.", PARAM, ""),
  
      # lov
      ('lov', "Specify LOV name.", PARAM,""),
  
      # lov
      ('lov', "Specify LOV name.", PARAM,""),
@@ -437,7 +449,8 @@ class GenConfig:
  
      def osd(self, name, uuid, fstype, osdtype, devname, format, ost_uuid,
              node_uuid, dev_size=0, journal_size=0, inode_size=0, nspath="", 
  
      def osd(self, name, uuid, fstype, osdtype, devname, format, ost_uuid,
              node_uuid, dev_size=0, journal_size=0, inode_size=0, nspath="", 
-            mkfsoptions="", mountfsoptions="", backfstype="", backdevname=""):
+            mkfsoptions="", mountfsoptions="", backfstype="", backdevname="",
+            deny_sec=""):
          osd = self.newService("osd", name, uuid)
          osd.setAttribute('osdtype', osdtype)
          osd.appendChild(self.ref("target", ost_uuid))
          osd = self.newService("osd", name, uuid)
          osd.setAttribute('osdtype', osdtype)
          osd.appendChild(self.ref("target", ost_uuid))
@@ -463,6 +476,8 @@ class GenConfig:
                  self.addElement(osd, "mkfsoptions", mkfsoptions)
              if mountfsoptions:
                  self.addElement(osd, "mountfsoptions", mountfsoptions)
                  self.addElement(osd, "mkfsoptions", mkfsoptions)
              if mountfsoptions:
                  self.addElement(osd, "mountfsoptions", mountfsoptions)
+            if deny_sec:
+                self.addElement(osd, "deny_sec", deny_sec)
          if nspath:
              self.addElement(osd, "nspath", nspath)
          return osd
          if nspath:
              self.addElement(osd, "nspath", nspath)
          return osd
@@ -531,7 +546,8 @@ class GenConfig:
      def mdsdev(self, name, uuid, fstype, devname, format, node_uuid,
                 mds_uuid, dev_size=0, journal_size=0, inode_size=256,
                 nspath="", mkfsoptions="", mountfsoptions="", backfstype="", 
      def mdsdev(self, name, uuid, fstype, devname, format, node_uuid,
                 mds_uuid, dev_size=0, journal_size=0, inode_size=256,
                 nspath="", mkfsoptions="", mountfsoptions="", backfstype="", 
-               backdevname="",lmv_uuid="", root_squash="", no_root_squash=""):
+               backdevname="",lmv_uuid="", root_squash="", no_root_squash="",
+               mds_sec="", oss_sec="", deny_sec=""):
          mdd = self.newService("mdsdev", name, uuid)
          self.addElement(mdd, "fstype", fstype)
          if backfstype:
          mdd = self.newService("mdsdev", name, uuid)
          self.addElement(mdd, "fstype", fstype)
          if backfstype:
@@ -556,6 +572,12 @@ class GenConfig:
              self.addElement(mdd, "root_squash", root_squash)
          if no_root_squash:
              self.addElement(mdd, "no_root_squash", no_root_squash)
              self.addElement(mdd, "root_squash", root_squash)
          if no_root_squash:
              self.addElement(mdd, "no_root_squash", no_root_squash)
+        if mds_sec:
+            self.addElement(mdd, "mds_sec", mds_sec)
+        if oss_sec:
+            self.addElement(mdd, "oss_sec", oss_sec)
+        if deny_sec:
+            self.addElement(mdd, "deny_sec", deny_sec)
          mdd.appendChild(self.ref("node", node_uuid))
          mdd.appendChild(self.ref("target", mds_uuid))
         
          mdd.appendChild(self.ref("node", node_uuid))
          mdd.appendChild(self.ref("target", mds_uuid))
         
@@ -576,12 +598,17 @@ class GenConfig:
          mgmt.appendChild(self.ref("active", mgmt_uuid))
          return mgmt
  
          mgmt.appendChild(self.ref("active", mgmt_uuid))
          return mgmt
  
-    def mountpoint(self, name, uuid, fs_uuid, path, clientoptions):
+    def mountpoint(self, name, uuid, fs_uuid, path, clientoptions,
+                   mds_sec, oss_sec):
          mtpt = self.newService("mountpoint", name, uuid)
          mtpt.appendChild(self.ref("filesystem", fs_uuid))
          self.addElement(mtpt, "path", path)
          if clientoptions:
              self.addElement(mtpt, "clientoptions", clientoptions)
          mtpt = self.newService("mountpoint", name, uuid)
          mtpt.appendChild(self.ref("filesystem", fs_uuid))
          self.addElement(mtpt, "path", path)
          if clientoptions:
              self.addElement(mtpt, "clientoptions", clientoptions)
+        if mds_sec:
+            self.addElement(mtpt, "mds_sec", mds_sec)
+        if oss_sec:
+            self.addElement(mtpt, "oss_sec", oss_sec)
          return mtpt
  
