From b2557a95f7fd405c5ad4f876704bab6a52ecce70 Mon Sep 17 00:00:00 2001 From: fanyong Date: Sat, 30 Sep 2006 10:15:38 +0000 Subject: [PATCH] make getidentity upcall can be enable/disable by hand. --- lustre/mdd/mdd_handler.c | 3 ++- lustre/mdt/mdt_handler.c | 2 +- lustre/mdt/mdt_idmap.c | 5 +++++ lustre/mdt/mdt_internal.h | 5 +++++ lustre/mdt/mdt_lib.c | 40 ++++++++++++++++++++++++++++++---------- 5 files changed, 43 insertions(+), 12 deletions(-) diff --git a/lustre/mdd/mdd_handler.c b/lustre/mdd/mdd_handler.c index 7cf8db2..c181b25 100644 --- a/lustre/mdd/mdd_handler.c +++ b/lustre/mdd/mdd_handler.c @@ -328,7 +328,8 @@ static int mdd_in_group_p(struct md_ucred *uc, gid_t grp) if (grp != uc->mu_fsgid) { struct group_info *group_info = NULL; - if (uc->mu_ginfo || (uc->mu_valid == UCRED_OLD)) + if (uc->mu_ginfo || (uc->mu_valid == UCRED_OLD) || + (!uc->mu_ginfo && !uc->mu_identity)) if ((grp == uc->mu_suppgids[0]) || (grp == uc->mu_suppgids[1])) return 1; diff --git a/lustre/mdt/mdt_handler.c b/lustre/mdt/mdt_handler.c index 87ccd0b..76cde0d 100644 --- a/lustre/mdt/mdt_handler.c +++ b/lustre/mdt/mdt_handler.c @@ -3239,7 +3239,7 @@ static int mdt_init0(const struct lu_env *env, struct mdt_device *m, obd->obd_namespace = m->mdt_namespace; m->mdt_identity_cache = upcall_cache_init(obd->obd_name, - MDT_IDENTITY_UPCALL_PATH, + "NONE", &mdt_identity_upcall_cache_ops); if (IS_ERR(m->mdt_identity_cache)) { rc = PTR_ERR(m->mdt_identity_cache); diff --git a/lustre/mdt/mdt_idmap.c b/lustre/mdt/mdt_idmap.c index 8a7d8fe..808787c 100644 --- a/lustre/mdt/mdt_idmap.c +++ b/lustre/mdt/mdt_idmap.c @@ -412,6 +412,11 @@ int mdt_handle_idmap(struct mdt_thread_info *info) RETURN(-EACCES); } + if (is_identity_get_disabled(mdt->mdt_identity_cache)) { + CERROR("remote client must run with identity_get enabled!\n"); + RETURN(-EACCES); + } + identity = mdt_identity_get(mdt->mdt_identity_cache, req->rq_auth_mapped_uid); if (!identity) { 
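Review bot: In the new condition in mdd_in_group_p the term `!uc->mu_ginfo &&` is redundant, because the first disjunct is already true whenever mu_ginfo is set; `|| !uc->mu_identity` expresses the same test. This branch now decides group membership from `uc->mu_suppgids[0]` and `uc->mu_suppgids[1]` whenever no identity is attached, and those values appear to come from the request rather than from a server-side lookup. A comment should state that trust assumption, e.g. `/* no identity (upcall disabled): fall back to the two suppgids carried in the ucred */`. The unbraced nested `if` is also easy to misread now that the outer condition spans two lines. The function body continues outside the hunk.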
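Review bot: Replacing MDT_IDENTITY_UPCALL_PATH with the literal `"NONE"` in mdt_init0 makes the identity upcall disabled by default. Every MDT that is not reconfigured by hand therefore starts in the mode where old_init_ucred and new_init_ucred skip the "Deny access without identity" check. If that default is intended, it needs a comment at this call and a mention in the commit message; otherwise keep the path as the default and let the administrator opt out. The sentinel string is also duplicated in is_identity_get_disabled() in mdt_internal.h, so a single named constant shared by both places would stop the two from drifting apart.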
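Review bot: The new denial in mdt_handle_idmap logs `"remote client must run with identity_get enabled!"` without saying which client was refused, so an operator cannot trace the rejected request. The mapped uid is already at hand in this hunk, e.g. `CERROR("remote client uid %u denied: identity_get is disabled\n", req->rq_auth_mapped_uid);` (format specifier to be matched to the field's type, which is not visible here). The same message is repeated in the new_init_ucred hunk of mdt_lib.c and has the same gap. Because a remote peer can trigger this path on every request, the message may also need rate limiting.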
diff --git a/lustre/mdt/mdt_internal.h b/lustre/mdt/mdt_internal.h index ca6ff65..447019a 100644 --- a/lustre/mdt/mdt_internal.h +++ b/lustre/mdt/mdt_internal.h @@ -594,5 +594,10 @@ static inline struct lustre_capa_key *red_capa_key(struct mdt_device *mdt) return &mdt->mdt_capa_keys[1]; } +static inline int is_identity_get_disabled(struct upcall_cache *cache) +{ + return cache ? (strcmp(cache->uc_upcall, "NONE") == 0) : 1; +} + #endif /* __KERNEL__ */ #endif /* _MDT_H */ diff --git a/lustre/mdt/mdt_lib.c b/lustre/mdt/mdt_lib.c index b039b1f..95f3c1b 100644 --- a/lustre/mdt/mdt_lib.c +++ b/lustre/mdt/mdt_lib.c @@ -126,11 +126,15 @@ static int old_init_ucred(struct mdt_thread_info *info, uc->mu_valid = UCRED_INVALID; - /* get identity info of this user */ - identity = mdt_identity_get(mdt->mdt_identity_cache, body->fsuid); - if (!identity) { - CERROR("Deny access without identity: uid %d\n", body->fsuid); - RETURN(-EACCES); + if (!is_identity_get_disabled(mdt->mdt_identity_cache)) { + /* get identity info of this user */ + identity = mdt_identity_get(mdt->mdt_identity_cache, + body->fsuid); + if (!identity) { + CERROR("Deny access without identity: uid %d\n", + body->fsuid); + RETURN(-EACCES); + } } uc->mu_valid = UCRED_OLD; @@ -157,11 +161,15 @@ static int old_init_ucred_reint(struct mdt_thread_info *info) uc->mu_valid = UCRED_INVALID; - /* get identity info of this user */ - identity = mdt_identity_get(mdt->mdt_identity_cache, uc->mu_fsuid); - if (!identity) { - CERROR("Deny access without identity: uid %d\n", uc->mu_fsuid); - RETURN(-EACCES); + if (!is_identity_get_disabled(mdt->mdt_identity_cache)) { + /* get identity info of this user */ + identity = mdt_identity_get(mdt->mdt_identity_cache, + uc->mu_fsuid); + if (!identity) { + CERROR("Deny access without identity: uid %d\n", + uc->mu_fsuid); + RETURN(-EACCES); + } } uc->mu_valid = UCRED_OLD; 
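Review bot: is_identity_get_disabled() reads `cache->uc_upcall` with no locking visible in this hunk, while the commit's stated purpose is to let the upcall be switched by hand at runtime; if the writer updates that buffer in place, this strcmp can observe a half-written string and classify a request either way. Take whatever lock protects uc_upcall (not shown here) or document why the unlocked read is safe. The helper also lacks a comment; something like `/* Non-zero when the identity upcall is "NONE" or no cache exists; callers then skip the server-side identity lookup. */` would make the security consequence visible at the definition. mdt_init0 tests the cache with IS_ERR, so the NULL test here would not catch an error pointer if one ever reached it. The parameter can be `const struct upcall_cache *cache`.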
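Review bot: In old_init_ucred the lookup is now conditional, so `identity` is never assigned when the upcall is disabled, and its declaration lies outside the hunk. Unless it is initialised to NULL where it is declared, the code after the hunk would store or release an indeterminate pointer, and the new `!uc->mu_identity` test in mdd_in_group_p would not behave as intended. Please confirm the initialiser or add `= NULL` to the declaration. The identical change in old_init_ucred_reint in the next hunk has the same requirement. Both branches should also carry a comment such as `/* upcall disabled: fsuid and groups from the request are used without server-side verification */`.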
@@ -326,6 +334,17 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type, } } + if (is_identity_get_disabled(mdt->mdt_identity_cache)) { + if (med->med_rmtclient) { + CERROR("remote client must run with identity_get " + "enabled!\n"); + RETURN(-EACCES); + } else { + setxid_perm |= LUSTRE_SETGRP_PERM; + goto check_squash; + } + } + identity = mdt_identity_get(mdt->mdt_identity_cache, pud->pud_uid); if (!identity) { CERROR("Deny access without identity: uid %d\n", @@ -358,6 +377,7 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type, GOTO(out, rc = -EACCES); } +check_squash: /* FIXME: The exact behavior of root_squash is not defined. */ root_squashed = mdt_squash_root(mdt, ucred, pud, peernid); if (!root_squashed) { -- 1.8.3.1
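Review bot: The `goto check_squash` in the disabled branch of new_init_ucred jumps over everything between the identity lookup and the new label, and the context of the second hunk shows that the skipped region contains at least one `GOTO(out, rc = -EACCES)` denial. Any check in that region that does not depend on `identity` is now bypassed for local clients. The code in between is not in the hunk, so please confirm that only identity-dependent checks are skipped and that `identity` is NULL when control reaches the label. It is also unclear what `setxid_perm |= LUSTRE_SETGRP_PERM` achieves if the code that consumes setxid_perm is the part being jumped over. A comment stating the intended permissions in this mode is needed, and the `else` after `RETURN(-EACCES)` can be dropped.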