From: ericm Date: Wed, 15 Jun 2005 20:24:42 +0000 (+0000) Subject: land b_hd_sec_client_oss onto HEAD. X-Git-Tag: v1_7_100~1185 X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=commitdiff_plain;h=27991cb0ca98c5e2e172ec241efbc168354831a5 land b_hd_sec_client_oss onto HEAD. --- diff --git a/lustre/include/linux/lustre_cfg.h b/lustre/include/linux/lustre_cfg.h index ffa86c05..b1cb5f2 100644 --- a/lustre/include/linux/lustre_cfg.h +++ b/lustre/include/linux/lustre_cfg.h @@ -245,7 +245,8 @@ struct lustre_mount_data { uint64_t lmd_remote_flag; uint32_t lmd_nllu; uint32_t lmd_nllg; - char lmd_security[16]; + char lmd_mds_security[16]; + char lmd_oss_security[16]; char lmd_mds[64]; char lmd_profile[64]; }; diff --git a/lustre/include/linux/lustre_sec.h b/lustre/include/linux/lustre_sec.h index 94028b4..34efde0 100644 --- a/lustre/include/linux/lustre_sec.h +++ b/lustre/include/linux/lustre_sec.h @@ -37,6 +37,11 @@ typedef struct ptlrpcs_flavor_s { __u32 subflavor; } ptlrpcs_flavor_t; +typedef struct { + struct list_head list; + ptlrpcs_flavor_t sec; +} deny_sec_t; + enum ptlrpcs_security_type { PTLRPC_SEC_TYPE_NONE = 0, /* no security */ PTLRPC_SEC_TYPE_AUTH = 1, /* authentication */ @@ -286,6 +291,39 @@ static inline int ptlrpcs_est_rep_payload(struct ptlrpc_sec *sec, return 0; } +static inline int add_deny_security(char *sec, struct list_head *head) +{ + int rc = 0; + deny_sec_t *p_deny_sec = NULL; + + LASSERT(sec != NULL); + + OBD_ALLOC(p_deny_sec, sizeof(*p_deny_sec)); + if (p_deny_sec == NULL) return -ENOMEM; + + if (strcmp(sec, "null") == 0) { + p_deny_sec->sec.flavor = PTLRPC_SEC_NULL; + p_deny_sec->sec.subflavor = PTLRPC_SEC_NULL; + }else if (strcmp(sec, "krb5i") == 0) { + p_deny_sec->sec.flavor = PTLRPC_SEC_GSS; + p_deny_sec->sec.subflavor = PTLRPC_SEC_GSS_KRB5I; + }else if (strcmp(sec, "krb5p") == 0) { + p_deny_sec->sec.flavor = PTLRPC_SEC_GSS; + p_deny_sec->sec.subflavor = PTLRPC_SEC_GSS_KRB5P; + }else{ + CERROR("unrecognized security type %s\n", (char*) sec); + GOTO(out, rc = -EINVAL); + } + + list_add_tail(&p_deny_sec->list, head); +out: + if (rc) { + if (p_deny_sec) + OBD_FREE(p_deny_sec, sizeof(*p_deny_sec)); + } + return rc; +} + int ptlrpcs_cli_wrap_request(struct ptlrpc_request *req); int ptlrpcs_cli_unwrap_reply(struct ptlrpc_request *req); int ptlrpcs_cli_alloc_reqbuf(struct ptlrpc_request *req, int msgsize); @@ -340,6 +378,37 @@ struct ptlrpc_svcsec { #define SVC_LOGIN 4 #define SVC_LOGOUT 5 +/* FIXME + * this should be a gss internal structure. fix these when we + * sort out the flavor issues. + */ + +typedef struct rawobj_s { + __u32 len; + __u8 *data; +} rawobj_t; + +/* on-the-wire gss cred: */ +struct rpc_gss_wire_cred { + __u32 gc_v; /* version */ + __u32 gc_proc; /* control procedure */ + __u32 gc_seq; /* sequence number */ + __u32 gc_svc; /* service */ + rawobj_t gc_ctx; /* context handle */ +}; + +struct gss_svc_data { + __u32 subflavor; /* XXX */ + /* decoded gss client cred: */ + struct rpc_gss_wire_cred clcred; + /* internal used status */ + unsigned int is_init:1, + is_init_continue:1, + is_err_notify:1, + is_fini:1; + int reserve_len; +}; + int svcsec_register(struct ptlrpc_svcsec *ss); int svcsec_unregister(struct ptlrpc_svcsec *ss); int svcsec_accept(struct ptlrpc_request *req, enum ptlrpcs_error *res); diff --git a/lustre/include/linux/obd.h b/lustre/include/linux/obd.h index f264325..60a18f9 100644 --- a/lustre/include/linux/obd.h +++ b/lustre/include/linux/obd.h @@ -255,6 +255,11 @@ struct filter_obd { struct list_head fo_llog_list; spinlock_t fo_llog_list_lock; + + /* which secure flavor from remote is denied */ + spinlock_t fo_denylist_lock; + struct list_head fo_denylist; + }; struct mds_server_data; @@ -399,6 +404,9 @@ struct mds_obd { /* security related */ char *mds_mds_sec; char *mds_ost_sec; + /* which secure flavor from remote to this mds is denied */ + spinlock_t mds_denylist_lock; + struct list_head mds_denylist; }; struct echo_obd { diff --git a/lustre/ldlm/ldlm_lib.c b/lustre/ldlm/ldlm_lib.c index 5130243..a01334f 100644 --- a/lustre/ldlm/ldlm_lib.c +++ b/lustre/ldlm/ldlm_lib.c @@ -536,6 +536,54 @@ static inline int ptlrpc_peer_is_local(struct ptlrpc_peer *peer) return (memcmp(&peer->peer_id, &myid, sizeof(myid)) == 0); } +/* To check whether the p_flavor is in deny list or not + * rc: + * 0 not found, pass + * EPERM found, refuse + */ + +static int check_deny_list(struct list_head *head, ptlrpcs_flavor_t *p_flavor) +{ + deny_sec_t *p_deny_sec = NULL; + deny_sec_t *n_deny_sec = NULL; + + list_for_each_entry_safe(p_deny_sec, n_deny_sec, head, list) { + if ((p_deny_sec->sec.flavor == p_flavor->flavor) && + (p_deny_sec->sec.subflavor == p_flavor->subflavor)) + return -EPERM; + } + return 0; +} + +int target_check_deny_sec(struct obd_device *target, struct ptlrpc_request *req) +{ + struct gss_svc_data *svcdata; + ptlrpcs_flavor_t flavor; + int rc = 0; + + /* XXX hacking */ + svcdata = (struct gss_svc_data *) req->rq_sec_svcdata; + if (svcdata == NULL) { + flavor.flavor = PTLRPC_SEC_NULL; + flavor.subflavor = 0; + } else { + flavor.flavor = PTLRPC_SEC_GSS; + flavor.subflavor = svcdata->subflavor; + } + + if (!strcmp(target->obd_type->typ_name, LUSTRE_MDS_NAME)) { + spin_lock(&target->u.mds.mds_denylist_lock); + rc = check_deny_list(&target->u.mds.mds_denylist, &flavor); + spin_unlock(&target->u.mds.mds_denylist_lock); + } else if (!strcmp(target->obd_type->typ_name, "obdfilter")) { + spin_lock(&target->u.filter.fo_denylist_lock); + rc = check_deny_list(&target->u.filter.fo_denylist, &flavor); + spin_unlock(&target->u.filter.fo_denylist_lock); + } + + return rc; +} + int target_handle_connect(struct ptlrpc_request *req) { unsigned long connect_flags = 0, *cfp; @@ -578,6 +626,11 @@ int target_handle_connect(struct ptlrpc_request *req) GOTO(out, rc = -ENODEV); } + /* check the secure deny list of mds/ost */ + rc = target_check_deny_sec(target, req); + if (rc != 0) + GOTO(out, rc); + LASSERT_REQSWAB (req, offset + 1); str = lustre_msg_string(req->rq_reqmsg, offset + 1, sizeof(cluuid) - 1); if (str == NULL) { diff --git a/lustre/llite/llite_internal.h b/lustre/llite/llite_internal.h index d552db6..673b763 100644 --- a/lustre/llite/llite_internal.h +++ b/lustre/llite/llite_internal.h @@ -301,8 +301,8 @@ extern struct super_operations lustre_super_operations; char *ll_read_opt(const char *opt, char *data); int ll_set_opt(const char *opt, char *data, int fl); -void ll_options(char *options, char **ost, char **mds, char **sec, - int *async, int *flags); +void ll_options(char *options, char **ost, char **mds, char **mds_sec, + char **oss_sec, int *async, int *flags); void ll_lli_init(struct ll_inode_info *lli); int ll_fill_super(struct super_block *sb, void *data, int silent); int lustre_fill_super(struct super_block *sb, void *data, int silent); diff --git a/lustre/llite/llite_lib.c b/lustre/llite/llite_lib.c index bf40365..5ce6640 100644 --- a/lustre/llite/llite_lib.c +++ b/lustre/llite/llite_lib.c @@ -129,8 +129,8 @@ int lustre_init_dt_desc(struct ll_sb_info *sbi) extern struct dentry_operations ll_d_ops; int lustre_common_fill_super(struct super_block *sb, char *lmv, char *lov, - int async, char *security, __u32 *nllu, - __u64 *remote) + int async, char *mds_security, char *oss_security, + __u32 *nllu, __u64 *remote) { struct ll_sb_info *sbi = ll_s2sbi(sb); struct ptlrpc_request *request = NULL; @@ -168,14 +168,14 @@ int lustre_common_fill_super(struct super_block *sb, char *lmv, char *lov, OBD_CONNECT_REMOTE); memcpy(data->ocd_nllu, nllu, sizeof(data->ocd_nllu)); - if (security == NULL) - security = "null"; + if (mds_security == NULL) + mds_security = "null"; err = obd_set_info(obd->obd_self_export, strlen("sec"), "sec", - strlen(security), security); + strlen(mds_security), mds_security); if (err) { CERROR("LMV %s: failed to set security %s, err %d\n", - lmv, security, err); + lmv, mds_security, err); OBD_FREE(data, sizeof(*data)); RETURN(err); } @@ -237,6 +237,18 @@ int lustre_common_fill_super(struct super_block *sb, char *lmv, char *lov, obd_set_info(obd->obd_self_export, strlen("async"), "async", sizeof(async), &async); + if (oss_security == NULL) + oss_security = "null"; + + err = obd_set_info(obd->obd_self_export, strlen("sec"), "sec", + strlen(oss_security), oss_security); + if (err) { + CERROR("LOV %s: failed to set security %s, err %d\n", + lov, oss_security, err); + OBD_FREE(data, sizeof(*data)); + RETURN(err); + } + err = obd_connect(&dt_conn, obd, &sbi->ll_sb_uuid, data, OBD_OPT_REAL_CLIENT); if (err == -EBUSY) { @@ -407,8 +419,8 @@ int ll_set_opt(const char *opt, char *data, int fl) RETURN(fl); } -void ll_options(char *options, char **lov, char **lmv, char **sec, - int *async, int *flags) +void ll_options(char *options, char **lov, char **lmv, char **mds_sec, + char **oss_sec, int *async, int *flags) { char *this_char; #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,0)) @@ -438,7 +450,9 @@ void ll_options(char *options, char **lov, char **lmv, char **sec, *async = 1; continue; } - if (!*sec && (*sec = ll_read_opt("sec", this_char))) + if (!*mds_sec && (*mds_sec = ll_read_opt("mds_sec", this_char))) + continue; + if (!*oss_sec && (*oss_sec = ll_read_opt("oss_sec", this_char))) continue; if (!(*flags & LL_SBI_NOLCK) && ((*flags) = (*flags) | @@ -473,8 +487,9 @@ int ll_fill_super(struct super_block *sb, void *data, int silent) struct ll_sb_info *sbi; char *lov = NULL; char *lmv = NULL; + char *mds_sec = NULL; + char *oss_sec = NULL; int async, err; - char *sec = NULL; __u32 nllu[2] = { NOBODY_UID, NOBODY_GID }; __u64 remote_flag = 0; ENTRY; @@ -486,7 +501,8 @@ int ll_fill_super(struct super_block *sb, void *data, int silent) RETURN(-ENOMEM); sbi->ll_flags |= LL_SBI_READAHEAD; - ll_options(data, &lov, &lmv, &sec, &async, &sbi->ll_flags); + ll_options(data, &lov, &lmv, &mds_sec, &oss_sec, + &async, &sbi->ll_flags); if (!lov) { CERROR("no osc\n"); @@ -498,19 +514,22 @@ int ll_fill_super(struct super_block *sb, void *data, int silent) GOTO(out, err = -EINVAL); } - err = lustre_common_fill_super(sb, lmv, lov, async, sec, + err = lustre_common_fill_super(sb, lmv, lov, async, mds_sec, oss_sec, nllu, &remote_flag); EXIT; out: if (err) lustre_free_sbi(sb); - if (sec) - OBD_FREE(sec, strlen(sec) + 1); if (lmv) OBD_FREE(lmv, strlen(lmv) + 1); if (lov) OBD_FREE(lov, strlen(lov) + 1); + if (mds_sec) + OBD_FREE(mds_sec, strlen(mds_sec) + 1); + if (oss_sec) + OBD_FREE(oss_sec, strlen(oss_sec) + 1); + return err; } /* ll_read_super */ @@ -598,7 +617,7 @@ static int lustre_process_log(struct lustre_mount_data *lmd, char *profile, GOTO(out_cleanup, rc = -EINVAL); rc = obd_set_info(obd->obd_self_export, strlen("sec"), "sec", - strlen(lmd->lmd_security), lmd->lmd_security); + strlen(lmd->lmd_mds_security), lmd->lmd_mds_security); if (rc) GOTO(out_cleanup, rc); @@ -731,7 +750,8 @@ int lustre_fill_super(struct super_block *sb, void *data, int silent) CERROR("no mds name\n"); GOTO(out_free, err = -EINVAL); } - lmd->lmd_security[sizeof(lmd->lmd_security) - 1] = 0; + lmd->lmd_mds_security[sizeof(lmd->lmd_mds_security) - 