author | Shreyas Siravara <sshreyas@fb.com> | 2016-05-24 10:51:23 -0700 |
---|---|---|
committer | Shreyas Siravara <sshreyas@fb.com> | 2017-09-03 04:17:20 +0000 |
commit | c547fc214dfe280374f23f8063a1bf0b794f4977 (patch) | |
tree | 3f0146cf80f038a44242457947e939e07e6d6985 /xlators | |
parent | 6d992b8bcb4e902a34f3618d2dfe80b1b5543112 (diff) |
nfs: Check if FQDN is authorized before unmounting clients
Summary:
- We have a thread that checks if connected clients are "still" authorized for a mount.
- This thread is currently only checking the IP (regression from the 3.4 -> 3.6 rebase, perhaps).
- This diff adds code to check the IP *and* the FQDN before unmounting the client.
Test Plan: Tested on devserver, auth prove tests.
Reviewers: rwareing, kvigor
Reviewed By: kvigor
Change-Id: I441a4436d8df064d2f09a2539acb780ab53943f6
Reviewed-on: https://review.gluster.org/18193
Reviewed-by: Shreyas Siravara <sshreyas@fb.com>
CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
Smoke: Gluster Build System <jenkins@build.gluster.org>
Diffstat (limited to 'xlators')
-rw-r--r-- | xlators/nfs/server/src/mount3.c | 46 |
1 files changed, 39 insertions, 7 deletions
diff --git a/xlators/nfs/server/src/mount3.c b/xlators/nfs/server/src/mount3.c index 1cc0b07a9a6..67c9211b915 100644 --- a/xlators/nfs/server/src/mount3.c +++ b/xlators/nfs/server/src/mount3.c @@ -3728,9 +3728,11 @@ __mnt3_mounted_exports_walk (dict_t *dict, char *key, data_t *val, void *tmp) { char *path = NULL; char *host_addr_ip = NULL; + char *host_addr_fqdn = NULL; char *keydup = NULL; char *colon = NULL; struct mnt3_auth_params *auth_params = NULL; + int ret = 0; int auth_status_code = 0; gf_msg_trace (GF_MNT, 0, "Checking if key %s is authorized.", key); 
@@ -3756,14 +3758,44 @@ __mnt3_mounted_exports_walk (dict_t *dict, char *key, data_t *val, void *tmp) /* Host is one character after ':' */ host_addr_ip = colon + 1; - auth_status_code = mnt3_auth_host (auth_params, host_addr_ip, NULL, - path, _gf_false, NULL); - if (auth_status_code != 0) { - gf_msg (GF_MNT, GF_LOG_ERROR, 0, NFS_MSG_AUTH_ERROR, - "%s is no longer authorized for %s", - host_addr_ip, path); - mnt3svc_umount (auth_params->ms, path, host_addr_ip); + + /* Check if the IP is authorized */ + auth_status_code = mnt3_auth_host (auth_params, host_addr_ip, + NULL, path, FALSE, NULL); + if (auth_status_code == 0) { + goto out; } + + ret = gf_get_hostname_from_ip (host_addr_ip, &host_addr_fqdn); + if (ret != 0) { + gf_msg (GF_MNT, GF_LOG_DEBUG, 0, NFS_MSG_AUTH_ERROR , + "Authorization failed for IP [%s], but name " + "resolution also failed!", host_addr_ip); + goto unmount; + } + + /* If not, check if the FQDN is authorized */ + gf_msg (GF_MNT, GF_LOG_DEBUG, 0, NFS_MSG_AUTH_ERROR, + "Authorization failed for IP [%s], attempting to" + " auth hostname [%s]...", host_addr_ip, host_addr_fqdn); + + auth_status_code = mnt3_auth_host (auth_params, host_addr_fqdn, + NULL, path, FALSE, NULL); + if (auth_status_code == 0) { + gf_msg (GF_MNT, GF_LOG_DEBUG, 0, NFS_MSG_AUTH_ERROR, + "Authorization succeeded for " + "Client [IP=%s, Hostname=%s].", + host_addr_ip, host_addr_fqdn); + goto out; + } + +unmount: + gf_msg (GF_MNT, GF_LOG_ERROR, 0, NFS_MSG_AUTH_ERROR, + "Client [IP=%s, Hostname=%s] not authorized for this mount. " + "Unmounting!", host_addr_ip, host_addr_fqdn); + mnt3svc_umount (auth_params->ms, path, host_addr_ip); +out: + GF_FREE (host_addr_fqdn); return 0; } |
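Review bot: At the `unmount:` label the final `gf_msg` passes `host_addr_fqdn` to a `%s` conversion, but the `goto unmount` taken when `gf_get_hostname_from_ip` fails reaches it with the pointer presumably still NULL (the first hunk initialises it to NULL, and nothing visible sets it on failure), which is undefined behaviour for `%s`. Passing `host_addr_fqdn ? host_addr_fqdn : "(unresolved)"` in that call avoids it. Separately, the name given to the second `mnt3_auth_host` call comes from a reverse lookup of the client IP, so the decision to keep a client mounted depends on whoever controls that PTR record. If `gf_get_hostname_from_ip` does not forward-confirm the name (its body is not shown here), a forward-resolution check before accepting the FQDN, or at least a comment such as `/* FQDN is from reverse DNS; only as trustworthy as the resolver */`, would be worth adding. The opening lines of `__mnt3_mounted_exports_walk` are outside this hunk.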