NFSv4: Reintroduce machine creds
We need to try to ensure that we always use the same credentials whenever we re-establish the clientid on the server. If not, the server won't recognise that we're the same client, and so may not allow us to recover state. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
This commit is contained in:
parent
78ea323be6
commit
7c67db3a8a
|
@ -112,6 +112,7 @@ struct nfs_client_initdata {
|
||||||
static struct nfs_client *nfs_alloc_client(const struct nfs_client_initdata *cl_init)
|
static struct nfs_client *nfs_alloc_client(const struct nfs_client_initdata *cl_init)
|
||||||
{
|
{
|
||||||
struct nfs_client *clp;
|
struct nfs_client *clp;
|
||||||
|
struct rpc_cred *cred;
|
||||||
|
|
||||||
if ((clp = kzalloc(sizeof(*clp), GFP_KERNEL)) == NULL)
|
if ((clp = kzalloc(sizeof(*clp), GFP_KERNEL)) == NULL)
|
||||||
goto error_0;
|
goto error_0;
|
||||||
|
@ -150,6 +151,9 @@ static struct nfs_client *nfs_alloc_client(const struct nfs_client_initdata *cl_
|
||||||
clp->cl_boot_time = CURRENT_TIME;
|
clp->cl_boot_time = CURRENT_TIME;
|
||||||
clp->cl_state = 1 << NFS4CLNT_LEASE_EXPIRED;
|
clp->cl_state = 1 << NFS4CLNT_LEASE_EXPIRED;
|
||||||
#endif
|
#endif
|
||||||
|
cred = rpc_lookup_machine_cred();
|
||||||
|
if (!IS_ERR(cred))
|
||||||
|
clp->cl_machine_cred = cred;
|
||||||
|
|
||||||
return clp;
|
return clp;
|
||||||
|
|
||||||
|
@ -191,6 +195,9 @@ static void nfs_free_client(struct nfs_client *clp)
|
||||||
if (__test_and_clear_bit(NFS_CS_CALLBACK, &clp->cl_res_state))
|
if (__test_and_clear_bit(NFS_CS_CALLBACK, &clp->cl_res_state))
|
||||||
nfs_callback_down();
|
nfs_callback_down();
|
||||||
|
|
||||||
|
if (clp->cl_machine_cred != NULL)
|
||||||
|
put_rpccred(clp->cl_machine_cred);
|
||||||
|
|
||||||
kfree(clp->cl_hostname);
|
kfree(clp->cl_hostname);
|
||||||
kfree(clp);
|
kfree(clp);
|
||||||
|
|
||||||
|
|
|
@ -32,6 +32,8 @@ struct nfs_client {
|
||||||
const struct nfs_rpc_ops *rpc_ops; /* NFS protocol vector */
|
const struct nfs_rpc_ops *rpc_ops; /* NFS protocol vector */
|
||||||
int cl_proto; /* Network transport protocol */
|
int cl_proto; /* Network transport protocol */
|
||||||
|
|
||||||
|
struct rpc_cred *cl_machine_cred;
|
||||||
|
|
||||||
#ifdef CONFIG_NFS_V4
|
#ifdef CONFIG_NFS_V4
|
||||||
u64 cl_clientid; /* constant */
|
u64 cl_clientid; /* constant */
|
||||||
nfs4_verifier cl_confirm;
|
nfs4_verifier cl_confirm;
|
||||||
|
|
|
@ -26,6 +26,7 @@ struct auth_cred {
|
||||||
uid_t uid;
|
uid_t uid;
|
||||||
gid_t gid;
|
gid_t gid;
|
||||||
struct group_info *group_info;
|
struct group_info *group_info;
|
||||||
|
unsigned char machine_cred : 1;
|
||||||
};
|
};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -130,6 +131,7 @@ void __exit rpcauth_remove_module(void);
|
||||||
void __exit rpc_destroy_generic_auth(void);
|
void __exit rpc_destroy_generic_auth(void);
