Signed-off-by: Chuck Lever <[email protected]>
---
doc/man/fedfs-get-nsdb-params.8 | 125 +++++++---------------
src/fedfsc/fedfs-get-nsdb-params.c | 207 ++++++++++++++++++++----------------
2 files changed, 153 insertions(+), 179 deletions(-)
diff --git a/doc/man/fedfs-get-nsdb-params.8 b/doc/man/fedfs-get-nsdb-params.8
index fb14df3..1f8826d 100644
--- a/doc/man/fedfs-get-nsdb-params.8
+++ b/doc/man/fedfs-get-nsdb-params.8
@@ -5,7 +5,7 @@
.\"
.\"
-.\" Copyright 2011 Oracle. All rights reserved.
+.\" Copyright 2011, 2013 Oracle. All rights reserved.
.\"
.\" This file is part of fedfs-utils.
.\"
@@ -39,6 +39,8 @@ fedfs-get-nsdb-params \- send a FEDFS_GET_NSDB_PARAMS ADMIN
protocol request
.IR nsdbname ]
.RB [ \-r
.IR nsdbport ]
+.RB [ \-s
+.IR security ]
.SH INTRODUCTION
RFC 5716 introduces the Federated File System (FedFS, for short).
FedFS is an extensible standardized mechanism
@@ -119,90 +121,21 @@ Specifies the IP port of the NSDB to insert into the new
FedFS junction.
If this option is not specified,
the value of the FEDFS_NSDB_PORT environment variable is consulted.
The default value if the variable is not set is 389.
-.SH EXIT CODES
-The remote administration service returns a value that reflects the
-success of the requested operation.
-.TP
-.B FEDFS_OK
-The operation succeeded.
-.TP
-.B FEDFS_ERR_ACCESS
-The caller does not have permission to perform the requested operation
-on the remote server.
-.TP
-.B FEDFS_ERR_BADCHAR
-The NSDB hostname contains a character which is not
-supported by the remote server.
-.TP
-.B FEDFS_ERR_BADXDR
-The remote server encountered an XDR decoding error while
-processing the request.
-.TP
-.B FEDFS_ERR_INVAL
-One of the arguments was not valid.
-.TP
-.B FEDFS_ERR_IO
-A hard error occurred on the remote server.
-.TP
-.B FEDFS_ERR_PERM
-The operation was not allowed because the caller is
-either not a privileged user or not the owner of an object that
-would be modified by the operation.
-.TP
-.B FEDFS_ERR_SVRFAULT
-An unanticipated non-protocol error occurred on the remote server.
-.TP
-.B FEDFS_ERR_NSDB_ROUTE
-The remote server was unable to find a route to the NSDB.
-.TP
-.B FEDFS_ERR_NSDB_DOWN
-The remote server determined that the NSDB was down.
-.TP
-.B FEDFS_ERR_NSDB_CONN
-The remote server was unable to establish a connection with the NSDB.
-.TP
-.B FEDFS_ERR_NSDB_AUTH
-The remote server was unable to authenticate
-and establish a secure connection with the NSDB.
-.TP
-.B FEDFS_ERR_NSDB_LDAP
-An LDAP error occurred on the connection between the remote server and NSDB.
-.TP
-.B FEDFS_ERR_NSDB_LDAP_VAL
-Indicates the same error as FEDFS_ERR_NSDB_LDAP,
-and allows an LDAP protocol error value to be returned to the client.
-.TP
-.B FEDFS_ERR_NSDB_RESPONSE
-The remote server received a malformed response from the NSDB.
-This includes situations when an NSDB entry (e.g. FSN or FSL)
-is missing a required attribute.
-.TP
-.B FEDFS_ERR_NSDB_FAULT
-An unanticipated error related to the NSDB occurred.
-.TP
-.B FEDFS_ERR_NSDB_PARAMS
-The remote server does not have any connection
-parameters on record for the specified NSDB.