1] = 0; + lmd->lmd_oss_security[sizeof(lmd->lmd_oss_security) - 1] = 0; OBD_ALLOC(sbi->ll_lmd, sizeof(*sbi->ll_lmd)); if (sbi->ll_lmd == NULL) @@ -784,8 +804,9 @@ int lustre_fill_super(struct super_block *sb, void *data, int silent) } err = lustre_common_fill_super(sb, lmv, lov, lmd->lmd_async, - lmd->lmd_security, &lmd->lmd_nllu, - &lmd->lmd_remote_flag); + lmd->lmd_mds_security, + lmd->lmd_oss_security, + &lmd->lmd_nllu, &lmd->lmd_remote_flag); if (err) GOTO(out_free, err); diff --git a/lustre/mdc/mdc_request.c b/lustre/mdc/mdc_request.c index 5b78b51..f62cd99 100644 --- a/lustre/mdc/mdc_request.c +++ b/lustre/mdc/mdc_request.c @@ -833,7 +833,8 @@ int mdc_set_info(struct obd_export *exp, obd_count keylen, exp->exp_obd->obd_name, imp->imp_initial_recov); RETURN(0); - } else if (keylen >= strlen("mds_type") && strcmp(key, "mds_type") == 0) { + } else if (keylen >= strlen("mds_type") && + strcmp(key, "mds_type") == 0) { struct ptlrpc_request *req; char *bufs[2] = {key, val}; int rc, size[2] = {keylen, vallen}; @@ -852,7 +853,8 @@ int mdc_set_info(struct obd_export *exp, obd_count keylen, imp->imp_server_timeout = 1; CDEBUG(D_OTHER, "%s: timeout / 2\n", exp->exp_obd->obd_name); RETURN(0); - } else if (keylen == strlen("sec") && memcmp(key, "sec", keylen) == 0) { + } else if (keylen == strlen("sec") && + memcmp(key, "sec", keylen) == 0) { struct client_obd *cli = &exp->exp_obd->u.cli; if (vallen == strlen("null") && diff --git a/lustre/mds/handler.c b/lustre/mds/handler.c index 1384ed6..72ccf1c 100644 --- a/lustre/mds/handler.c +++ b/lustre/mds/handler.c @@ -57,6 +57,7 @@ #include #include #include "mds_internal.h" +#include static int mds_intent_policy(struct ldlm_namespace *ns, struct ldlm_lock **lockp, void *req_cookie, @@ -3265,7 +3266,7 @@ static int mds_setup(struct obd_device *obd, obd_count len, void *buf) sema_init(&mds->mds_md_sem, 1); mds->mds_md_connected = 0; mds->mds_md_name = NULL; - + if (LUSTRE_CFG_BUFLEN(lcfg, 5) > 0 && lustre_cfg_buf(lcfg, 5) && strncmp(lustre_cfg_string(lcfg, 5), "dumb", LUSTRE_CFG_BUFLEN(lcfg, 5))) { class_uuid_t uuid; @@ -3289,7 +3290,7 @@ static int mds_setup(struct obd_device *obd, obd_count len, void *buf) GOTO(err_ops, rc); } } - + mds->mds_obd_type = MDS_MASTER_OBD; if (LUSTRE_CFG_BUFLEN(lcfg, 6) > 0 && lustre_cfg_buf(lcfg, 6) && @@ -3343,7 +3344,7 @@ static int mds_setup(struct obd_device *obd, obd_count len, void *buf) obd->obd_name, rc); GOTO(err_ns, rc); } - + rc = llog_start_commit_thread(); if (rc < 0) @@ -3631,6 +3632,20 @@ static int mds_cleanup(struct obd_device *obd, int flags) /* XXX */ lgss_svc_cache_purge_all(); #endif + + spin_lock(&mds->mds_denylist_lock); + while (!list_empty( &mds->mds_denylist ) ) { + deny_sec_t *p_deny_sec = list_entry(mds->mds_denylist.next, + deny_sec_t, list); + list_del(&p_deny_sec->list); + OBD_FREE(p_deny_sec, sizeof(*p_deny_sec)); + } + spin_unlock(&mds->mds_denylist_lock); + if(mds->mds_mds_sec) + OBD_FREE(mds->mds_mds_sec, strlen(mds->mds_mds_sec) + 1); + if(mds->mds_ost_sec) + OBD_FREE(mds->mds_ost_sec, strlen(mds->mds_ost_sec) + 1); + RETURN(0); } @@ -3638,13 +3653,14 @@ static int set_security(const char *value, char **sec) { int rc = 0; - if (!strcmp(value, "null")) - *sec = "null"; - else if (!strcmp(value, "krb5i")) - *sec = "krb5i"; - else if (!strcmp(value, "krb5p")) - *sec = "krb5p"; - else { + if (!strcmp(value, "null") || + !strcmp(value, "krb5i") || + !strcmp(value, "krb5p")) { + OBD_ALLOC(*sec, strlen(value) + 1); + if(!*sec) + RETURN(-ENOMEM); + memcpy(*sec, value, strlen(value) + 1); + } else { CERROR("Unrecognized value, force use NULL\n"); rc = -EINVAL; } @@ -3661,16 +3677,22 @@ static int mds_process_config(struct obd_device *obd, obd_count len, void *buf) switch(lcfg->lcfg_command) { case LCFG_SET_SECURITY: { - if (LUSTRE_CFG_BUFLEN(lcfg, 1) || LUSTRE_CFG_BUFLEN(lcfg, 2)) + if ((LUSTRE_CFG_BUFLEN(lcfg, 1) == 0) || + (LUSTRE_CFG_BUFLEN(lcfg, 2) == 0)) GOTO(out, rc = -EINVAL); - if (!strcmp(lustre_cfg_string(lcfg, 1), "mds_mds_sec")) + if (!strcmp(lustre_cfg_string(lcfg, 1), "mds_sec")) rc = set_security(lustre_cfg_string(lcfg, 2), &mds->mds_mds_sec); - else if (!strcmp(lustre_cfg_string(lcfg, 2), "mds_ost_sec")) + else if (!strcmp(lustre_cfg_string(lcfg, 1), "oss_sec")) rc = set_security(lustre_cfg_string(lcfg, 2), &mds->mds_ost_sec); - else { + else if (!strcmp(lustre_cfg_string(lcfg, 1), "deny_sec")){ + spin_lock(&mds->mds_denylist_lock); + rc = add_deny_security(lustre_cfg_string(lcfg, 2), + &mds->mds_denylist); + spin_unlock(&mds->mds_denylist_lock); + } else { CERROR("Unrecognized key\n"); rc = -EINVAL; } @@ -3943,6 +3965,10 @@ int mds_attach(struct obd_device *dev, obd_count len, void *data) { struct lprocfs_static_vars lvars; int rc = 0; + struct mds_obd *mds = &dev->u.mds; + + spin_lock_init(&mds->mds_denylist_lock); + INIT_LIST_HEAD(&mds->mds_denylist); lprocfs_init_multi_vars(0, &lvars); diff --git a/lustre/obdfilter/filter.c b/lustre/obdfilter/filter.c index 023bb30..f9bf6fc 100644 --- a/lustre/obdfilter/filter.c +++ b/lustre/obdfilter/filter.c @@ -60,6 +60,7 @@ #include #include +#include #include "filter_internal.h" /* Group 0 is no longer a legal group, to catch uninitialized IDs */ @@ -1571,8 +1572,13 @@ static int filter_detach(struct obd_device *dev) static int filter_setup(struct obd_device *obd, obd_count len, void *buf) { struct lustre_cfg* lcfg = buf; + struct filter_obd *filter = &obd->u.filter; int rc; ENTRY; + + spin_lock_init(&filter->fo_denylist_lock); + INIT_LIST_HEAD(&filter->fo_denylist); + /* all