Hi Praveen,
Would something like the attached patch work for you?
I have minimally tested it on my setups and it seems to work.
You need to add something (optional) like the following to your fs.conf file
under
the <FileSystem> context tags
<ExportOptions>
ReadOnly yes --> if you want readonly f.s
RootSquash yes --> if you want root squash. Unfortunately
this will root squash all clients :(. No selective squashing. Currently
root will squash to a default uid for nobody,gid for nobody.
AllSquash yes --> all users will get squashed to nobody..
AnonUID <uid> --> override the anonuid value to something..
AnonGID <gid> --> override the anongid value to something..
</ExportOptions>
Exporting a sub-tree to specific clients is not addressed by this patch.
It requires far more work..
Thanks,
Murali
On Tue, 6 Dec 2005, Praveen KJ wrote:
> Hi,
>
> I have a particular pvfs2 client, where the root user is to have least
> possible privelege.
> The least I need is that the root be unable to delete other user files.
> Is there a way to construct a pvfs2 setup so that nfs equivalent of
> root_squash is supported ?
>
> Another alternative could be to export only a sub-tree ( or
> sub-directory) of the pvfs2 root tree to this particular client.
> The root user on the client will thus be limited in scope. It can
> perform actions only on that sub-directory.
>
>
> Thanks,
> Praveen
> _______________________________________________
> PVFS2-users mailing list
> [email protected]
> http://www.beowulf-underground.org/mailman/listinfo/pvfs2-users
>
>Index: src/common/misc/server-config.c
===================================================================
RCS file: /anoncvs/pvfs2/src/common/misc/server-config.c,v
retrieving revision 1.76
diff -u -r1.76 server-config.c
--- src/common/misc/server-config.c 11 Nov 2005 21:31:02 -0000 1.76
+++ src/common/misc/server-config.c 8 Dec 2005 07:35:21 -0000
@@ -41,6 +41,8 @@
static DOTCONF_CB(exit_filesystem_context);
static DOTCONF_CB(enter_storage_hints_context);
static DOTCONF_CB(exit_storage_hints_context);
+static DOTCONF_CB(enter_export_options_context);
+static DOTCONF_CB(exit_export_options_context);
static DOTCONF_CB(enter_mhranges_context);
static DOTCONF_CB(exit_mhranges_context);
static DOTCONF_CB(enter_dhranges_context);
@@ -62,6 +64,13 @@
static DOTCONF_CB(get_range_list);
static DOTCONF_CB(get_bmi_module_list);
static DOTCONF_CB(get_flow_module_list);
+
+static DOTCONF_CB(get_root_squash);
+static DOTCONF_CB(get_read_only);
+static DOTCONF_CB(get_all_squash);
+static DOTCONF_CB(get_anon_gid);
+static DOTCONF_CB(get_anon_uid);
+
static DOTCONF_CB(get_handle_recycle_timeout_seconds);
static DOTCONF_CB(get_attr_cache_keywords_list);
static DOTCONF_CB(get_attr_cache_size);
@@ -238,6 +247,19 @@
{"</FileSystem>",ARG_NONE, exit_filesystem_context,NULL,CTX_FILESYSTEM,
NULL},
+ /* Specifies the beginning of a ExportOptions context.
+ * This groups options specific to a filesystem and related to the behavior
+ * of how it gets exported to various clients. Most of these options
+ * will affect things like what uids get translated to and so on..
+ */
+ {"<ExportOptions>",ARG_NONE, enter_export_options_context, NULL,
+ CTX_FILESYSTEM, NULL},
+
+ /* Specifies the end-tag of the ExportOptions context.
+ */
+ {"</ExportOptions>",ARG_NONE, exit_export_options_context, NULL,
+ CTX_EXPORT, NULL},
+
/* Specifies the beginning of a StorageHints context. This groups
* options specific to a filesystem and related to the behavior of the
* storage system. Mostly these options are passed directly to the
@@ -280,7 +302,7 @@
*/
{"</DataHandleRanges>",ARG_NONE, exit_dhranges_context,NULL,
CTX_DATAHANDLERANGES,NULL},
-
+
/* Provides a context for defining the filesystem's default
* distribution to use and the parameters to be set for that distribution.