-.TP
-.B FEDFS_ERR_NSDB_LDAP_REFERRAL
-The remote server received an LDAP referral that it was unable to follow.
-.TP
-.B FEDFS_ERR_NSDB_LDAP_REFERRAL_VAL
-Indicates the same error as FEDFS_ERR_NSDB_LDAP_REFERRAL,
-and allows an LDAP protocol error value to be returned back to the client.
-.TP
-.B FEDFS_ERR_NSDB_LDAP_REFERRAL_NOTFOLLOWED
-The remote server received an LDAP referral that it chose not to follow,
-either because the remote server does not support following LDAP referrals
-or LDAP referral following is disabled.
-.TP
-.B FEDFS_ERR_NSDB_PARAMS_LDAP_REFERRAL
-The remote server received an LDAP referral that it chose not to follow
-because the remote server had no NSDB parameters for the NSDB
-targeted by the LDAP referral.
-.TP
-.B FEDFS_ERR_NOTSUPP
-The remote server does not support the specified procedure.
+.IP "\fB\-s, \-\-security=\fIflavor\fP"
+Specifies the security flavor to use
+when contacting the remote FedFS ADMIN service.
+Valid flavors are
+.BR sys ,
+.BR unix ,
+.BR krb5 ,
+.BR krb5i ", and"
+.BR krb5p .
+If this option is not specified, the
+.B unix
+flavor is used.
+See the
+.B SECURITY
+section of this man page for details.
.SH EXAMPLES
Suppose you are the FedFS administrator of the
.I example.net
@@ -224,13 +157,33 @@ The remote server knows about
.I nsdb.example.net
and does not use TLS when querying it to resolve junctions.
.SH SECURITY
-RPCSEC GSSAPI authentication has not yet been implemented for this command.
+By default, or if the
+.B sys
+and
+.B unix
+flavors are specified with the
+.BI \-\-security= flavor
+option, the
+.BR fedfs-create-junction (8)
+command uses AUTH_SYS security for the Remote Procedure Call.
+AUTH_SYS has known weaknesses and should be avoided on untrusted networks.
+.P
+The RPC client uses the Kerberos v5 GSS mechanism
+if a Kerberos security flavor is specified.
+When specifying a Kerberos security flavor,
+the user must first obtain a valid Kerberos ticket using
+.BR kinit (1)
+before running
+.BR fedfs-create-junction (8).
+.P
+The AUTH_NONE security flavor is no longer supported by this implementation.
.SH "SEE ALSO"
.BR fedfs (7),
.BR nsdb-parameters (7),
.BR rpc.fedfsd (8),
.BR fedfs-get-nsdb-limited-params (8),
.BR nsdbparams (8),
+.BR kinit (1),
.BR rpc (3t)
.sp
RFC 5716 for FedFS requirements and overview
diff --git a/src/fedfsc/fedfs-get-nsdb-params.c
b/src/fedfsc/fedfs-get-nsdb-params.c
index a77cf88..4132cd0 100644
--- a/src/fedfsc/fedfs-get-nsdb-params.c
+++ b/src/fedfsc/fedfs-get-nsdb-params.c
@@ -4,7 +4,7 @@
*/
/*
- * Copyright 2010 Oracle. All rights reserved.
+ * Copyright 2010, 2013 Oracle. All rights reserved.
*
* This file is part of fedfs-utils.