mount options including errors=remount-ro and asyncdel are passed * using 4th lcfg param. And it is good, finally we have got rid of * hardcoded fs types in the code. */ @@ -1616,6 +1622,15 @@ static int filter_cleanup(struct obd_device *obd, int flags) shrink_dcache_parent(filter->fo_sb->s_root); filter->fo_sb = 0; + spin_lock(&filter->fo_denylist_lock); + while (!list_empty(&filter->fo_denylist)) { + deny_sec_t *p_deny_sec = list_entry(filter->fo_denylist.next, + deny_sec_t, list); + list_del(&p_deny_sec->list); + OBD_FREE(p_deny_sec, sizeof(*p_deny_sec)); + } + spin_unlock(&filter->fo_denylist_lock); + unlock_kernel(); lvfs_umount_fs(filter->fo_lvfs_ctxt); //destroy_buffers(filter->fo_sb->s_dev); @@ -1628,6 +1643,40 @@ static int filter_cleanup(struct obd_device *obd, int flags) RETURN(0); } +static int filter_process_config(struct obd_device *obd, obd_count len, void *buf) +{ + struct lustre_cfg *lcfg = buf; + struct filter_obd *filter = &obd->u.filter; + int rc = 0; + ENTRY; + + switch(lcfg->lcfg_command) { + case LCFG_SET_SECURITY: { + if ((LUSTRE_CFG_BUFLEN(lcfg, 1) == 0) || + (LUSTRE_CFG_BUFLEN(lcfg, 2) == 0)) + GOTO(out, rc = -EINVAL); + + if (!strcmp(lustre_cfg_string(lcfg, 1), "deny_sec")){ + spin_lock(&filter->fo_denylist_lock); + rc = add_deny_security(lustre_cfg_string(lcfg, 2), + &filter->fo_denylist); + spin_unlock(&filter->fo_denylist_lock); + }else { + CERROR("Unrecognized key\n"); + rc = -EINVAL; + } + break; + } + default: { + CERROR("Unknown command: %d\n", lcfg->lcfg_command); + GOTO(out, rc = -EINVAL); + + } + } +out: + RETURN(rc); +} + static int filter_connect_post(struct obd_export *exp, unsigned initial, unsigned long connect_flags) { @@ -3040,6 +3089,7 @@ static struct obd_ops filter_obd_ops = { .o_setup = filter_setup, .o_precleanup = filter_precleanup, .o_cleanup = filter_cleanup, + .o_process_config = filter_process_config, .o_connect = filter_connect, .o_connect_post = filter_connect_post, .o_disconnect = filter_disconnect, diff --git a/lustre/osc/osc_request.c b/lustre/osc/osc_request.c index ee2dc0b..f900f5c 100644 --- a/lustre/osc/osc_request.c +++ b/lustre/osc/osc_request.c @@ -2913,7 +2913,8 @@ static int osc_set_info(struct obd_export *exp, obd_count keylen, RETURN(0); } - if (keylen == strlen("sec") && memcmp(key, "sec", keylen) == 0) { + if (keylen == strlen("sec") && + memcmp(key, "sec", keylen) == 0) { struct client_obd *cli = &exp->exp_obd->u.cli; if (vallen == strlen("null") && diff --git a/lustre/ost/ost_handler.c b/lustre/ost/ost_handler.c index f20386c..9902402 100644 --- a/lustre/ost/ost_handler.c +++ b/lustre/ost/ost_handler.c @@ -44,6 +44,7 @@ #include #include #include +#include void oti_init(struct obd_trans_info *oti, struct ptlrpc_request *req) { @@ -1030,7 +1031,7 @@ int ost_handle(struct ptlrpc_request *req) if (req->rq_reqmsg->opc == SEC_INIT || req->rq_reqmsg->opc == SEC_INIT_CONTINUE || req->rq_reqmsg->opc == SEC_FINI) { - RETURN(0); + GOTO(out_check_req, rc = 0); } /* XXX identical to MDS */ @@ -1316,6 +1317,7 @@ out_service: RETURN(rc); } +extern void lgss_svc_cache_purge_all(void); static int ost_cleanup(struct obd_device *obd, int flags) { struct ost_obd *ost = &obd->u.ost; @@ -1335,6 +1337,10 @@ static int ost_cleanup(struct obd_device *obd, int flags) ptlrpc_stop_all_threads(ost->ost_create_service); ptlrpc_unregister_service(ost->ost_create_service); +#ifdef ENABLE_GSS + /* XXX */ + lgss_svc_cache_purge_all(); +#endif RETURN(err); } diff --git a/lustre/sec/gss/gss_internal.h b/lustre/sec/gss/gss_internal.h index 2475e8e..c605633 100644 --- a/lustre/sec/gss/gss_internal.h +++ b/lustre/sec/gss/gss_internal.h @@ -7,6 +7,7 @@ * Author: Eric Mei */ +#include #ifndef __SEC_GSS_GSS_INTERNAL_H_ #define __SEC_GSS_GSS_INTERNAL_H_ @@ -88,11 +89,7 @@ crypto_tfm_alg_ivsize(struct crypto_tfm *tfm) struct ptlrpc_sec; struct ptlrpc_cred; -typedef struct rawobj_s { - __u32 len; - __u8 *data; -} rawobj_t; - +/* rawobj stuff */ int rawobj_alloc(rawobj_t *obj, char *buf, int len); void rawobj_free(rawobj_t *obj); int rawobj_equal(rawobj_t *a, rawobj_t *b); @@ -113,6 +110,15 @@ typedef struct rawobj_buf_s { */ #define GSSD_INTERFACE_VERSION (1) +/* + * target of gss request + */ +#define LUSTRE_GSS_SVC_MDS 0 +#define LUSTRE_GSS_SVC_OSS 1 + +/* + * data types in gss header + */ #define MAXSEQ 0x80000000 /* maximum legal sequence number, from rfc 2203 */ enum rpc_gss_proc { @@ -128,15 +134,6 @@ enum rpc_gss_svc { RPC_GSS_SVC_PRIVACY = 3, }; -/* on-the-wire gss cred: */ -struct rpc_gss_wire_cred { - __u32 gc_v; /* version */ - __u32 gc_proc; /* control procedure */ - __u32 gc_seq; /* sequence number */ - __u32 gc_svc; /* service */ - rawobj_t gc_ctx; /* context handle */ -}; - /* on-the-wire gss verifier: */ struct rpc_gss_wire_verf { __u32 gv_flavor; diff --git a/lustre/sec/gss/sec_gss.c b/lustre/sec/gss/sec_gss.c index c6f7eb7..13293db 100644 --- a/lustre/sec/gss/sec_gss.c +++ b/lustre/sec/gss/sec_gss.c @@ -92,6 +92,7 @@ struct rpc_clnt; static int secinit_compose_request(struct obd_import *imp, char *buf, int bufsize, + int lustre_srv, uid_t uid, gid_t gid, long token_size, char __user *token) @@ -115,7 +116,7 @@ static int secinit_compose_request(struct obd_import *imp, hdr->flavor = cpu_to_le32(PTLRPC_SEC_GSS); hdr->sectype = cpu_to_le32(PTLRPC_SEC_TYPE_NONE); hdr->msg_len = cpu_to_le32(lmsg_size); - hdr->sec_len = cpu_to_le32(7 * 4 + token_size); + hdr->sec_len = cpu_to_le32(8 * 4 + token_size); /* lustre message & secdesc */ lmsg = buf_to_lustre_msg(buf); @@ -142,6 +143,9 @@ static int secinit_compose_request(struct obd_import *imp, *p++ = cpu_to_le32(PTLRPC_GSS_SVC_NONE); /* service */ *p++ = cpu_to_le32(0); /* context handle */ + /* plus lustre svc type */ + *p++ = cpu_to_le32(lustre_srv); + /* now the token part */ *p++ = cpu_to_le32((__u32) token_size); LASSERT(((char *)p - buf) + token_size <= bufsize); @@ -245,6 +249,7 @@ static int secinit_parse_reply(char *repbuf, int replen, struct lgssd_ioctl_param { int version; /* in */ char *uuid; /* in */ + int lustre_svc; /* in */ uid_t uid; /* in */ gid_t gid; /* in */ long send_token_size;/* in */ @@ -269,11 +274,14 @@ static int gss_send_secinit_rpc(__user char *buffer, unsigned long count) int rc, reqlen, replen; if (count != sizeof(param)) { - CERROR("partial write\n"); + CERROR("ioctl size %lu, expect %d, please check lgssd version\n", + count, sizeof(param)); RETURN(-EINVAL); } - if (copy_from_user(¶m, buffer, sizeof(param))) + if (copy_from_user(¶m, buffer, sizeof(param))) { + CERROR("failed copy data from lgssd\n"); RETURN(-EFAULT); + } if (param.version != GSSD_INTERFACE_VERSION) { CERROR("gssd interface version %d (expect %d)\n", @@ -293,11 +301,6 @@ static int gss_send_secinit_rpc(__user char *buffer, unsigned long count) CERROR("no such obd %s\n", obdname); RETURN(-EINVAL); } - if (strcmp(obd->obd_type->typ_name, "mdc") && - strcmp(obd->obd_type->typ_name, "osc")) { - CERROR("%s not a mdc/osc device\n", obdname); - RETURN(-EINVAL); - } imp = class_import_get(obd->u.cli.cl_import); @@ -312,6 +315,7 @@ static int gss_send_secinit_rpc(__user char *buffer, unsigned long count) /* get token */ reqlen = secinit_compose_request(imp, reqbuf, reqbuf_size, + param.lustre_svc, param.uid, param.gid, param.send_token_size, param.send_token); @@ -732,9 +736,9 @@ static int gss_cred_refresh(struct ptlrpc_cred *cred) obdtype = import->imp_obd->obd_type->typ_name; if (!strcmp(obdtype, "mdc")) - gmd.gum_svc = 0; + gmd.gum_svc = LUSTRE_GSS_SVC_MDS; else if (!strcmp(obdtype, "osc")) - gmd.gum_svc = 1; + gmd.gum_svc = LUSTRE_GSS_SVC_OSS; else { CERROR("gss on %s?\n", obdtype); RETURN(-EINVAL); diff --git a/lustre/sec/gss/svcsec_gss.c b/lustre/sec/gss/svcsec_gss.c index 120348b..05f2122 100644 --- a/lustre/sec/gss/svcsec_gss.c +++ b/lustre/sec/gss/svcsec_gss.c @@ -105,10 +105,11 @@ static inline unsigned long hash_mem(char *buf, int length, int bits) struct rsi { struct cache_head h; + __u32 lustre_svc; __u32 naltype; __u32 netid; __u64 nid; - rawobj_t in_handle, in_token; + rawobj_t in_handle, in_token, in_srv_type; rawobj_t out_handle, out_token; int major_status, minor_status; }; @@ -153,11 +154,13 @@ static void rsi_request(struct cache_detail *cd, { struct rsi *rsii = container_of(h, struct rsi, h); - qword_addhex(bpp, blen, (char *)&rsii->naltype, sizeof(rsii->naltype)); - qword_addhex(bpp, blen, (char *)&rsii->netid, sizeof(rsii->netid)); - qword_addhex(bpp, blen, (char *)&rsii->nid, sizeof(rsii->nid)); - qword_addhex(bpp, blen, (char *)rsii->in_handle.data, rsii->in_handle.len); - qword_addhex(bpp, blen, (char *)rsii->in_token.data, rsii->in_token.len); + qword_addhex(bpp, blen, (char *) &rsii->lustre_svc, + sizeof(rsii->lustre_svc)); + qword_addhex(bpp, blen, (char *) &rsii->naltype, sizeof(rsii->naltype)); + qword_addhex(bpp, blen, (char *) &rsii->netid, sizeof(rsii->netid)); + qword_addhex(bpp, blen, (char *) &rsii->nid, sizeof(rsii->nid)); + qword_addhex(bpp, blen, rsii->in_handle.data, rsii->in_handle.len); + qword_addhex(bpp, blen, rsii->in_token.data, rsii->in_token.len); (*bpp)[-1] = '\n'; } @@ -644,17 +647,6 @@ gss_svc_searchbyctx(rawobj_t *handle) return found; } -struct gss_svc_data { - /* decoded gss client cred: */ - struct rpc_gss_wire_cred clcred; - /* internal used status */ - unsigned int is_init:1, - is_init_continue:1, - is_err_notify:1, - is_fini:1; - int reserve_len; -}; - /* FIXME * again hacking: only try to give the svcgssd a chance to handle * upcalls. @@ -923,10 +915,21 @@ gss_svcsec_handle_init(struct ptlrpc_request *req, } cache_init(&rsikey->h); + /* obtain lustre svc type */ + if (seclen < 4) { + CERROR("sec size %d too small\n", seclen); + GOTO(out_rsikey, rc = SVC_DROP); + } + rsikey->lustre_svc = le32_to_cpu(*secdata++); + seclen -= 4; + + /* duplicate context handle. currently always 0 */ if (rawobj_dup(&rsikey->in_handle, &gc->gc_ctx)) { CERROR("fail to dup context handle\n"); GOTO(out_rsikey, rc = SVC_DROP); } + + /* extract token */ *res = PTLRPCS_BADVERF; if (rawobj_extract(&tmpobj, &secdata, &seclen)) { CERROR("can't extract token\n"); @@ -1176,7 +1179,7 @@ gss_svcsec_accept(struct ptlrpc_request *req, enum ptlrpcs_error *res) struct gss_svc_data *svcdata; struct rpc_gss_wire_cred *gc; struct ptlrpcs_wire_hdr *sec_hdr; - __u32 seclen, *secdata, version, subflavor; + __u32 seclen, *secdata, version; int rc; ENTRY; @@ -1215,14 +1218,15 @@ gss_svcsec_accept(struct ptlrpc_request *req, enum ptlrpcs_error *res) /* Now secdata/seclen is what we want to parse */ version = le32_to_cpu(*secdata++); /* version */ - subflavor = le32_to_cpu(*secdata++); /* subflavor */ + svcdata->subflavor = le32_to_cpu(*secdata++); /* subflavor */ gc->gc_proc = le32_to_cpu(*secdata++); /* proc */ gc->gc_seq = le32_to_cpu(*secdata++); /* seq */ gc->gc_svc = le32_to_cpu(*secdata++); /* service */ seclen -= 5 * 4; CDEBUG(D_SEC, "wire gss_hdr: %u/%u/%u/%u/%u\n", - version, subflavor, gc->gc_proc, gc->gc_seq, gc->gc_svc); + version, svcdata->subflavor, gc->gc_proc, + gc->gc_seq, gc->gc_svc); if (version != PTLRPC_SEC_GSS_VERSION) { CERROR("gss version mismatch: %d - %d\n", diff --git a/lustre/tests/llmount.sh b/lustre/tests/llmount.sh index 253932f..750c94c 100755 --- a/lustre/tests/llmount.sh +++ b/lustre/tests/llmount.sh @@ -34,10 +34,10 @@ fi [ "$NODE" ] && node_opt="--node $NODE" [ "$DEBUG" ] && debug_opt="--ptldebug=$DEBUG" -${LCONF} $NOMOD --sec $SECURITY $portals_opt $lustre_opt $node_opt \ +${LCONF} $NOMOD --mds_sec $SECURITY $portals_opt $lustre_opt $node_opt \ ${REFORMAT:---reformat} $@ $conf_opt || exit 5 if [ "$MOUNT2" ]; then - $LLMOUNT -v -o sec=$SECURITY `hostname`:/mds1/client $MOUNT2 || exit 6 + $LLMOUNT -v -o mds_sec=$SECURITY `hostname`:/mds1/client $MOUNT2 || exit 6 fi diff --git a/lustre/tests/llrmount.sh b/lustre/tests/llrmount.sh index 0cc2853..a9de5e4 100755 --- a/lustre/tests/llrmount.sh +++ b/lustre/tests/llrmount.sh @@ -35,10 +35,10 @@ fi [ "$NODE" ] && node_opt="--node $NODE" -${LCONF} $NOMOD --sec $SECURITY $portals_opt $lustre_opt $node_opt \ +${LCONF} $NOMOD --mds_sec $SECURITY $portals_opt $lustre_opt $node_opt \ $@ $conf_opt || exit 5 if [ "$MOUNT2" ]; then - $LLMOUNT -v -o sec=$SECURITY `hostname`:/mds1/client $MOUNT2 || exit 6 + $LLMOUNT -v -o mds_sec=$SECURITY `hostname`:/mds1/client $MOUNT2 || exit 6 fi diff --git a/lustre/tests/test-framework.sh b/lustre/tests/test-framework.sh index c5612e9..82222ae 100644 --- a/lustre/tests/test-framework.sh +++ b/lustre/tests/test-framework.sh @@ -78,7 +78,7 @@ start() { active=`facet_active $facet` do_facet $facet $LCONF --select ${facet}_svc=${active}_facet \ --node ${active}_facet --ptldebug $PTLDEBUG --subsystem $SUBSYSTEM \ - --sec $SECURITY $@ $XMLCONFIG + --mds_sec $SECURITY $@ $XMLCONFIG } stop() { @@ -97,13 +97,13 @@ zconf_mount() { do_node $client mkdir $mnt 2> /dev/null || : if [ -x /sbin/mount.lustre ] ; then - do_node $client mount -t lustre -o sec=$SECURITY,nettype=$NETTYPE \ + do_node $client mount -t lustre -o mds_sec=$SECURITY,nettype=$NETTYPE \ `facet_active_host mds1`:/mds1_svc/client_facet $mnt || return 2 else # this is so cheating do_node $client $LCONF --nosetup --node client_facet $XMLCONFIG > /dev/null || return 2 do_node $client $LLMOUNT `facet_active_host mds1`:/mds1_svc/client_facet $mnt \ - -o sec=$SECURITY,nettype=$NETTYPE|| return 4 + -o mds_sec=$SECURITY,nettype=$NETTYPE|| return 4 fi [ -d /r ] && $LCTL modules > /r/tmp/ogdb-`hostname` diff --git a/lustre/utils/lconf b/lustre/utils/lconf index 12a766a..705fecb 100755 --- a/lustre/utils/lconf +++ b/lustre/utils/lconf @@ -628,7 +628,8 @@ class LCTLInterface: # create a new device with lctl def newdev(self, type, name, uuid, setup = ""): - self.attach(type, name, uuid); + if type != 'mds': + self.attach(type, name, uuid); try: self.setup(name, setup) except CommandError, e: @@ -1739,6 +1740,20 @@ class CONFDEV(Module): self.client_uuids = self.target.get_refs('client') self.obdtype = self.db.get_val('obdtype', '') + self.mds_sec = self.db.get_val('mds_sec', '') + self.oss_sec = self.db.get_val('oss_sec', '') + self.deny_sec = self.db.get_val('deny_sec', '') + + if config.mds_mds_sec: + self.mds_sec = config.mds_mds_sec + if config.mds_oss_sec: + self.oss_sec = config.mds_oss_sec + if config.mds_deny_sec: + if self.deny_sec: + self.deny_sec = "%s,%s" %(self.deny_sec, config.mds_deny_sec) + else: + self.deny_sec = config.mds_deny_sec + if self.obdtype == None: self.obdtype = 'dumb' @@ -1916,10 +1931,18 @@ class CONFDEV(Module): config.record = 1 lctl.clear_log(self.name, self.target.getName() + '-conf') lctl.record(self.name, self.target.getName() + '-conf') + lctl.attach("mds", self.conf_name, self.conf_uuid) + if self.mds_sec: + lctl.set_security(self.conf_name, "mds_sec", self.mds_sec) + if self.oss_sec: + lctl.set_security(self.conf_name, "oss_sec", self.oss_sec) + if self.deny_sec: + for flavor in string.split(self.deny_sec, ','): + lctl.set_security(self.conf_name, "deny_sec", flavor) lctl.newdev("mds", self.conf_name, self.conf_uuid, setup ="%s %s %s %s %s %s" %(self.realdev, self.fstype, - self.conf_name, self.mountfsoptions, - master_name, self.obdtype)) + self.conf_name, self.mountfsoptions, + master_name, self.obdtype)) lctl.end_record() config.record = 0 @@ -2122,13 +2145,6 @@ class MDSDEV(Module): if self.master != None: self.master.prepare() - lctl.attach("mds", self.name, self.uuid) - if config.mds_mds_sec: - lctl.set_security(self.name, "mds_mds_sec", config.mds_mds_sec) - if config.mds_ost_sec: - lctl.set_security(self.name, "mds_ost_sec", config.mds_ost_sec) - lctl.detach(self.name) - if not config.record: self.confobd.start() @@ -2223,6 +2239,14 @@ class OSD(Module): else: self.failover_ost = 'n' + self.deny_sec = self.db.get_val('deny_sec', '') + + if config.ost_deny_sec: + if self.deny_sec: + self.deny_sec = "%s,%s" %(self.deny_sec, config.ost_deny_sec) + else: + self.deny_sec = config.ost_deny_sec + active_uuid = get_active_target(ost) if not active_uuid: panic("No target device found:", target_uuid) @@ -2237,7 +2261,7 @@ class OSD(Module): self.uuid = target_uuid self.confobd = CONFDEV(self.db, self.name, target_uuid, self.uuid) - + def add_module(self, manager): if not self.active: return @@ -2274,6 +2298,7 @@ class OSD(Module): return run_acceptors() + if self.osdtype == 'obdecho': self.info(self.osdtype) lctl.newdev("obdecho", self.name, self.uuid) @@ -2286,6 +2311,10 @@ class OSD(Module): if not config.record: self.confobd.start() + if self.deny_sec: + for flavor in string.split(self.deny_sec, ','): + lctl.set_security(self.name, "deny_sec", flavor) + def