*
@@ -485,6 +507,43 @@
{"FlowModules",ARG_LIST, get_flow_module_list,NULL,
CTX_DEFAULTS|CTX_GLOBAL,"flowproto_multiqueue,"},
+ /* Define options that will influence the way a file-system gets exported
+ * to the rest of the world.
+ */
+
+ /* RootSquash option specifies whether the exported file-system needs to
squash accesses
+ * by root. This is an optional parameter that needs to be specified as
part of the ExportOptions
+ * context and is a boolean yes/no.
+ */
+ {"RootSquash", ARG_STR, get_root_squash, NULL,
+ CTX_EXPORT, "no"},
+
+ /* ReadOnly option specifies whether the exported file-system needs to
disallow write accesses
+ * from clients or anything that modifies the state of the file-system.
+ * This is an optional parameter that needs to be specified as part of the
ExportOptions
+ * context and is a boolean yes or no.
+ */
+ {"ReadOnly", ARG_STR, get_read_only, NULL,
+ CTX_EXPORT, "no"},
+
+ /* AllSquash option specifies whether the exported file-system needs to
squash all accesses
+ * to the file-system to a specified uid/gid!
+ * This is an optional parameter that needs to be specified as part of the
ExportOptions
+ * context and is a boolean yes or no.
+ */
+ {"AllSquash", ARG_STR, get_all_squash, NULL,
+ CTX_EXPORT, "no"},
+
+ /* AnonUID and AnonGID are 2 integers that tell the servers to translate
the requesting clients'
+ * uid/gid to the specified ones whenever AllSquash is specified!
+ * If these are not specified and AllSquash is specified then the uid used
will be
+ * that of nobody and gid that of nobody
+ */
+ {"AnonUID", ARG_STR, get_anon_uid, NULL,
+ CTX_EXPORT, "65534"},
+ {"AnonGID", ARG_STR, get_anon_gid, NULL,
+ CTX_EXPORT, "65534"},
+
/* The TROVE storage layer has a management component that deals with
* allocating handle values for new metafiles and datafiles. The
underlying
* trove module can be given a hint to tell it how long to wait before
@@ -929,6 +988,23 @@
return NULL;
}
+DOTCONF_CB(enter_export_options_context)
+{
+ struct server_configuration_s *config_s =
+ (struct server_configuration_s *)cmd->context;
+ config_s->configuration_context = CTX_EXPORT;
+
+ return PINT_dotconf_set_defaults(
+ cmd->configfile, CTX_EXPORT);
+}
+
+DOTCONF_CB(exit_export_options_context)
+{
+ struct server_configuration_s *config_s =
+ (struct server_configuration_s *)cmd->context;
+ config_s->configuration_context = CTX_FILESYSTEM;
+ return NULL;
+}
DOTCONF_CB(enter_mhranges_context)
{
@@ -1119,6 +1195,120 @@
return NULL;
}
+DOTCONF_CB(get_root_squash)
+{
+ struct filesystem_configuration_s *fs_conf = NULL;
+ struct server_configuration_s *config_s =
+ (struct server_configuration_s *)cmd->context;
+
+ fs_conf = (struct filesystem_configuration_s *)
+ PINT_llist_head(config_s->file_systems);
+ assert(fs_conf);
+
+ if(strcasecmp(cmd->data.str, "yes") == 0)
+ {
+ fs_conf->exp_flags |= TROVE_EXP_ROOT_SQUASH;
+ }
+ else if(strcasecmp(cmd->data.str, "no") == 0)
+ {
+ fs_conf->exp_flags &= ~TROVE_EXP_ROOT_SQUASH;
+ }
+ else
+ {
+ return("RootSquash value must be 'yes' or 'no'.\n");
+ }
+ return NULL;
+}
+
+DOTCONF_CB(get_read_only)
+{