*
@@ -28,31 +28,25 @@
#include <string.h>
#include <stdbool.h>
+#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <getopt.h>
#include <locale.h>
-#include <rpc/clnt.h>
-#include <ldap.h>
-
#include "fedfs.h"
#include "fedfs_admin.h"
+#include "admin.h"
#include "nsdb.h"
#include "junction.h"
#include "xlog.h"
#include "gpl-boiler.h"
/**
- * Default RPC request timeout
- */
-static struct timeval fedfs_get_nsdb_params_timeout = { 25, 0 };
-
-/**
* Short form command line options
*/
-static const char fedfs_get_nsdb_params_opts[] = "?df:h:l:n:r:";
+static const char fedfs_get_nsdb_params_opts[] = "?df:h:l:n:r:s:";
/**
* Long form command line options
@@ -65,6 +59,7 @@ static const struct option fedfs_get_nsdb_params_longopts[] =
{
{ "nsdbname", 1, NULL, 'l', },
{ "nettype", 1, NULL, 'n', },
{ "nsdbport", 1, NULL, 'r', },
+ { "security", 1, NULL, 's', },
{ NULL, 0, NULL, 0, },
};
@@ -72,8 +67,9 @@ static const struct option fedfs_get_nsdb_params_longopts[] =
{
* Display program synopsis
*
* @param progname NUL-terminated C string containing name of program
+ * @return program exit status
*/
-static void
+static int
fedfs_get_nsdb_params_usage(const char *progname)
{
fprintf(stderr, "\n%s version " VERSION "\n", progname);
@@ -88,34 +84,25 @@ fedfs_get_nsdb_params_usage(const char *progname)
fprintf(stderr, "\t-h, --hostname ADMIN server hostname (default:
'localhost')\n");
fprintf(stderr, "\t-l, --nsdbname NSDB hostname\n");
fprintf(stderr, "\t-r, --nsdbport NSDB port\n");
+ fprintf(stderr, "\t-s, --security RPC security level\n");
fprintf(stderr, "%s", fedfs_gpl_boilerplate);
- exit((int)FEDFS_ERR_INVAL);
+ return EXIT_FAILURE;
}
/**
* Display NSDB information
*
- * @param result NSDB information to display
+ * @param sectype NSDB connection security type to display
+ * @param cert struct admin_cert to display
* @param certfile NUL-terminated UTF-8 string containing pathname of file to
write security data to
*/
static void
-fedfs_get_nsdb_params_print_result(FedFsGetNsdbParamsRes result,
- const char *certfile)
+fedfs_get_nsdb_params_print_result(FedFsConnectionSec sectype,
+ struct admin_cert *cert, const char *certfile)
{
- FedFsNsdbParams *params = &result.FedFsGetNsdbParamsRes_u.params;
-
- if (result.status == FEDFS_ERR_NSDB_PARAMS) {
- printf("No connection parameters found\n");
- return;
- }
-
- nsdb_print_fedfsstatus(result.status);
- if (result.status != FEDFS_OK)
- return;
-
- switch (params->secType) {
+ switch (sectype) {
case FEDFS_SEC_NONE:
printf("ConnectionSec: FEDFS_SEC_NONE\n");
break;
@@ -123,66 +110,106 @@ fedfs_get_nsdb_params_print_result(FedFsGetNsdbParamsRes
result,
printf("ConnectionSec: FEDFS_SEC_TLS\n");
if (certfile != NULL)
(void)nsdb_connsec_write_pem_file(certfile,
- params->FedFsNsdbParams_u.secData.secData_val,
- params->FedFsNsdbParams_u.secData.secData_len);
+ cert->ac_data,
+ cert->ac_len);
break;
default:
printf("Unrecognized FedFsConnectionSec value: %u\n",
- params->secType);
+ sectype);
}
}
/**
* Retrieve NSDB information from a remote fileserver
*
- * @param hostname NUL-terminated UTF-8 string containing ADMIN server's
hostname
- * @param nettype NUL-terminated C string containing nettype to use for
