nfs/auth: Fix sensitivity to rw,ro ordering in the exports file

Summary: When a netgroup is marked as rw in the exports file, and another netgroup is marked as ro for the same share, the ro option is not honored. This diff fixes that bug Test Plan: Added a test and verifies that it passes with this patch and does not pass without this patch. Reviewers: rwareing, dph, moox Reviewed By: moox FB-commit-id: 2d36d2d Change-Id: Ia394f36472f094a62ddfedc0c8fd5d95e247b4b0 Signed-off-by: Kevin Vigor <kvigor@fb.com> Reviewed-on: https://review.gluster.org/16908 Smoke: Gluster Build System <jenkins@build.gluster.org> Reviewed-by: Shreyas Siravara <sshreyas@fb.com> CentOS-regression: Gluster Build System <jenkins@build.gluster.org> NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org>
author: Shreyas Siravara <sshreyas@fb.com> 2015-09-02 22:58:32 -0700
committer: Kevin Vigor <kvigor@fb.com> 2017-03-17 13:13:32 -0400
commit: bc7df6287a79a817579b9f925b9e97cd997201f3 (patch)
tree: 145ccfbd4b69113bfe85705859f121710353f4d8
parent: ae361e8339cc51966ebd222d7fb9046e936d56f5 (diff)
2 files changed, 48 insertions, 4 deletions
diff --git a/tests/basic/mount-nfs-auth.t b/tests/basic/mount-nfs-auth.t
index 99f032cbd44..a2e1d1697a3 100755
--- a/tests/basic/mount-nfs-auth.t
+++ b/tests/basic/mount-nfs-auth.t
@@ -31,7 +31,11 @@ V0L1="$V0/L1"
 V0L2="$V0L1/L2"
 V0L3="$V0L2/L3"
 
+NETGROUP_COMPLEX_ALLOW="storage storage.region\nstorage.region (1.2.3.4,,)\nngtop ng1\nng1 ($H0,,)"
+EXPORT_COMPLEX_RO_ALLOW="/$V0L1 @storage(sec=sys,rw,anonuid=0) @ngtop(sec=sys,ro,anonuid=0)"
+
 # Other variations for allow & deny
+EXPORT_ALLOW_NETGROUP_RO="/$V0 @ngtop(sec=sys,ro,anonuid=0)"
 EXPORT_ALLOW_RO="/$V0 $H0(sec=sys,ro,anonuid=0) @ngtop(sec=sys,ro,anonuid=0)"
 EXPORT_ALLOW_L1="/$V0L1 $H0(sec=sys,rw,anonuid=0) @ngtop(sec=sys,rw,anonuid=0)"
 EXPORT_WILDCARD="/$V0 *(sec=sys,rw,anonuid=0) @ngtop(sec=sys,rw,anonuid=0)"
@@ -68,6 +72,10 @@ function export_allow_this_host_ro () {
         printf "$EXPORT_ALLOW_RO\n" > ${NFSDIR}/exports
 }
 
+function export_allow_netgroup_ro () {
+        printf "$EXPORT_ALLOW_NETGROUP_RO\n" > ${NFSDIR}/exports
+}
+
 function netgroup_allow_this_host () {
         printf "$NETGROUP_ALLOW\n" > ${NFSDIR}/netgroups
 }
@@ -76,6 +84,14 @@ function netgroup_deny_this_host () {
         printf "$NETGROUP_DENY\n" > ${NFSDIR}/netgroups
 }
 
+function netgroup_complex_allow() {
+        printf "$NETGROUP_COMPLEX_ALLOW\n" > ${NFSDIR}/netgroup
+}
+
+function export_complex_ro_allow() {
+        printf "$EXPORT_COMPLEX_RO_ALLOW\n" > ${NFSDIR}/exports
+}
+
 function create_vol () {
         $CLI vol create $V0 $H0:$B0/b0
 }
@@ -269,6 +285,29 @@ TEST ! create      # Create should not be allowed
 TEST stat_nfs      # Stat should be allowed
 EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0
 
+TEST export_allow_netgroup_ro
+TEST netgroup_allow_this_host
+sleep $AUTH_REFRESH_SLEEP
+
+TEST do_mount $V0
+TEST ! small_write # Writes should not be allowed
+TEST ! create      # Create should not be allowed
+TEST stat_nfs      # Stat should be allowed
+EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0
+
+# This test checks the case where the exports file
+# has a 'rw' perm set for a netgroup followed
+# by a 'ro' perm for a different netgroup.
+TEST netgroup_complex_allow
+TEST export_complex_ro_allow
+sleep $AUTH_REFRESH_SLEEP
+
+TEST do_mount $V0L1
+TEST ! small_write # Writes should not be allowed
+TEST ! create      # Create should not be allowed
+TEST stat_nfs      # Stat should be allowed
+EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0
+
 TEST export_deny_this_host
 TEST netgroup_deny_this_host
 TEST export_allow_this_host_l1 # Allow this host at L1
diff --git a/xlators/nfs/server/src/mount3-auth.c b/xlators/nfs/server/src/mount3-auth.c
index 97c95cbfd23..831d92edbef 100644
--- a/xlators/nfs/server/src/mount3-auth.c
+++ b/xlators/nfs/server/src/mount3-auth.c
@@ -429,6 +429,15 @@ __export_dir_lookup_netgroup (dict_t *dict, char *key, data_t *val,
 
         GF_ASSERT ((*key == '@'));
 
+        /**
+         * If at any point in time as we search through the dictionaries,
+         * if we were marked as "Found", we should exit out immediately
+         * and not set anything else in this struct.
+         */
+        if (ngsa->found) {
+                goto out;
+        }
+
         /* We use ++key here because keys start with '@' for ngs */
         ngentry = ng_file_get_netgroup (nfile, (key + 1));
         if (!ngentry) {
@@ -452,10 +461,6 @@ __export_dir_lookup_netgroup (dict_t *dict, char *key, data_t *val,
                               ngsa);
         }
 
-        /* If the above search was successful, just return */
-        if (ngsa->found)
-                goto out;
-
         /* Run through the netgroups dict */
         if (ngentry->netgroup_ngs) {
                 ngsa->_is_host_dict = _gf_false;
author	Shreyas Siravara <sshreyas@fb.com>	2015-09-02 22:58:32 -0700
committer	Kevin Vigor <kvigor@fb.com>	2017-03-17 13:13:32 -0400
commit	bc7df6287a79a817579b9f925b9e97cd997201f3 (patch)
tree	145ccfbd4b69113bfe85705859f121710353f4d8
parent	ae361e8339cc51966ebd222d7fb9046e936d56f5 (diff)