      def filesystem(self, name, uuid, mds_uuid, obd_uuid, mgmt_uuid):
          return mtpt
  
      def filesystem(self, name, uuid, mds_uuid, obd_uuid, mgmt_uuid):
@@ -998,6 +1025,9 @@ def add_mds(gen, lustre, options):
      mountfsoptions = get_option(options, 'mountfsoptions')
      root_squash = get_option(options, 'root_squash')
      no_root_squash = get_option(options, 'no_root_squash')
      mountfsoptions = get_option(options, 'mountfsoptions')
      root_squash = get_option(options, 'root_squash')
      no_root_squash = get_option(options, 'no_root_squash')
+    mds_sec = get_option(options, 'mds_mds_sec')
+    oss_sec = get_option(options, 'mds_oss_sec')
+    deny_sec = get_option(options, 'mds_deny_sec')
  
      node_uuid = name2uuid(lustre, node_name, 'node')
  
  
      node_uuid = name2uuid(lustre, node_name, 'node')
  
@@ -1014,7 +1044,7 @@ def add_mds(gen, lustre, options):
                       get_format_flag(options), node_uuid, mds_uuid,
                       size, journal_size, inode_size, nspath, mkfsoptions, 
                       mountfsoptions, backfstype, backdevname,lmv_uuid, 
                       get_format_flag(options), node_uuid, mds_uuid,
                       size, journal_size, inode_size, nspath, mkfsoptions, 
                       mountfsoptions, backfstype, backdevname,lmv_uuid, 
-                    root_squash, no_root_squash)
+                    root_squash, no_root_squash, mds_sec, oss_sec, deny_sec)
      lustre.appendChild(mdd)
  
  
      lustre.appendChild(mdd)
  
  
@@ -1052,6 +1082,7 @@ def add_ost(gen, lustre, options):
          inode_size = ''
          mkfsoptions = ''
          mountfsoptions = ''
          inode_size = ''
          mkfsoptions = ''
          mountfsoptions = ''
+        deny_sec = ''
      else:
          devname = get_option(options, 'dev') # can be unset for bluearcs
          backdevname = get_option(options, 'backdev')
      else:
          devname = get_option(options, 'dev') # can be unset for bluearcs
          backdevname = get_option(options, 'backdev')
@@ -1062,6 +1093,7 @@ def add_ost(gen, lustre, options):
          inode_size = get_option(options, 'inode_size')
          mkfsoptions = get_option(options, 'mkfsoptions')
          mountfsoptions = get_option(options, 'mountfsoptions')
          inode_size = get_option(options, 'inode_size')
          mkfsoptions = get_option(options, 'mkfsoptions')
          mountfsoptions = get_option(options, 'mountfsoptions')
+        deny_sec = get_option(options, 'ost_deny_sec')
  
      nspath = get_option(options, 'nspath')
  
  
      nspath = get_option(options, 'nspath')
  
@@ -1099,7 +1131,7 @@ def add_ost(gen, lustre, options):
      osd = gen.osd(osdname, osd_uuid, fstype, osdtype, devname,
                    get_format_flag(options), ost_uuid, node_uuid, size,
                    journal_size, inode_size, nspath, mkfsoptions, 
      osd = gen.osd(osdname, osd_uuid, fstype, osdtype, devname,
                    get_format_flag(options), ost_uuid, node_uuid, size,
                    journal_size, inode_size, nspath, mkfsoptions, 
-                  mountfsoptions, backfstype, backdevname)
+                  mountfsoptions, backfstype, backdevname, deny_sec)
  
      node = findByName(lustre, node_name, "node")
  
  
      node = findByName(lustre, node_name, "node")
  
