sanity check for user authenticate.
authorfanyong <fanyong>
Fri, 3 Nov 2006 07:35:51 +0000 (07:35 +0000)
committerfanyong <fanyong>
Fri, 3 Nov 2006 07:35:51 +0000 (07:35 +0000)
lustre/mdt/mdt_handler.c
lustre/mdt/mdt_idmap.c
lustre/mdt/mdt_internal.h
lustre/mdt/mdt_lib.c
lustre/mdt/mdt_xattr.c

index 80c6a8a..0e7ac25 100644 (file)
@@ -290,6 +290,10 @@ static int mdt_getstatus(struct mdt_thread_info *info)
 
         ENTRY;
 
+        rc = mdt_check_ucred(info);
+        if (rc)
+                RETURN(err_serious(rc));
+
         if (MDT_FAIL_CHECK(OBD_FAIL_MDS_GETSTATUS_PACK))
                 RETURN(err_serious(-ENOMEM));
 
@@ -334,6 +338,9 @@ static int mdt_statfs(struct mdt_thread_info *info)
         OBD_FAIL_TIMEOUT(OBD_FAIL_MDS_STATFS_LCW_SLEEP,
                          (MDT_SERVICE_WATCHDOG_TIMEOUT / 1000) + 1);
 
+        rc = mdt_check_ucred(info);
+        if (rc)
+                RETURN(err_serious(rc));
 
         if (MDT_FAIL_CHECK(OBD_FAIL_MDS_STATFS_PACK)) {
                 rc = err_serious(-ENOMEM);
@@ -629,11 +636,12 @@ static int mdt_getattr(struct mdt_thread_info *info)
         repbody->eadatasize = 0;
         repbody->aclsize = 0;
 
-        if (reqbody->valid & OBD_MD_FLRMTPERM) {
+        if (reqbody->valid & OBD_MD_FLRMTPERM)
                 rc = mdt_init_ucred(info, reqbody);
-                if (rc)
-                        GOTO(out, rc);
-        }
+        else
+                rc = mdt_check_ucred(info);
+        if (rc)
+                GOTO(out, rc);
 
         /* don't check capability at all, because rename might
          * getattr for remote obj, and at that time no capability
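Review bot: A credential failure in mdt_getattr still leaves through `GOTO(out, rc)` with the plain error, while every other handler touched by this commit (mdt_getstatus, mdt_statfs, mdt_readpage, mdt_getxattr, mdt_setxattr) returns `err_serious(rc)` for the same condition. If the `out` label does not already account for this, the denial may be reported to the client differently here than elsewhere, so either wrap it as `GOTO(out, rc = err_serious(rc));` or add a comment saying why getattr is the exception. The two branches also do different work (mdt_init_ucred fills in the ucred, mdt_check_ucred only validates), which deserves a one-line comment such as `/* no remote-perm request: only validate the claimed identity */`. The function body starts and ends outside this hunk, so the handling at `out` is not visible.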
@@ -1195,6 +1203,10 @@ static int mdt_readpage(struct mdt_thread_info *info)
         if (reqbody == NULL || repbody == NULL)
                 RETURN(err_serious(-EFAULT));
 
+        rc = mdt_check_ucred(info);
+        if (rc)
+                RETURN(err_serious(rc));
+
         /*
          * prepare @rdpg before calling lower layers and transfer itself. Here
          * reqbody->size contains offset of where to start to read and
index c5f346e..bd1deb0 100644 (file)
@@ -225,8 +225,10 @@ void mdt_cleanup_idmap(struct mdt_export_data *med)
 
 static inline void mdt_revoke_export_locks(struct obd_export *exp)
 {
+#if 0
         if (!exp->exp_mdt_data.med_rmtclient)
                 return;
+#endif
 
         /* don't revoke locks during recovery */
         if (exp->exp_obd->obd_recovering)
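Review bot: The `#if 0` around the `med_rmtclient` guard in mdt_revoke_export_locks leaves disabled code behind with no explanation. It also changes behaviour: locks are now revoked for every export rather than only for remote clients, which the commit title does not mention. Either delete the two guarded lines or keep them with a comment giving the reason, for example `/* revoke for all exports, not only remote clients: <reason> */`. The rest of the function lies outside the hunk, so any later remote-client check is not visible here.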
index 58df070..79336ec 100644 (file)
@@ -550,6 +550,8 @@ const struct lu_buf *mdt_buf_const(const struct lu_env *env,
 
 void mdt_dump_lmm(int level, const struct lov_mds_md *lmm);
 
+int mdt_check_ucred(struct mdt_thread_info *);
+
 int mdt_init_ucred(struct mdt_thread_info *, struct mdt_body *);
 
 int mdt_init_ucred_reint(struct mdt_thread_info *);
index 2ec8416..39b5d75 100644 (file)
@@ -354,8 +354,7 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
 
         identity = mdt_identity_get(mdt->mdt_identity_cache, pud->pud_uid);
         if (!identity) {
-                CERROR("Deny access without identity: uid %d\n",
-                       ucred->mu_fsuid);
+                CERROR("Deny access without identity: uid %d\n", pud->pud_uid);
                 RETURN(-EACCES);
         }
 
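Review bot: The corrected message prints `pud->pud_uid` with `%d`, while the mismatch messages added in mdt_check_ucred print the same field with `%u`. The field's type is not visible here, but if it is unsigned, as the other format strings suggest, a large uid would be logged as a negative number. Use `CERROR("Deny access without identity: uid %u\n", pud->pud_uid);` here and in the identical message at the end of mdt_check_ucred in the next hunk.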
@@ -431,6 +430,74 @@ out:
         RETURN(rc);
 }
 
+int mdt_check_ucred(struct mdt_thread_info *info)
+{
+        struct ptlrpc_request   *req = mdt_info_req(info);
+        struct mdt_export_data  *med = mdt_req2med(req);
+        struct mdt_device       *mdt = info->mti_mdt;
+        struct ptlrpc_user_desc *pud = req->rq_user_desc;
+        struct md_ucred         *ucred = mdt_ucred(info);
+        struct mdt_identity     *identity;
+        lnet_nid_t              peernid = req->rq_peer.nid;
+
+        ENTRY;
+
+        if ((ucred->mu_valid == UCRED_OLD) || (ucred->mu_valid == UCRED_NEW))
+                RETURN(0);
+
+        /* !rq_user_desc means null security, maybe inter-mds ops */
+        if (!req->rq_user_desc)
+                RETURN(0);
+
+        if (req->rq_auth_gss && req->rq_auth_uid == INVALID_UID) {
+                CWARN("user not authenticated, deny access!\n");
+                RETURN(-EACCES);
+        }
+
+        /* sanity check: if we use strong authentication, we expect the
+         * uid which client claimed is true */
+        if (req->rq_auth_gss) {
+                if (med->med_rmtclient) {
+                        if (ptlrpc_user_desc_do_idmap(req, pud))
+                                RETURN(-EACCES);
+
+                        if (req->rq_auth_mapped_uid != pud->pud_uid) {
+                                CERROR("remote client "LPU64": auth uid %u "
+                                       "while client claim %u:%u/%u:%u\n",
+                                       peernid, req->rq_auth_uid, pud->pud_uid,
+                                       pud->pud_gid, pud->pud_fsuid,
+                                       pud->pud_fsgid);
+                                RETURN(-EACCES);
+                        }
+                } else {
+                        if (req->rq_auth_uid != pud->pud_uid) {
+                                CERROR("local client "LPU64": auth uid %u "
+                                       "while client claim %u:%u/%u:%u\n",
+                                       peernid, req->rq_auth_uid, pud->pud_uid,
+                                       pud->pud_gid, pud->pud_fsuid,
+                                       pud->pud_fsgid);
+                                RETURN(-EACCES);
+                        }
+                }
+        }
+
+        if (is_identity_get_disabled(mdt->mdt_identity_cache) &&
+            med->med_rmtclient) {
+                CERROR("remote client must run with identity_get enabled!\n");
+                RETURN(-EACCES);
+        }
+
+        identity = mdt_identity_get(mdt->mdt_identity_cache, pud->pud_uid);
+        if (!identity) {
+                CERROR("Deny access without identity: uid %d\n", pud->pud_uid);
+                RETURN(-EACCES);
+        }
+
+        mdt_identity_put(mdt->mdt_identity_cache, identity);
+
+        RETURN(0);
+}
+
 int mdt_init_ucred(struct mdt_thread_info *info, struct mdt_body *body)
 {
         struct ptlrpc_request *req = mdt_info_req(info);
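Review bot: In the remote-client branch of mdt_check_ucred the comparison uses `req->rq_auth_mapped_uid`, but the CERROR prints `req->rq_auth_uid`, so the denial log does not show the value that failed the check. Print both, e.g. `"remote client "LPU64": auth uid %u (mapped %u) "` with `req->rq_auth_uid, req->rq_auth_mapped_uid` as arguments, so a mismatch can be diagnosed from the log. The earlier `CWARN("user not authenticated, deny access!\n")` would also be more useful with `peernid` in it. Separately, when `is_identity_get_disabled()` is true and the client is local, control falls through to `mdt_identity_get()`. If that returns NULL with the cache disabled (not visible here), local clients would be denied, so consider returning 0 explicitly for that case or documenting that the lookup still succeeds.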
index 1e4ed09..4f414b7 100644 (file)
@@ -153,7 +153,7 @@ int mdt_getxattr(struct mdt_thread_info *info)
 
         rc = mdt_init_ucred(info, reqbody);
         if (rc)
-                RETURN(rc);
+                RETURN(err_serious(rc));
 
         easize = mdt_getxattr_pack_reply(info);
         if (easize < 0)
@@ -288,7 +288,7 @@ int mdt_setxattr(struct mdt_thread_info *info)
 
         rc = mdt_init_ucred(info, reqbody);
         if (rc)
-                RETURN(rc);
+                RETURN(err_serious(rc));
 
         rc = mdt_setxattr_pack_reply(info);
         if (rc < 0)