+ struct filesystem_configuration_s *fs_conf = NULL;
+ struct server_configuration_s *config_s =
+ (struct server_configuration_s *)cmd->context;
+
+ fs_conf = (struct filesystem_configuration_s *)
+ PINT_llist_head(config_s->file_systems);
+ assert(fs_conf);
+
+ if(strcasecmp(cmd->data.str, "yes") == 0)
+ {
+ fs_conf->exp_flags |= TROVE_EXP_READ_ONLY;
+ }
+ else if(strcasecmp(cmd->data.str, "no") == 0)
+ {
+ fs_conf->exp_flags &= ~TROVE_EXP_READ_ONLY;
+ }
+ else
+ {
+ return("ReadOnly value must be 'yes' or 'no'.\n");
+ }
+ return NULL;
+}
+
+DOTCONF_CB(get_all_squash)
+{
+ struct filesystem_configuration_s *fs_conf = NULL;
+ struct server_configuration_s *config_s =
+ (struct server_configuration_s *)cmd->context;
+
+ fs_conf = (struct filesystem_configuration_s *)
+ PINT_llist_head(config_s->file_systems);
+ assert(fs_conf);
+
+ if(strcasecmp(cmd->data.str, "yes") == 0)
+ {
+ fs_conf->exp_flags |= TROVE_EXP_ALL_SQUASH;
+ }
+ else if(strcasecmp(cmd->data.str, "no") == 0)
+ {
+ fs_conf->exp_flags &= ~TROVE_EXP_ALL_SQUASH;
+ }
+ else
+ {
+ return("AllSquash value must be 'yes' or 'no'.\n");
+ }
+ return NULL;
+}
+
+DOTCONF_CB(get_anon_uid)
+{
+ struct filesystem_configuration_s *fs_conf = NULL;
+ unsigned int tmp_var;
+ int ret = -1;
+ struct server_configuration_s *config_s =
+ (struct server_configuration_s *)cmd->context;
+
+ fs_conf = (struct filesystem_configuration_s *)
+ PINT_llist_head(config_s->file_systems);
+ assert(fs_conf);
+ ret = sscanf(cmd->data.str, "%u", &tmp_var);
+ if(ret != 1)
+ {
+ return("AnonUID does not have a long long unsigned value.\n");
+ }
+ fs_conf->exp_anon_uid = tmp_var;
+ return NULL;
+}
+
+DOTCONF_CB(get_anon_gid)
+{
+ struct filesystem_configuration_s *fs_conf = NULL;
+ unsigned int tmp_var;
+ int ret = -1;
+ struct server_configuration_s *config_s =
+ (struct server_configuration_s *)cmd->context;
+
+ fs_conf = (struct filesystem_configuration_s *)
+ PINT_llist_head(config_s->file_systems);
+ assert(fs_conf);
+ ret = sscanf(cmd->data.str, "%u", &tmp_var);
+ if(ret != 1)
+ {
+ return("AnonGID does not have a unsigned value.\n");
+ }
+ fs_conf->exp_anon_gid = tmp_var;
+ return NULL;
+}
DOTCONF_CB(get_bmi_module_list)
{
Index: src/common/misc/server-config.h
===================================================================
RCS file: /anoncvs/pvfs2/src/common/misc/server-config.h,v
retrieving revision 1.48
diff -u -r1.48 server-config.h
--- src/common/misc/server-config.h 10 Nov 2005 01:27:02 -0000 1.48
+++ src/common/misc/server-config.h 8 Dec 2005 07:35:22 -0000
@@ -25,7 +25,8 @@
CTX_DATAHANDLERANGES = (1 << 6),
CTX_STORAGEHINTS = (1 << 7),
CTX_DISTRIBUTION = (1 << 8),
- CTX_SECURITY = (1 << 9)
+ CTX_SECURITY = (1 << 9),
+ CTX_EXPORT = (1 << 10),
};
typedef struct phys_server_desc
@@ -82,6 +83,10 @@
int trove_sync_meta;
int trove_sync_data;
+ /* Export flags bitwise OR of flags specified */
+ int exp_flags;
+ PVFS_uid exp_anon_uid;
+ PVFS_gid exp_anon_gid;
} filesystem_configuration_s;
typedef struct distribution_param_configuration_s
@@ -212,6 +217,10 @@
int PINT_config_trim_filesystems_except(
struct server_configuration_s *config_s,
PVFS_fs_id fs_id);
+