write_conf(self): if is_prepared(self.name): return @@ -2764,6 +2793,13 @@ class Mountpoint(Module): self.obd_uuid = fs.get_first_ref('obd') client_uuid = generate_client_uuid(self.name) + self.oss_sec = self.db.get_val('oss_sec','null') + self.mds_sec = self.db.get_val('mds_sec','null') + if config.mds_sec: + self.mds_sec = config.mds_sec + if config.oss_sec: + self.oss_sec = config.oss_sec + ost = self.db.lookup(self.obd_uuid) if not ost: panic("no ost: ", self.obd_uuid) @@ -2801,11 +2837,9 @@ class Mountpoint(Module): # so replace it with Lustre async self.clientoptions = string.replace(self.clientoptions, "async", "lasync") - if not config.sec: - config.sec = "null" - cmd = "mount -t lustre_lite -o osc=%s,mdc=%s,sec=%s%s %s %s" % \ - (self.vosc.get_name(), self.vmdc.get_name(), config.sec, - self.clientoptions, config.config, self.path) + cmd = "mount -t lustre_lite -o osc=%s,mdc=%s,mds_sec=%s,oss_sec=%s%s %s %s" % \ + (self.vosc.get_name(), self.vmdc.get_name(), self.mds_sec, + self.oss_sec, self.clientoptions, config.config, self.path) run("mkdir", self.path) ret, val = run(cmd) if ret: @@ -3588,10 +3622,13 @@ lconf_options = [ ('config', "Cluster config name used for LDAP query", PARAM), ('select', "service=nodeA,service2=nodeB ", PARAMLIST), ('node', "Load config for ", PARAM), - ('sec', "security flavor of client", PARAM), - ('mds_sec', "security flavor of client", PARAM), - ('mds_mds_sec', "security flavor of inter mds's", PARAM), - ('mds_ost_sec', "security flavor of mds's-ost's", PARAM), + ('sec',"security flavor between this client with mds", PARAM), + ('mds_sec',"security flavor between this client with mds", PARAM), + ('oss_sec',"security flavor between this client with ost", PARAM), + ('mds_mds_sec',"security flavor between this mds with other mds", PARAM), + ('mds_oss_sec',"security flavor between this mds with ost", PARAM), + ('mds_deny_sec', "security flavor denied by this mds", PARAM), + ('ost_deny_sec', "security flavor denied by this ost", PARAM), ('cleanup,d', "Cleans up config. (Shutdown)"), ('force,f', "Forced unmounting and/or obd detach during cleanup", FLAG, 0), diff --git a/lustre/utils/llmount.c b/lustre/utils/llmount.c index e50df3a..b9e7a8f 100644 --- a/lustre/utils/llmount.c +++ b/lustre/utils/llmount.c @@ -124,7 +124,8 @@ init_options(struct lustre_mount_data *lmd) lmd->lmd_remote_flag = 0; lmd->lmd_nllu = NOBODY_UID; lmd->lmd_nllg = NOBODY_GID; - strncpy(lmd->lmd_security, "null", sizeof(lmd->lmd_security)); + strncpy(lmd->lmd_mds_security, "null", sizeof(lmd->lmd_mds_security)); + strncpy(lmd->lmd_oss_security, "null", sizeof(lmd->lmd_oss_security)); return 0; } @@ -135,7 +136,8 @@ print_options(struct lustre_mount_data *lmd) printf("mds: %s\n", lmd->lmd_mds); printf("profile: %s\n", lmd->lmd_profile); - printf("sec_flavor: %s\n", lmd->lmd_security); + printf("mds_sec_flavor: %s\n", lmd->lmd_mds_security); + printf("oss_sec_flavor: %s\n", lmd->lmd_oss_security); printf("server_nid: "LPX64"\n", lmd->lmd_server_nid); #ifdef CRAY_PORTALS if (lmd->lmd_nal != CRAY_KB_SSNAL) { @@ -327,9 +329,12 @@ int parse_options(char * options, struct lustre_mount_data *lmd) lmd->lmd_server_nid = nid; } else if (!strcmp(opt, "port")) { lmd->lmd_port = val; - } else if (!strcmp(opt, "sec")) { - strncpy(lmd->lmd_security, opteq + 1, - sizeof(lmd->lmd_security)); + } else if (!strcmp(opt, "mds_sec")) { + strncpy(lmd->lmd_mds_security, opteq + 1, + sizeof(lmd->lmd_mds_security)); + } else if (!strcmp(opt, "oss_sec")) { + strncpy(lmd->lmd_oss_security, opteq + 1, + sizeof(lmd->lmd_oss_security)); } else if (!strcmp(opt, "nllu")) { if (parse_nllu(lmd, opteq + 1)) { fprintf(stderr, "%s: " diff --git a/lustre/utils/lmc b/lustre/utils/lmc index 31f9210..93c13b9 100755 --- a/lustre/utils/lmc +++ b/lustre/utils/lmc @@ -99,6 +99,9 @@ Object creation command summary: --mountfsoptions options --root_squash uid:gid --no_root_squash ptl_nid + --mds_mds_sec flavor + --mds_oss_sec flavor + --mds_deny_sec flavor[,flavor[...]] --add lov --lov lov_name @@ -126,6 +129,7 @@ Object creation command summary: --mkfsoptions options --mountfsoptions options --nspath + --ost_deny_sec flavor[,flavor[...]] --delete ost --node node_name @@ -142,6 +146,8 @@ Object creation command summary: --lmv lmv_name --ost ost_name OR --lov lov_name --clientoptions options + --mds_sec flavor + --oss_sec flavor --add route --node nodename @@ -237,6 +243,10 @@ lmc_options = [ ('root_squash', "MDS squash root to appointed uid.", PARAM, ""), ('no_root_squash', "Don't squash root for appointed nid.", PARAM, ""), ('nspath', "Local mount point of server namespace.", PARAM,""), + ('mds_mds_sec', "Specify the secure flavor for connection from this mds to other mds.", PARAM, ""), + ('mds_oss_sec', "Specify the secure flavor for connection from this mds to ost.", PARAM, ""), + ('mds_deny_sec', "Specify the secure flavor which is denied from remote to this mds.", PARAM, ""), + ('ost_deny_sec', "Specify the secure flavor which is denied from remote to this ost.", PARAM, ""), ('format', ""), ('migrate', "used for offline migrate of an ost in conjunctio with add/delete"), @@ -245,6 +255,8 @@ lmc_options = [ ('path', "Specify the mountpoint for Lustre.", PARAM), ('filesystem', "Lustre filesystem name", PARAM,""), ('clientoptions', "Specify the options for Lustre, such as async.", PARAM, ""), + ('mds_sec', "Specify the secure flavor for connection from this client to mds.", PARAM, ""), + ('oss_sec', "Specify the secure flavor for connection from