|
||||||
|
|
||||||
struct rpc_cred * rpc_lookup_cred(void);
|
struct rpc_cred * rpc_lookup_cred(void);
|
||||||
|
struct rpc_cred * rpc_lookup_machine_cred(void);
|
||||||
int rpcauth_register(const struct rpc_authops *);
|
int rpcauth_register(const struct rpc_authops *);
|
||||||
int rpcauth_unregister(const struct rpc_authops *);
|
int rpcauth_unregister(const struct rpc_authops *);
|
||||||
struct rpc_auth * rpcauth_create(rpc_authflavor_t, struct rpc_clnt *);
|
struct rpc_auth * rpcauth_create(rpc_authflavor_t, struct rpc_clnt *);
|
||||||
|
|
|
@ -84,6 +84,7 @@ struct gss_cred {
|
||||||
enum rpc_gss_svc gc_service;
|
enum rpc_gss_svc gc_service;
|
||||||
struct gss_cl_ctx *gc_ctx;
|
struct gss_cl_ctx *gc_ctx;
|
||||||
struct gss_upcall_msg *gc_upcall;
|
struct gss_upcall_msg *gc_upcall;
|
||||||
|
unsigned char gc_machine_cred : 1;
|
||||||
};
|
};
|
||||||
|
|
||||||
#endif /* __KERNEL__ */
|
#endif /* __KERNEL__ */
|
||||||
|
|
|
@ -17,6 +17,9 @@
|
||||||
# define RPCDBG_FACILITY RPCDBG_AUTH
|
# define RPCDBG_FACILITY RPCDBG_AUTH
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#define RPC_ANONYMOUS_USERID ((uid_t)-2)
|
||||||
|
#define RPC_ANONYMOUS_GROUPID ((gid_t)-2)
|
||||||
|
|
||||||
struct generic_cred {
|
struct generic_cred {
|
||||||
struct rpc_cred gc_base;
|
struct rpc_cred gc_base;
|
||||||
struct auth_cred acred;
|
struct auth_cred acred;
|
||||||
|
@ -35,6 +38,22 @@ struct rpc_cred *rpc_lookup_cred(void)
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(rpc_lookup_cred);
|
EXPORT_SYMBOL_GPL(rpc_lookup_cred);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Public call interface for looking up machine creds.
|
||||||
|
*/
|
||||||
|
struct rpc_cred *rpc_lookup_machine_cred(void)
|
||||||
|
{
|
||||||
|
struct auth_cred acred = {
|
||||||
|
.uid = RPC_ANONYMOUS_USERID,
|
||||||
|
.gid = RPC_ANONYMOUS_GROUPID,
|
||||||
|
.machine_cred = 1,
|
||||||
|
};
|
||||||
|
|
||||||
|
dprintk("RPC: looking up machine cred\n");
|
||||||
|
return generic_auth.au_ops->lookup_cred(&generic_auth, &acred, 0);
|
||||||
|
}
|
||||||
|
EXPORT_SYMBOL_GPL(rpc_lookup_machine_cred);
|
||||||
|
|
||||||
static void
|
static void
|
||||||
generic_bind_cred(struct rpc_task *task, struct rpc_cred *cred)
|
generic_bind_cred(struct rpc_task *task, struct rpc_cred *cred)
|
||||||
{
|
{
|
||||||
|
@ -75,8 +94,10 @@ generic_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags)
|
||||||
gcred->acred.group_info = acred->group_info;
|
gcred->acred.group_info = acred->group_info;
|
||||||
if (gcred->acred.group_info != NULL)
|
if (gcred->acred.group_info != NULL)
|
||||||
get_group_info(gcred->acred.group_info);
|
get_group_info(gcred->acred.group_info);
|
||||||
|
gcred->acred.machine_cred = acred->machine_cred;
|
||||||
|
|
||||||
dprintk("RPC: allocated generic cred %p for uid %d gid %d\n",
|