+struct server_configuration_s *PINT_get_server_config(void);
+int PINT_translate_ids(PVFS_fs_id fsid, PVFS_uid uid, PVFS_gid gid,
+ PVFS_uid *translated_uid, PVFS_gid *translated_gid);
#ifdef __PVFS2_TROVE_SUPPORT__
int PINT_config_pvfs2_mkspace(
Index: src/io/trove/trove.h
===================================================================
RCS file: /anoncvs/pvfs2/src/io/trove/trove.h,v
retrieving revision 1.28
diff -u -r1.28 trove.h
--- src/io/trove/trove.h 1 Aug 2005 22:49:50 -0000 1.28
+++ src/io/trove/trove.h 8 Dec 2005 07:35:22 -0000
@@ -56,6 +56,13 @@
TROVE_ONLYOVERWRITE = 16, /* keyval_write and keyval_write_list */
};
+enum
+{
+ TROVE_EXP_ROOT_SQUASH = 1,
+ TROVE_EXP_READ_ONLY = 2,
+ TROVE_EXP_ALL_SQUASH = 4,
+};
+
/* get/setinfo option flags */
enum
{
Index: src/server/prelude.sm
===================================================================
RCS file: /anoncvs/pvfs2/src/server/prelude.sm,v
retrieving revision 1.57
diff -u -r1.57 prelude.sm
--- src/server/prelude.sm 11 Nov 2005 21:31:09 -0000 1.57
+++ src/server/prelude.sm 8 Dec 2005 07:35:22 -0000
@@ -156,6 +156,192 @@
return ret;
}
+static void get_fs_intent(struct PVFS_server_req *req, PVFS_fs_id *fsid, int
*read_only)
+{
+ if (req == NULL)
+ {
+ *fsid = PVFS_FS_ID_NULL;
+ *read_only = -1;
+ return;
+ }
+ switch (req->op)
+ {
+ case PVFS_SERV_CREATE:
+ *fsid = req->u.create.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_REMOVE:
+ *fsid = req->u.remove.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_IO:
+ *fsid = req->u.io.fs_id;
+ *read_only = (req->u.io.io_type == PVFS_IO_READ) ? 1 : 0;
+ break;
+ case PVFS_SERV_GETATTR:
+ *fsid = req->u.getattr.fs_id;
+ *read_only = 1;
+ break;
+ case PVFS_SERV_SETATTR:
+ *fsid = req->u.setattr.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_LOOKUP_PATH:
+ *fsid = req->u.lookup_path.fs_id;
+ *read_only = 1;
+ break;
+ case PVFS_SERV_CRDIRENT:
+ *fsid = req->u.crdirent.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_RMDIRENT:
+ *fsid = req->u.rmdirent.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_CHDIRENT:
+ *fsid = req->u.chdirent.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_TRUNCATE:
+ *fsid = req->u.truncate.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_MKDIR:
+ *fsid = req->u.mkdir.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_READDIR:
+ *fsid = req->u.readdir.fs_id;
+ *read_only = 1;
+ break;
+ case PVFS_SERV_FLUSH:
+ *fsid = req->u.flush.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_MGMT_SETPARAM:
+ *fsid = req->u.mgmt_setparam.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_STATFS:
+ *fsid = req->u.statfs.fs_id;
+ *read_only = 1;
+ break;
+ case PVFS_SERV_MGMT_ITERATE_HANDLES:
+ *fsid = req->u.mgmt_iterate_handles.fs_id;
+ *read_only = 1;
+ break;
+ case PVFS_SERV_MGMT_DSPACE_INFO_LIST:
+ *fsid = req->u.mgmt_dspace_info_list.fs_id;
+ *read_only = 1;
+ break;
+ case PVFS_SERV_MGMT_REMOVE_OBJECT:
+ *fsid = req->u.mgmt_remove_object.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_MGMT_REMOVE_DIRENT:
+ *fsid = req->u.mgmt_remove_dirent.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_MGMT_GET_DIRDATA_HANDLE:
+ *fsid = req->u.mgmt_get_dirdata_handle.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_GETEATTR:
+ *fsid = req->u.geteattr.fs_id;
+ *read_only = 1;
+ break;
+ case PVFS_SERV_SETEATTR:
+ *fsid = req->u.seteattr.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_DELEATTR:
+ *fsid = req->u.deleattr.fs_id;
+ *read_only = 0;
+ break;
+ case PVFS_SERV_LISTEATTR:
+ *fsid = req->u.listeattr.fs_id;
+ *read_only = 1;
+ break;
+ case PVFS_SERV_PROTO_ERROR:
+ case PVFS_SERV_JOB_TIMER:
+ case PVFS_SERV_MGMT_EVENT_MON:
+ case PVFS_SERV_MGMT_PERF_MON:
+ case PVFS_SERV_PERF_UPDATE:
+ case PVFS_SERV_MGMT_NOOP:
+ case PVFS_SERV_WRITE_COMPLETION:
+ case PVFS_SERV_GETCONFIG:
+ default:
+ *fsid = PVFS_FS_ID_NULL;
+ *read_only = -1;
+ break;
+ }
+ return;
+}
+
+static int get_exp_flags(PVFS_fs_id fsid)
+{
+ struct server_configuration_s *serv_config = PINT_get_server_config();
+ struct filesystem_configuration_s * fsconfig =
PINT_config_find_fs_id(serv_config, fsid);
+ return fsconfig ? fsconfig->exp_flags : -1;
+}
+
+static void get_anon_ids(PVFS_fs_id fsid, PVFS_uid *uid, PVFS_gid *gid)
+{
+ struct server_configuration_s *serv_config = PINT_get_server_config();
+ struct filesystem_configuration_s * fsconfig =
PINT_config_find_fs_id(serv_config, fsid);
+ *uid = fsconfig ? fsconfig->exp_anon_uid : -1;
+ *gid = fsconfig ? fsconfig->exp_anon_gid : -1;
+ return;
+}
+
+int PINT_translate_ids(PVFS_fs_id fsid, PVFS_uid uid, PVFS_gid gid,
+ PVFS_uid *translated_uid, PVFS_gid *translated_gid)
+{
+ int exp_flags = 0;
+ exp_flags = get_exp_flags(fsid);
+ do {
+ /* If all squash was set */
+ if (exp_flags & TROVE_EXP_ALL_SQUASH)
+ {
+ get_anon_ids(fsid, translated_uid, translated_gid);
+ break;
+ }
+ /* if only root squash was set translate uids for root alone*/
+ if (exp_flags & TROVE_EXP_ROOT_SQUASH)
+ {
+ if (uid == 0 || gid == 0)
+ {
+ get_anon_ids(fsid, translated_uid, translated_gid);
+ break;
+ }
+ }
+ /* no such translation required! */
+ *translated_uid = uid;
+ *translated_gid = gid;
+ return 0;
+ } while (0);
+ /* if for whatever reason, the get_anon_ids failed, we reset the ids */
+ if (*translated_uid == -1)
+ *translated_uid = uid;
+ if (*translated_gid == -1)
+ *translated_gid = gid;
+ gossip_debug(GOSSIP_SERVER_DEBUG, "Translated ids from <%u:%u> to
<%u:%u>\n",
+ uid, gid, *translated_uid, *translated_gid);
+ return 1;
+}
+
+static int permit_operation(PVFS_fs_id fsid, int read_only)
+{
+ int exp_flags;
+ exp_flags = get_exp_flags(fsid);
+ if ((exp_flags & TROVE_EXP_READ_ONLY) && !read_only)
+ {
+ gossip_debug(GOSSIP_SERVER_DEBUG, "Disallowing read-write operation on
a read-only exported file-system\n");
+ return -EROFS;
+ }
+ return 0;
+}
+
/* prelude_perm_check()
*
* this really just marks the spot where we would want to do
@@ -167,6 +353,10 @@
{
PVFS_object_attr *obj_attr = NULL;
PVFS_ds_attributes *ds_attr = NULL;
+ PVFS_uid translated_uid = s_op->req->credentials.uid;
+ PVFS_gid translated_gid = s_op->req->credentials.gid;
+ PVFS_fs_id fsid;
+ int rdonly = -1;
/* moved gossip server debug output to end of state, so we can report
* resulting status value.