@@ -1458,6 +1490,8 @@ def add_mtpt(gen, lustre, options):
  
      path = get_option(options, 'path')
      clientoptions = get_option(options, "clientoptions")
  
      path = get_option(options, 'path')
      clientoptions = get_option(options, "clientoptions")
+    mds_sec = get_option(options, "mds_sec")
+    oss_sec = get_option(options, "oss_sec")
      fs_name = get_option(options, 'filesystem')
  
      lov_name = get_option(options, 'lov')
      fs_name = get_option(options, 'filesystem')
  
      lov_name = get_option(options, 'lov')
@@ -1494,7 +1528,7 @@ def add_mtpt(gen, lustre, options):
          error("MOUNTPOINT: ", name, " already exists.")
  
      uuid = new_uuid(name)
          error("MOUNTPOINT: ", name, " already exists.")
  
      uuid = new_uuid(name)
-    mtpt = gen.mountpoint(name, uuid, fs_uuid, path, clientoptions)
+    mtpt = gen.mountpoint(name, uuid, fs_uuid, path, clientoptions, mds_sec, oss_sec)
      node = findByName(lustre, node_name, "node")
      if not node:
          error('node:',  node_name, "not found.")
      node = findByName(lustre, node_name, "node")
      if not node:
          error('node:',  node_name, "not found.")
diff --git a/lustre/utils/lustre_cfg.c b/lustre/utils/lustre_cfg.c

index 3d90d40..e0bc881 100644 (file)
--- a/lustre/utils/lustre_cfg.c
+++ b/lustre/utils/lustre_cfg.c
@@ -728,12 +728,16 @@ int jt_lcfg_set_security(int argc, char **argv)
          lustre_cfg_bufs_reset(&bufs, lcfg_devname);
  
          /* currently only used to set on mds */
          lustre_cfg_bufs_reset(&bufs, lcfg_devname);
  
          /* currently only used to set on mds */
-        if (strcmp(argv[1], "mds_mds_sec") && strcmp(argv[1], "mds_ost_sec")) {
+        if (strcmp(argv[1], "mds_sec") &&
+            strcmp(argv[1], "oss_sec") &&
+            strcmp(argv[1], "deny_sec")) {
                  fprintf(stderr, "%s: invalid security key %s\n",
                          jt_cmdname(argv[0]), argv[1]);
                  return -EINVAL;
          }
                  fprintf(stderr, "%s: invalid security key %s\n",
                          jt_cmdname(argv[0]), argv[1]);
                  return -EINVAL;
          }
-        if (strcmp(argv[2], "null") && strcmp(argv[2], "krb5")) {
+        if (strcmp(argv[2], "null") &&
+            strcmp(argv[2], "krb5i") &&
+            strcmp(argv[2], "krb5p")) {
                  fprintf(stderr, "%s: invalid security value %s\n",
                          jt_cmdname(argv[0]), argv[2]);
                  return -EINVAL;
                  fprintf(stderr, "%s: invalid security value %s\n",
                          jt_cmdname(argv[0]), argv[2]);
                  return -EINVAL;
author	ericm <ericm>
	Wed, 15 Jun 2005 20:24:42 +0000 (20:24 +0000)
committer	ericm <ericm>
	Wed, 15 Jun 2005 20:24:42 +0000 (20:24 +0000)
lustre/include/linux/lustre_cfg.h		patch \| blob \| history
lustre/include/linux/lustre_sec.h		patch \| blob \| history
lustre/include/linux/obd.h		patch \| blob \| history
lustre/ldlm/ldlm_lib.c		patch \| blob \| history
lustre/llite/llite_internal.h		patch \| blob \| history
lustre/llite/llite_lib.c		patch \| blob \| history
lustre/mdc/mdc_request.c		patch \| blob \| history
lustre/mds/handler.c		patch \| blob \| history
lustre/obdfilter/filter.c		patch \| blob \| history
lustre/osc/osc_request.c		patch \| blob \| history
lustre/ost/ost_handler.c		patch \| blob \| history
lustre/sec/gss/gss_internal.h		patch \| blob \| history
lustre/sec/gss/sec_gss.c		patch \| blob \| history
lustre/sec/gss/svcsec_gss.c		patch \| blob \| history
lustre/tests/llmount.sh		patch \| blob \| history
lustre/tests/llrmount.sh		patch \| blob \| history
lustre/tests/test-framework.sh		patch \| blob \| history
lustre/utils/lconf		patch \| blob \| history
lustre/utils/llmount.c		patch \| blob \| history
lustre/utils/lmc		patch \| blob \| history
lustre/utils/lustre_cfg.c		patch \| blob \| history