dprintk("RPC: allocated %s cred %p for uid %d gid %d\n",
|
||||||
|
gcred->acred.machine_cred ? "machine" : "generic",
|
||||||
gcred, acred->uid, acred->gid);
|
gcred, acred->uid, acred->gid);
|
||||||
return &gcred->gc_base;
|
return &gcred->gc_base;
|
||||||
}
|
}
|
||||||
|
@ -115,7 +136,8 @@ generic_match(struct auth_cred *acred, struct rpc_cred *cred, int flags)
|
||||||
|
|
||||||
if (gcred->acred.uid != acred->uid ||
|
if (gcred->acred.uid != acred->uid ||
|
||||||
gcred->acred.gid != acred->gid ||
|
gcred->acred.gid != acred->gid ||
|
||||||
gcred->acred.group_info != acred->group_info)
|
gcred->acred.group_info != acred->group_info ||
|
||||||
|
gcred->acred.machine_cred != acred->machine_cred)
|
||||||
return 0;
|
return 0;
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
|
@ -371,9 +371,16 @@ gss_alloc_msg(struct gss_auth *gss_auth, uid_t uid)
|
||||||
static struct gss_upcall_msg *
|
static struct gss_upcall_msg *
|
||||||
gss_setup_upcall(struct rpc_clnt *clnt, struct gss_auth *gss_auth, struct rpc_cred *cred)
|
gss_setup_upcall(struct rpc_clnt *clnt, struct gss_auth *gss_auth, struct rpc_cred *cred)
|
||||||
{
|
{
|
||||||
|
struct gss_cred *gss_cred = container_of(cred,
|
||||||
|
struct gss_cred, gc_base);
|
||||||
struct gss_upcall_msg *gss_new, *gss_msg;
|
struct gss_upcall_msg *gss_new, *gss_msg;
|
||||||
|
uid_t uid = cred->cr_uid;
|
||||||
|
|
||||||
gss_new = gss_alloc_msg(gss_auth, cred->cr_uid);
|
/* Special case: rpc.gssd assumes that uid == 0 implies machine creds */
|
||||||
|
if (gss_cred->gc_machine_cred != 0)
|
||||||
|
uid = 0;
|
||||||
|
|
||||||
|
gss_new = gss_alloc_msg(gss_auth, uid);
|
||||||
if (gss_new == NULL)
|
if (gss_new == NULL)
|
||||||
return ERR_PTR(-ENOMEM);
|
return ERR_PTR(-ENOMEM);
|
||||||
gss_msg = gss_add_msg(gss_auth, gss_new);
|
gss_msg = gss_add_msg(gss_auth, gss_new);
|
||||||
|
@ -818,6 +825,7 @@ gss_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags)
|
||||||
*/
|
*/
|
||||||
cred->gc_base.cr_flags = 1UL << RPCAUTH_CRED_NEW;
|
cred->gc_base.cr_flags = 1UL << RPCAUTH_CRED_NEW;
|
||||||
cred->gc_service = gss_auth->service;
|
cred->gc_service = gss_auth->service;
|
||||||
|
cred->gc_machine_cred = acred->machine_cred;
|
||||||
kref_get(&gss_auth->kref);
|
kref_get(&gss_auth->kref);
|
||||||
return &cred->gc_base;
|
return &cred->gc_base;
|
||||||
|
|
||||||
|
@ -855,6 +863,8 @@ gss_match(struct auth_cred *acred, struct rpc_cred *rc, int flags)
|
||||||
if (gss_cred->gc_ctx && time_after(jiffies, gss_cred->gc_ctx->gc_expiry))
|
if (gss_cred->gc_ctx && time_after(jiffies, gss_cred->gc_ctx->gc_expiry))
|
||||||
return 0;
|
return 0;
|
||||||
out:
|
out:
|
||||||
|
if (acred->machine_cred != gss_cred->gc_machine_cred)
|
||||||
|
return 0;
|
||||||
return (rc->cr_uid == acred->uid);
|
return (rc->cr_uid == acred->uid);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue