author | Xie Changlong <xiechanglong@cmss.chinamobile.com> | 2018-12-03 19:02:32 +0800 |
---|---|---|
committer | Amar Tumballi <amarts@redhat.com> | 2018-12-05 21:45:49 +0000 |
commit | ad446dabb88439ba83e2092021b09894351e8e71 (patch) | |
tree | e6c9185465db7ea058d1f3fbc46fd16624edd81f /xlators | |
parent | 7f7716f8194e06754d0417f27bcc40638c9f9f83 (diff) |
protocol/server: support server.all-squash
We still use gnfs on our side, so do a little work to support
server.all-squash. Just like server.root-squash, it's also a
volume wide option. Also see bz#1285126
$ gluster volume set <VOLNAME> server.all-squash on
Note: If you enable server.root-squash and server.all-squash
at the same time, only server.all-squash takes effect. Please
refer to the following table:
+---------------+-----------------+---------------------------+
| |all_squash | no_all_squash |
+-------------------------------------------------------------+
| | |anonuid/anongid for root |
|root_squash |anonuid/anongid |useruid/usergid for no-root|
+-------------------------------------------------------------+
|no_root_squash |anonuid/anongid |useruid/usergid |
+-------------------------------------------------------------+
Updates bz#1285126
Signed-off-by: Xie Changlong <xiechanglong@cmss.chinamobile.com>
Signed-off-by: Xue Chuanyu <xuechuanyu@cmss.chinamobile.com>
Change-Id: Iea043318fe6e9a75fa92b396737985062a26b47e
Diffstat (limited to 'xlators')
-rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volume-set.c | 4 | ||||
-rw-r--r-- | xlators/protocol/server/src/server-helpers.c | 41 | ||||
-rw-r--r-- | xlators/protocol/server/src/server.c | 13 |
3 files changed, 39 insertions, 19 deletions
diff --git a/xlators/mgmt/glusterd/src/glusterd-volume-set.c b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
index 53b7d98a386..70ee244d51b 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volume-set.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
@@ -1502,6 +1502,10 @@ struct volopt_map_entry glusterd_volopt_map[] = {
 .voltype = "protocol/server",
 .option = "root-squash",
 .op_version = 2},
+ {.key = "server.all-squash",
+ .voltype = "protocol/server",
+ .option = "all-squash",
+ .op_version = GD_OP_VERSION_6_0},
 {.key = "server.anonuid",
 .voltype = "protocol/server",
 .option = "anonuid",
diff --git a/xlators/protocol/server/src/server-helpers.c b/xlators/protocol/server/src/server-helpers.c
index 18dc7cb169d..b1c80b62d53 100644
--- a/xlators/protocol/server/src/server-helpers.c
+++ b/xlators/protocol/server/src/server-helpers.c
@@ -501,44 +501,51 @@ get_frame_from_request(rpcsvc_request_t *req) would not have been set. So for non trusted clients (i.e clients not from the same machine as the brick, and clients from outside the storage pool) - do the root-squashing. + do the root-squashing and all-squashing. TODO: If any client within the storage pool (i.e mounting within a machine from the pool but using other machine's ip/hostname from the same pool) is present treat it as a trusted client */ - if (!client->auth.username && req->pid != NFS_PID) + if (!client->auth.username && req->pid != NFS_PID) { RPC_AUTH_ROOT_SQUASH(req); + RPC_AUTH_ALL_SQUASH(req); + } /* Problem: If we just check whether the client is - trusted client and do not do root squashing for - them, then for smb clients and UFO clients root - squashing will never happen as they use the fuse - mounts done within the trusted pool (i.e they are - trusted clients). - Solution: To fix it, do root squashing for trusted - clients also. If one wants to have a client within - the storage pool for which root-squashing does not - happen, then the client has to be mounted with + trusted client and do not do root squashing and + all squashing for them, then for smb clients and + UFO clients root squashing and all squashing will + never happen as they use the fuse mounts done within + the trusted pool (i.e they are trusted clients). + Solution: To fix it, do root squashing and all squashing + for trusted clients also. If one wants to have a client + within the storage pool for which root-squashing does + not happen, then the client has to be mounted with --no-root-squash option. But for defrag client and - gsyncd client do not do root-squashing. + gsyncd client do not do root-squashing and all-squashing. 
*/ if (client->auth.username && req->pid != GF_CLIENT_PID_NO_ROOT_SQUASH && req->pid != GF_CLIENT_PID_GSYNCD && req->pid != GF_CLIENT_PID_DEFRAG && req->pid != GF_CLIENT_PID_SELF_HEALD && - req->pid != GF_CLIENT_PID_QUOTA_MOUNT) + req->pid != GF_CLIENT_PID_QUOTA_MOUNT) { RPC_AUTH_ROOT_SQUASH(req); + RPC_AUTH_ALL_SQUASH(req); + } /* For nfs clients the server processes will be running within the trusted storage pool machines. So if we - do not do root-squashing for nfs servers, thinking - that its a trusted client, then root-squashing won't - work for nfs clients. + do not do root-squashing and all-squashing for nfs + servers, thinking that its a trusted client, then + root-squashing and all-squashing won't work for nfs + clients. */ - if (req->pid == NFS_PID) + if (req->pid == NFS_PID) { RPC_AUTH_ROOT_SQUASH(req); + RPC_AUTH_ALL_SQUASH(req); + } } }
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 737e8e0907c..a8908166c76 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -1748,13 +1748,22 @@ struct volume_options server_options[] = {
 "as user bin or group staff.",
 .op_version = {2},
 .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC},
+ {.key = {"all-squash"},
+ .type = GF_OPTION_TYPE_BOOL,
+ .default_value = "off",
+ .description = "Map requests from any uid/gid to the anonymous "
+ "uid/gid. Note that this does not apply to any other "
+ "uids or gids that might be equally sensitive, such "
+ "as user bin or group staff.",
+ .op_version = {GD_OP_VERSION_6_0},
+ .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC},
 {.key = {"anonuid"},
 .type = GF_OPTION_TYPE_INT,
 .default_value = "65534", /* RPC_NOBODY_UID */
 .min = 0,
 .max = (uint32_t)-1,
 .description = "value of the uid used for the anonymous "
- "user/nfsnobody when root-squash is enabled.",
+ "user/nfsnobody when root-squash/all-squash is enabled.",
 .op_version = {3},
 .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC},
 {.key = {"anongid"},
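Review bot: In server-helpers.c, the comment above the second condition still names only `--no-root-squash` as the way to exempt a trusted client, yet the rewritten branch now also skips `RPC_AUTH_ALL_SQUASH(req)` for the same pids (`GF_CLIENT_PID_NO_ROOT_SQUASH`, gsyncd, defrag, self-heal daemon, quota mount). Because the exemption is keyed on `req->pid`, an operator who enables server.all-squash needs to know that a client authenticated with a username and presenting one of these pids keeps its real uid/gid; I would extend the comment with `A client mounted with --no-root-squash is exempt from all-squashing as well.` The definition of `RPC_AUTH_ALL_SQUASH` is not part of this diff (the diffstat is limited to xlators), so the precedence over root-squash stated in the commit message, which presumably relies on the macro order used here, and the handling of auxiliary gids cannot be confirmed from these lines. The enclosing get_frame_from_request() starts and ends outside the hunk.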
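Review bot: In server.c, the new `all-squash` description carries over the root-squash caveat "Note that this does not apply to any other uids or gids that might be equally sensitive, such as user bin or group staff", which contradicts an option that maps every uid/gid to the anonymous one. The entry is flagged `OPT_FLAG_DOC`, so this text presumably reaches the user-facing option help, where it would understate what the setting does. I would shorten it to `.description = "Map requests from any uid/gid to the anonymous uid/gid. "` followed by `"If root-squash is also enabled, all-squash takes effect.",` so the help text matches the table in the commit message. The server_options[] array begins and continues outside the hunk.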
@@ -1763,7 +1772,7 @@ struct volume_options server_options[] = {
 .min = 0,
 .max = (uint32_t)-1,
 .description = "value of the gid used for the anonymous "
- "user/nfsnobody when root-squash is enabled.",
+ "user/nfsnobody when root-squash/all-squash is enabled.",
 .op_version = {3},
 .flags = OPT_FLAG_SETTABLE | OPT_FLAG_DOC},
 {.key = {"statedump-path"}, |