@@ -181,6 +371,8 @@
PVFS_ds_attr_to_object_attr(ds_attr, obj_attr);
s_op->attr.mask = PVFS_ATTR_COMMON_ALL;
+ get_fs_intent(s_op->req, &fsid, &rdonly);
+
/* the next thing we need to do is interpret the error code from
* reading the attributes. Normally it is an error if that step
* failed, but we have to look for the special case in which we
@@ -192,7 +384,27 @@
{
js_p->error_code = 0;
}
-
+ if (fsid != PVFS_FS_ID_NULL)
+ {
+ /*
+ * if we are exporting a volume readonly, disallow any operation that
modifies
+ * the state of the file-system.
+ */
+ if (permit_operation(fsid, rdonly) < 0)
+ {
+ js_p->error_code = -PVFS_EROFS;
+ return 1;
+ }
+ else {
+ /* Translate the uid and gid's in case we need to do some
squashing based on the export */
+ if (PINT_translate_ids(fsid, s_op->req->credentials.uid,
s_op->req->credentials.gid,
+ &translated_uid, &translated_gid) == 1)
+ {
+ s_op->req->credentials.uid = translated_uid;
+ s_op->req->credentials.gid = translated_gid;
+ }
+ }
+ }
/* anything else we treat as a real error */
if (js_p->error_code)
{
@@ -200,6 +412,7 @@
return(1);
}
+
gossip_debug(
GOSSIP_PERMISSIONS_DEBUG, "PVFS operation \"%s\" got "
"attr mask %d\n\t(attr_uid_valid? %s, attr_owner = "
@@ -207,32 +420,32 @@
"%d, credentials.gid = %d)\n",
PINT_map_server_op_to_string(s_op->req->op), s_op->attr.mask,
((s_op->attr.mask & PVFS_ATTR_COMMON_UID) ? "yes" : "no"),
- s_op->attr.owner, s_op->req->credentials.uid,
+ s_op->attr.owner, translated_uid,
((s_op->attr.mask & PVFS_ATTR_COMMON_GID) ? "yes" : "no"),
- s_op->attr.group, s_op->req->credentials.gid);
+ s_op->attr.group, translated_gid);
switch(PINT_server_req_table[s_op->req->op].perm)
{
case PINT_SERVER_CHECK_WRITE:
js_p->error_code = PINT_check_mode(
- &(s_op->attr), s_op->req->credentials.uid,
- s_op->req->credentials.gid, PINT_ACCESS_WRITABLE);
+ &(s_op->attr), translated_uid,
+ translated_gid, PINT_ACCESS_WRITABLE);
break;
case PINT_SERVER_CHECK_READ:
js_p->error_code = PINT_check_mode(
- &(s_op->attr), s_op->req->credentials.uid,
- s_op->req->credentials.gid, PINT_ACCESS_READABLE);
+ &(s_op->attr), translated_uid,
+ translated_gid, PINT_ACCESS_READABLE);
break;
case PINT_SERVER_CHECK_CRDIRENT:
/* must also check executable after writable */
js_p->error_code = PINT_check_mode(
- &(s_op->attr), s_op->req->credentials.uid,
- s_op->req->credentials.gid, PINT_ACCESS_WRITABLE);
+ &(s_op->attr), translated_uid,
+ translated_gid, PINT_ACCESS_WRITABLE);
if(js_p->error_code == 0)
{
js_p->error_code = PINT_check_mode(
- &(s_op->attr), s_op->req->credentials.uid,
- s_op->req->credentials.gid, PINT_ACCESS_EXECUTABLE);
+ &(s_op->attr), translated_uid,
+ translated_gid, PINT_ACCESS_EXECUTABLE);
}
break;
case PINT_SERVER_CHECK_ATTR:
@@ -263,11 +476,11 @@
*/
if (((s_op->attr.mask & PVFS_ATTR_COMMON_UID) &&
((s_op->attr.owner == 0) ||