connection
- * @param nsdbname NUL-terminated UTF-8 string containing name of NSDB node to
retrieve
- * @param nsdbport port number of NSDB node to retrieve
+ * @param host an initialized and opened admin_t
+ * @param nsdb an NSDB hostname and port
* @param certfile NUL-terminated UTF-8 string containing pathname of file to
write security data to
- * @return a FedFsStatus code
+ * @return program exit status
*/
-static FedFsStatus
-fedfs_get_nsdb_params_call(const char *hostname, const char *nettype,
- char *nsdbname, const unsigned short nsdbport,
+static int
+fedfs_get_nsdb_params_try(admin_t host, struct admin_nsdb *nsdb,
const char *certfile)
{
- FedFsGetNsdbParamsRes result;
- enum clnt_stat status;
- FedFsNsdbName arg;
- CLIENT *client;
-
- memset(&arg, 0, sizeof(arg));
-
- arg.hostname.utf8string_len = strlen(nsdbname);
- arg.hostname.utf8string_val = nsdbname;
- arg.port = nsdbport;
-
- client = clnt_create(hostname, FEDFS_PROG, FEDFS_V1, nettype);
- if (client == NULL) {
- clnt_pcreateerror("Failed to create FEDFS client");
- result.status = FEDFS_ERR_SVRFAULT;
+ FedFsConnectionSec sectype;
+ struct admin_cert *cert;
+ int status, err;
+
+ status = EXIT_FAILURE;
+ err = admin_get_nsdb_params(host, nsdb, §ype, &cert);
+ switch (err) {
+ case 0:
+ break;
+ case EACCES:
+ xlog(L_ERROR, "%s: access denied", admin_hostname(host));
+ xlog(D_GENERAL, "%s",
+ admin_perror(host, admin_hostname(host)));
+ goto out;
+ case EIO:
+ xlog(L_ERROR, "%s",
+ admin_perror(host, admin_hostname(host)));
+ goto out;
+ default:
+ xlog(L_ERROR, "ADMIN client: %s", strerror(err));
goto out;
}
- memset((char *)&result, 0, sizeof(result));
- status = clnt_call(client, FEDFS_GET_NSDB_PARAMS,
- (xdrproc_t)xdr_FedFsNsdbName, (caddr_t)&arg,
- (xdrproc_t)xdr_FedFsGetNsdbParamsRes,
(caddr_t)&result,
- fedfs_get_nsdb_params_timeout);
- if (status != RPC_SUCCESS) {
- clnt_perror(client, "FEDFS_GET_NSDB_PARAMS call failed");
- result.status = FEDFS_ERR_SVRFAULT;
- } else {
- fedfs_get_nsdb_params_print_result(result, certfile);
- clnt_freeres(client,
- (xdrproc_t)xdr_FedFsGetNsdbParamsRes,
- (caddr_t)&result);
+ switch (admin_status(host)) {
+ case FEDFS_OK:
+ fedfs_get_nsdb_params_print_result(sectype, cert, certfile);
+ admin_free_cert(cert);
+ status = EXIT_SUCCESS;
+ break;
+ case FEDFS_ERR_NSDB_PARAMS:
+ printf("No connection parameters found\n");
+ break;
+ default:
+ nsdb_print_fedfsstatus(admin_status(host));
}
- (void)clnt_destroy(client);
out:
- return result.status;
+ return status;
+}
+
+/**
+ * Retrieve NSDB information from a remote fileserver
+ *
+ * @param hostname NUL-terminated UTF-8 string containing ADMIN server's
hostname
+ * @param nettype NUL-terminated C string containing nettype to use for
connection
+ * @param security NUL-terminated C string containing RPC security mode
+ * @param nsdb an NSDB hostname and port
+ * @param certfile NUL-terminated UTF-8 string containing pathname of file to
write security data to
+ * @return program exit status
+ */
+static int
+fedfs_get_nsdb_params_host(const char *hostname, const char *nettype,
+ const char *security, struct admin_nsdb *nsdb,
+ const char *certfile)
+{