this client to ost.", PARAM, ""), # lov ('lov', "Specify LOV name.", PARAM,""), @@ -437,7 +449,8 @@ class GenConfig: def osd(self, name, uuid, fstype, osdtype, devname, format, ost_uuid, node_uuid, dev_size=0, journal_size=0, inode_size=0, nspath="", - mkfsoptions="", mountfsoptions="", backfstype="", backdevname=""): + mkfsoptions="", mountfsoptions="", backfstype="", backdevname="", + deny_sec=""): osd = self.newService("osd", name, uuid) osd.setAttribute('osdtype', osdtype) osd.appendChild(self.ref("target", ost_uuid)) @@ -463,6 +476,8 @@ class GenConfig: self.addElement(osd, "mkfsoptions", mkfsoptions) if mountfsoptions: self.addElement(osd, "mountfsoptions", mountfsoptions) + if deny_sec: + self.addElement(osd, "deny_sec", deny_sec) if nspath: self.addElement(osd, "nspath", nspath) return osd @@ -531,7 +546,8 @@ class GenConfig: def mdsdev(self, name, uuid, fstype, devname, format, node_uuid, mds_uuid, dev_size=0, journal_size=0, inode_size=256, nspath="", mkfsoptions="", mountfsoptions="", backfstype="", - backdevname="",lmv_uuid="", root_squash="", no_root_squash=""): + backdevname="",lmv_uuid="", root_squash="", no_root_squash="", + mds_sec="", oss_sec="", deny_sec=""): mdd = self.newService("mdsdev", name, uuid) self.addElement(mdd, "fstype", fstype) if backfstype: @@ -556,6 +572,12 @@ class GenConfig: self.addElement(mdd, "root_squash", root_squash) if no_root_squash: self.addElement(mdd, "no_root_squash", no_root_squash) + if mds_sec: + self.addElement(mdd, "mds_sec", mds_sec) + if oss_sec: + self.addElement(mdd, "oss_sec", oss_sec) + if deny_sec: + self.addElement(mdd, "deny_sec", deny_sec) mdd.appendChild(self.ref("node", node_uuid)) mdd.appendChild(self.ref("target", mds_uuid)) @@ -576,12 +598,17 @@ class GenConfig: mgmt.appendChild(self.ref("active", mgmt_uuid)) return mgmt - def mountpoint(self, name, uuid, fs_uuid, path, clientoptions): + def mountpoint(self, name, uuid, fs_uuid, path, clientoptions, + mds_sec, oss_sec): mtpt = self.newService("mountpoint", name, uuid) mtpt.appendChild(self.ref("filesystem", fs_uuid)) self.addElement(mtpt, "path", path) if clientoptions: self.addElement(mtpt, "clientoptions", clientoptions) + if mds_sec: + self.addElement(mtpt, "mds_sec", mds_sec) + if oss_sec: + self.addElement(mtpt, "oss_sec", oss_sec) return mtpt def filesystem(self, name, uuid, mds_uuid, obd_uuid, mgmt_uuid): @@ -998,6 +1025,9 @@ def add_mds(gen, lustre, options): mountfsoptions = get_option(options, 'mountfsoptions') root_squash = get_option(options, 'root_squash') no_root_squash = get_option(options, 'no_root_squash') + mds_sec = get_option(options, 'mds_mds_sec') + oss_sec = get_option(options, 'mds_oss_sec') + deny_sec = get_option(options, 'mds_deny_sec') node_uuid = name2uuid(lustre, node_name, 'node') @@ -1014,7 +1044,7 @@ def add_mds(gen, lustre, options): get_format_flag(options), node_uuid, mds_uuid, size, journal_size, inode_size, nspath, mkfsoptions, mountfsoptions, backfstype, backdevname,lmv_uuid, - root_squash, no_root_squash) + root_squash, no_root_squash, mds_sec, oss_sec, deny_sec) lustre.appendChild(mdd) @@ -1052,6 +1082,7 @@ def add_ost(gen, lustre, options): inode_size = '' mkfsoptions = '' mountfsoptions = '' + deny_sec = '' else: devname = get_option(options, 'dev') # can be unset for bluearcs backdevname = get_option(options, 'backdev') @@ -1062,6 +1093,7 @@ def add_ost(gen, lustre, options): inode_size = get_option(options, 'inode_size') mkfsoptions = get_option(options, 'mkfsoptions') mountfsoptions = get_option(options, 'mountfsoptions') + deny_sec = get_option(options, 'ost_deny_sec') nspath = get_option(options, 'nspath') @@ -1099,7 +1131,7 @@ def add_ost(gen, lustre, options): osd = gen.osd(osdname, osd_uuid, fstype, osdtype, devname, get_format_flag(options), ost_uuid, node_uuid, size, journal_size, inode_size, nspath, mkfsoptions, - mountfsoptions, backfstype, backdevname) + mountfsoptions, backfstype, backdevname, deny_sec) node = findByName(lustre, node_name, "node") @@ -1458,6 +1490,8 @@ def add_mtpt(gen, lustre, options): path = get_option(options, 'path') clientoptions = get_option(options, "clientoptions") + mds_sec = get_option(options, "mds_sec") + oss_sec = get_option(options, "oss_sec") fs_name = get_option(options, 'filesystem') lov_name = get_option(options, 'lov') @@ -1494,7 +1528,7 @@ def add_mtpt(gen, lustre, options): error("MOUNTPOINT: ", name, " already exists.") uuid = new_uuid(name) - mtpt = gen.mountpoint(name, uuid, fs_uuid, path, clientoptions) + mtpt = gen.mountpoint(name, uuid, fs_uuid, path, clientoptions, mds_sec, oss_sec) node = findByName(lustre, node_name, "node") if not node: error('node:', node_name, "not found.") diff --git a/lustre/utils/lustre_cfg.c b/lustre/utils/lustre_cfg.c index 3d90d40..e0bc881 100644 --- a/lustre/utils/lustre_cfg.c +++ b/lustre/utils/lustre_cfg.c @@ -728,12 +728,16 @@ int jt_lcfg_set_security(int argc, char **argv) lustre_cfg_bufs_reset(&bufs, lcfg_devname); /* currently only used to set on mds */ - if (strcmp(argv[1], "mds_mds_sec") && strcmp(argv[1], "mds_ost_sec")) { + if (strcmp(argv[1], "mds_sec") && + strcmp(argv[1], "oss_sec") && + strcmp(argv[1], "deny_sec")) { fprintf(stderr, "%s: invalid security key %s\n", jt_cmdname(argv[0]), argv[1]); return -EINVAL; } - if (strcmp(argv[2], "null") && strcmp(argv[2], "krb5")) { + if (strcmp(argv[2], "null") && + strcmp(argv[2], "krb5i") && + strcmp(argv[2], "krb5p")) { fprintf(stderr, "%s: invalid security value %s\n", jt_cmdname(argv[0]), argv[2]); return -EINVAL;