- (s_op->attr.owner == s_op->req->credentials.uid))) ||
+ (s_op->attr.owner == translated_uid))) ||
(((s_op->attr.mask & PVFS_ATTR_COMMON_GID) &&
((s_op->attr.group == 0) ||
- (s_op->attr.group == s_op->req->credentials.gid)))) ||
- (s_op->req->credentials.uid == 0))
+ (s_op->attr.group == translated_gid)))) ||
+ (translated_uid == 0))
{
js_p->error_code = 0;
}
Index: src/server/pvfs2-server.c
===================================================================
RCS file: /anoncvs/pvfs2/src/server/pvfs2-server.c,v
retrieving revision 1.196
diff -u -r1.196 pvfs2-server.c
--- src/server/pvfs2-server.c 11 Nov 2005 21:31:09 -0000 1.196
+++ src/server/pvfs2-server.c 8 Dec 2005 07:35:24 -0000
@@ -334,6 +334,11 @@
&pvfs2_list_eattr_sm}
};
+struct server_configuration_s *PINT_get_server_config(void)
+{
+ return &server_config;
+}
+
int main(int argc, char **argv)
{
int ret = -1, siglevel = 0;
@@ -1062,6 +1067,14 @@
"for %s: %s\n", cur_fs->file_system_name,
((cur_fs->trove_sync_data == TROVE_SYNC) ?
"yes" : "no"));
+
+ gossip_debug(GOSSIP_SERVER_DEBUG, "Export options for "
+ "%s:\n RootSquash %s\n AllSquash %s\n ReadOnly %s\n"
+ " AnonUID %u\n AnonGID %u\n",
cur_fs->file_system_name,
+ (cur_fs->exp_flags & TROVE_EXP_ROOT_SQUASH) ? "yes" :
"no",
+ (cur_fs->exp_flags & TROVE_EXP_ALL_SQUASH) ? "yes" :
"no",
+ (cur_fs->exp_flags & TROVE_EXP_READ_ONLY) ? "yes" :
"no",
+ cur_fs->exp_anon_uid, cur_fs->exp_anon_gid);
/* format and pass sync mode to the flow implementation */
snprintf(buf, 16, "%d,%d", cur_fs->coll_id,
Index: src/server/set-attr.sm
===================================================================
RCS file: /anoncvs/pvfs2/src/server/set-attr.sm,v
retrieving revision 1.60
diff -u -r1.60 set-attr.sm
--- src/server/set-attr.sm 11 Nov 2005 21:31:09 -0000 1.60
+++ src/server/set-attr.sm 8 Dec 2005 07:35:24 -0000
@@ -108,6 +108,9 @@
PINT_server_op *s_op, job_status_s *js_p)
{
PVFS_object_attr *a_p = NULL, *req_a_p = NULL;
+ PVFS_fs_id fsid;
+ PVFS_uid translated_uid;
+ PVFS_gid translated_gid;
PINT_STATE_DEBUG("verify_attribs");
@@ -118,6 +121,14 @@
"[owner = %d, group = %d, perms = %o, type = %d]\n",
a_p->owner, a_p->group, a_p->perms, a_p->objtype);
+ /* In case the file system exported does some form of squashing, we need
to enforce it here */
+ fsid = s_op->req->u.setattr.fs_id;
+ if (PINT_translate_ids(fsid, req_a_p->owner, req_a_p->group,
&translated_uid,
+ &translated_gid) == 1)
+ {
+ req_a_p->owner = translated_uid;
+ req_a_p->group = translated_gid;
+ }
gossip_debug(GOSSIP_SETATTR_DEBUG, " attrs read from request:\n\t"
"[owner = %d, group = %d, perms = %o, type = %d]\n",
req_a_p->owner, req_a_p->group, req_a_p->perms,
_______________________________________________
PVFS2-users mailing list
[email protected]
http://www.beowulf-underground.org/mailman/listinfo/pvfs2-users
