authorXie Changlong <xiechanglong@cmss.chinamobile.com>2018-12-03 19:02:32 +0800
committerAmar Tumballi <amarts@redhat.com>2018-12-05 21:45:49 +0000
commitad446dabb88439ba83e2092021b09894351e8e71 (patch)
treee6c9185465db7ea058d1f3fbc46fd16624edd81f /xlators/protocol
parent7f7716f8194e06754d0417f27bcc40638c9f9f83 (diff)
protocol/server: support server.all-squash
We still use gnfs on our side, so do a little work to support server.all-squash. Just like server.root-squash, it's also a volume wide option. Also see bz#1285126 $ gluster volume set <VOLNAME> server.all-squash on Note: If you enable server.root-squash and server.all-squash at the same time, only server.all-squash works. Please refer to following table +---------------+-----------------+---------------------------+ | |all_squash | no_all_squash | +-------------------------------------------------------------+ | | |anonuid/anongid for root | |root_squash |anonuid/anongid |useruid/usergid for no-root| +-------------------------------------------------------------+ |no_root_squash |anonuid/anongid |useruid/usergid | +-------------------------------------------------------------+ Updates bz#1285126 Signed-off-by: Xie Changlong <xiechanglong@cmss.chinamobile.com> Signed-off-by: Xue Chuanyu <xuechuanyu@cmss.chinamobile.com> Change-Id: Iea043318fe6e9a75fa92b396737985062a26b47e
Diffstat (limited to 'xlators/protocol')
-rw-r--r--xlators/protocol/server/src/server-helpers.c41
-rw-r--r--xlators/protocol/server/src/server.c13
2 files changed, 35 insertions, 19 deletions
diff --git a/xlators/protocol/server/src/server-helpers.c b/xlators/protocol/server/src/server-helpers.c
index 18dc7cb169d..b1c80b62d53 100644
--- a/xlators/protocol/server/src/server-helpers.c
+++ b/xlators/protocol/server/src/server-helpers.c
@@ -501,44 +501,51 @@ get_frame_from_request(rpcsvc_request_t *req)
would not have been set. So for non trusted clients
(i.e clients not from the same machine as the brick,
and clients from outside the storage pool)
- do the root-squashing.
+ do the root-squashing and all-squashing.
TODO: If any client within the storage pool (i.e
mounting within a machine from the pool but using
other machine's ip/hostname from the same pool)
is present treat it as a trusted client
*/
- if (!client->auth.username && req->pid != NFS_PID)
+ if (!client->auth.username && req->pid != NFS_PID) {
RPC_AUTH_ROOT_SQUASH(req);
+ RPC_AUTH_ALL_SQUASH(req);
+ }
/* Problem: If we just check whether the client is
- trusted client and do not do root squashing for
- them, then for smb clients and UFO clients root
- squashing will never happen as they use the fuse
- mounts done within the trusted pool (i.e they are
- trusted clients).
- Solution: To fix it, do root squashing for trusted
- clients also. If one wants to have a client within
- the storage pool for which root-squashing does not
- happen, then the client has to be mounted with
+ trusted client and do not do root squashing and
+ all squashing for them, then for smb clients and
+ UFO clients root squashing and all squashing will
+ never happen as they use the fuse mounts done within
+ the trusted pool (i.e they are trusted clients).
+ Solution: To fix it, do root squashing and all squashing
+ for trusted clients also. If one wants to have a client
+ within the storage pool for which root-squashing does
+ not happen, then the client has to be mounted with
--no-root-squash option. But for defrag client and
- gsyncd client do not do root-squashing.
+ gsyncd client do not do root-squashing and all-squashing.
*/
if (client->auth.username &&
req->pid != GF_CLIENT_PID_NO_ROOT_SQUASH &&
req->pid != GF_CLIENT_PID_GSYNCD &&
req->pid != GF_CLIENT_PID_DEFRAG &&
req->pid != GF_CLIENT_PID_SELF_HEALD &&
- req->pid != GF_CLIENT_PID_QUOTA_MOUNT)
+ req->pid != GF_CLIENT_PID_QUOTA_MOUNT) {
RPC_AUTH_ROOT_SQUASH(req);
+ RPC_AUTH_ALL_SQUASH(req);
+ }
/* For nfs clients the server processes will be running
within the trusted storage pool machines. So if we
- do not do root-squashing for nfs servers, thinking
- that its a trusted client, then root-squashing won't
- work for nfs clients.
+ do not do root-squashing and all-squashing for nfs
+ servers, thinking that its a trusted client, then
+ root-squashing and all-squashing won't work for nfs
+ clients.
*/
- if (req->pid == NFS_PID)
+ if (req->pid == NFS_PID) {
RPC_AUTH_ROOT_SQUASH(req);
+ RPC_AUTH_ALL_SQUASH(req);
+ }
}
}
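Review bot: In the trusted-client branch (`client->auth.username && req->pid != GF_CLIENT_PID_NO_ROOT_SQUASH && ...`), `RPC_AUTH_ALL_SQUASH(req)` now sits behind the same pid exemption list as root-squash, so a client mounted with --no-root-squash skips all-squash too, as do the gsyncd, defrag, self-heal and quota mounts. The updated comment still says only that --no-root-squash turns off root-squashing, while an administrator enabling server.all-squash would likely expect every uid/gid to be mapped. The comment should state the exemption, e.g. `A client mounted with --no-root-squash is also exempt from all-squashing.`, or, if that is not intended, all-squash needs its own condition that leaves out `GF_CLIENT_PID_NO_ROOT_SQUASH`. The two macros are defined outside this diff, so the "only all-squash works when both are on" rule from the commit message cannot be checked from these lines; get_frame_from_request also starts outside the hunk.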
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 737e8e0907c..a8908166c76 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -1748,13 +1748,22 @@ struct volume_options server_options[] = {
"as user bin or group staff.",
.op_version = {2},
.flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC},
+ {.key = {"all-squash"},
+ .type = GF_OPTION_TYPE_BOOL,
+ .default_value = "off",
+ .description = "Map requests from any uid/gid to the anonymous "
+ "uid/gid. Note that this does not apply to any other "
+ "uids or gids that might be equally sensitive, such "
+ "as user bin or group staff.",
+ .op_version = {GD_OP_VERSION_6_0},
+ .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC},
{.key = {"anonuid"},
.type = GF_OPTION_TYPE_INT,
.default_value = "65534", /* RPC_NOBODY_UID */
.min = 0,
.max = (uint32_t)-1,
.description = "value of the uid used for the anonymous "
- "user/nfsnobody when root-squash is enabled.",
+ "user/nfsnobody when root-squash/all-squash is enabled.",
.op_version = {3},
.flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC},
{.key = {"anongid"},
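Review bot: The new `all-squash` description carries over the root-squash caveat "Note that this does not apply to any other uids or gids that might be equally sensitive, such as user bin or group staff", which contradicts its own first sentence, since all-squash is meant to map every uid/gid, bin and staff included. The entry is flagged `OPT_FLAG_DOC`, so this is presumably the text administrators read when deciding whether the option gives them the isolation they want. I would replace it with something like `.description = "Map requests from any uid/gid to the anonymous uid/gid (anonuid/anongid). Takes precedence over root-squash when both are enabled.",`. The precedence wording follows the commit message. The pid-based exemptions in server-helpers.c may be worth a mention here as well.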
@@ -1763,7 +1772,7 @@ struct volume_options server_options[] = {
.min = 0,
.max = (uint32_t)-1,
.description = "value of the gid used for the anonymous "
- "user/nfsnobody when root-squash is enabled.",
+ "user/nfsnobody when root-squash/all-squash is enabled.",
.op_version = {3},
.flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC},
{.key = {"statedump-path"},