From: Andreas Dilger Date: Wed, 23 Nov 2016 20:13:11 +0000 (-0700) Subject: LU-8813 gss: limit the number of error messages in logs X-Git-Tag: 2.9.55~61 X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=commitdiff_plain;h=4ed67efd13cddd7ec41d29e853601ce862aaae9e LU-8813 gss: limit the number of error messages in logs Acrually LGSS_MECH_SK processing if SSK is not enabled, rather than just printing an error message. Distinguish between SSK being disabled or not included in the service at all. Rate limit the number of error messages submitted to the logs. Test-Parameters: trivial testlist=sanity-sec Signed-off-by: Andreas Dilger Change-Id: I0190c46b94ecf668ef629c5b864c43658f3560f3 Reviewed-on: https://review.whamcloud.com/25584 Tested-by: Jenkins Tested-by: Maloo Reviewed-by: Chris Hanna Reviewed-by: Bob Glossman Reviewed-by: Oleg Drokin
---
diff --git a/lustre/utils/gss/svcgssd_proc.c b/lustre/utils/gss/svcgssd_proc.c
index c740236..b43978a 100644
--- a/lustre/utils/gss/svcgssd_proc.c
+++ b/lustre/utils/gss/svcgssd_proc.c
@@ -229,17 +229,17 @@ get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred,
 else cred->cr_mapped_uid = -1;
- realm = strchr(sname, '@');
+ realm = strchr(sname, '@');
 if (realm) {
- *realm++ = '\0';
+ *realm++ = '\0';
 } else {
 printerr(0, "ERROR: %s has no realm name\n", sname);
 goto out_free;
 }
- host = strchr(sname, '/');
- if (host)
- *host++ = '\0';
+ host = strchr(sname, '/');
+ if (host)
+ *host++ = '\0';
 if (strcmp(sname, GSSD_SERVICE_MGS) == 0) {
 printerr(0, "forbid %s as a user name\n", sname);
@@ -345,8 +345,8 @@ out_free:
 printerr(1, "%s: authenticated %s%s%s@%s from %016llx\n", lustre_svc_name[lustre_svc], sname, host ? "/" : "", host ? host : "", realm, nid);
- free(sname);
- return res;
+ free(sname);
+ return res;
 }
 typedef struct gss_union_ctx_id_t {
@@ -743,32 +743,49 @@ int handle_channel_request(FILE *f)
 switch (lustre_mech) {
 case LGSS_MECH_KRB5:
 if (!krb_enabled) {
- printerr(1, "WARNING: Request for kerberos but service "
- "support not enabled\n");
+ static time_t next_krb;
+
+ if (time(NULL) > next_krb) {
+ printerr(1, "warning: Request for kerberos but "
+ "service support not enabled\n");
+ next_krb = time(NULL) + 3600;
+ }
 goto ignore;
 }
 snd.mech = &krb5oid;
 break;
 case LGSS_MECH_NULL:
 if (!null_enabled) {
- printerr(1, "WARNING: Request for gssnull but service "
- "support not enabled\n");
+ static time_t next_null;
+
+ if (time(NULL) > next_null) {
+ printerr(1, "warning: Request for gssnull but "
+ "service support not enabled\n");
+ next_null = time(NULL) + 3600;
+ }
 goto ignore;
 }
 snd.mech = &nulloid;
 break;
 case LGSS_MECH_SK:
-#ifdef HAVE_OPENSSL_SSK
 if (!sk_enabled) {
- printerr(1, "WARNING: Request for sk but service "
- "support not enabled\n");
+ static time_t next_ssk;
+
+ if (time(NULL) > next_ssk) {
+ printerr(1, "warning: Request for SSK but "
+ "service support not %s\n",
+#ifdef HAVE_OPENSSL_SSK
+ "enabled"
+#else
+ "included"
+#endif
+ );
+ next_ssk = time(NULL) + 3600;
+ }
+ goto ignore;
 }
 snd.mech = &skoid;
-#else
- printerr(1, "ERROR: Request for sk but service "
- "support not enabled\n");
-#endif
 break;
 default:
 printerr(0, "WARNING: invalid mechanism recevied: %d\n",
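Review bot: The hourly throttle in the three `if (!*_enabled)` branches discards repeats without counting them, so the log can no longer tell one stray request for a disabled mechanism from a sustained stream of them, which is the signal an operator needs to separate a one-off misconfiguration from a client that keeps retrying. A per-mechanism counter of suppressed requests, printed when the window reopens, keeps that signal at the same log volume, and since the three blocks differ only in the mechanism name a single helper can hold the logic and read the clock once instead of calling `time(NULL)` twice. `time()` is wall-clock, so a backward clock step extends the quiet period; whether that matters depends on how the daemon's host keeps time. Separately, `sk_enabled` and `skoid` are now referenced outside `#ifdef HAVE_OPENSSL_SSK` and their declarations are not visible here, so a build without SSK should be checked. The body of handle_channel_request starts and ends outside the hunk.

```c
/* Returns nonzero when a warning may be logged now; otherwise counts the drop. */
static int gss_warn_allowed(time_t *next, unsigned int *dropped)
{
	time_t now = time(NULL);

	if (now <= *next) {
		(*dropped)++;
		return 0;
	}
	*next = now + 3600;
	return 1;
}

	case LGSS_MECH_KRB5:
		if (!krb_enabled) {
			static time_t next_krb;
			static unsigned int dropped_krb;

			if (gss_warn_allowed(&next_krb, &dropped_krb)) {
				printerr(1, "warning: Request for kerberos but "
					 "service support not enabled "
					 "(%u similar requests suppressed)\n",
					 dropped_krb);
				dropped_krb = 0;
			}
			goto ignore;
		}
		/* … unchanged: snd.mech assignment and break … */
	/* … LGSS_MECH_NULL and LGSS_MECH_SK follow the same pattern with their own statics … */
```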