+ admin_t host;
+ int status;
+
+ status = EXIT_FAILURE;
+ switch (admin_create(hostname, nettype, security, &host)) {
+ case 0:
+ status = fedfs_get_nsdb_params_try(host, nsdb, certfile);
+ admin_release(host);
+ break;
+ case EINVAL:
+ xlog(L_ERROR, "Invalid command line parameter");
+ break;
+ case EACCES:
+ xlog(L_ERROR, "Failed to authenticate server");
+ break;
+ case EKEYEXPIRED:
+ xlog(L_ERROR, "User credentials not found");
+ break;
+ default:
+ xlog(L_ERROR, "%s",
+ admin_open_perror(admin_hostname(host)));
+ }
+
+ return status;
}
/**
@@ -195,11 +222,9 @@ out:
int
main(int argc, char **argv)
{
- char *progname, *hostname, *nettype, *nsdbname, *certfile;
- unsigned short nsdbport;
- unsigned int seconds;
- FedFsStatus status;
- int arg;
+ char *progname, *hostname, *nettype, *security, *certfile;
+ struct admin_nsdb nsdb;
+ int arg, status;
(void)setlocale(LC_ALL, "");
(void)umask(S_IRWXO);
@@ -215,10 +240,11 @@ main(int argc, char **argv)
xlog_syslog(0);
xlog_open(progname);
- nsdb_env(&nsdbname, &nsdbport, NULL, NULL);
+ nsdb_env((char **)&nsdb.an_hostname, &nsdb.an_port, NULL, NULL);
hostname = "localhost";
nettype = "netpath";
+ security = "unix";
certfile = NULL;
while ((arg = getopt_long(argc, argv, fedfs_get_nsdb_params_opts,
fedfs_get_nsdb_params_longopts, NULL)) != -1) {
switch (arg) {
@@ -235,48 +261,43 @@ main(int argc, char **argv)
if (!nsdb_is_hostname_utf8(optarg)) {
fprintf(stderr, "NSDB name %s is "
"not a UTF-8 hostname\n", optarg);
- fedfs_get_nsdb_params_usage(progname);
+ return fedfs_get_nsdb_params_usage(progname);
}
- nsdbname = optarg;
+ nsdb.an_hostname = optarg;
break;
case 'n':
nettype = optarg;
break;
case 'r':
- if (!nsdb_parse_port_string(optarg, &nsdbport)) {
+ if (!nsdb_parse_port_string(optarg, &nsdb.an_port)) {
fprintf(stderr, "Bad port number: %s\n",
optarg);
- fedfs_get_nsdb_params_usage(progname);
+ return fedfs_get_nsdb_params_usage(progname);
}
break;
+ case 's':
+ security = optarg;
+ break;
default:
fprintf(stderr, "Invalid command line argument: %c\n",
(char)arg);
case '?':
- fedfs_get_nsdb_params_usage(progname);
+ return fedfs_get_nsdb_params_usage(progname);
}
}
if (optind != argc) {
fprintf(stderr, "Unrecognized command line argument\n");
- fedfs_get_nsdb_params_usage(progname);
+ return fedfs_get_nsdb_params_usage(progname);
}
- if (nsdbname == NULL) {
+ if (nsdb.an_hostname == NULL) {
fprintf(stderr, "Missing required command line argument\n");
- fedfs_get_nsdb_params_usage(progname);
+ return fedfs_get_nsdb_params_usage(progname);
}
nsdb_connsec_crypto_startup();
- for (seconds = FEDFS_DELAY_MIN_SECS;; seconds = fedfs_delay(seconds)) {
- status = fedfs_get_nsdb_params_call(hostname, nettype,
- nsdbname, nsdbport, certfile);
- if (status != FEDFS_ERR_DELAY)
- break;
-
- xlog(D_GENERAL, "Delaying %u seconds...", seconds);
- if (sleep(seconds) != 0)
- break;
- }
+ status = fedfs_get_nsdb_params_host(hostname, nettype,
+ security, &nsdb, certfile);
nsdb_connsec_crypto_shutdown();
- return (int)status;
+ return status;
}
_______________________________________________
fedfs-utils-devel mailing list
[email protected]
https://oss.oracle.com/mailman/listinfo/fedfs-utils-devel
