authorShreyas Siravara <sshreyas@fb.com>2016-05-24 10:51:23 -0700
committerJeff Darcy <jeff@pl.atyp.us>2017-12-06 20:52:36 +0000
commit820a91a219bbeb65f84d963db3fd79e261f194ad (patch)
treeb85d9bc174f9da369475c2ee9674d661e856469b /xlators
parent7f2e67d40d1006e88fda86eb04699c15db3440ee (diff)
nfs: Check if FQDN is authorized before unmounting clients
Summary: - We have a thread that checks if connected clients are "still" authorized for a mount. - This thread is currently only checking the IP (regression from the 3.4 -> 3.6 rebase, perhaps). - This diff adds code to check the IP *and* the FQDN before unmounting the client. Test Plan: Tested on devserver, auth prove tests. Reviewers: rwareing, kvigor Reviewed By: kvigor Change-Id: I441a4436d8df064d2f09a2539acb780ab53943f6 BUG: 1522847 Reviewed-on: https://review.gluster.org/18193 Reviewed-by: Shreyas Siravara <sshreyas@fb.com> CentOS-regression: Gluster Build System <jenkins@build.gluster.org> Smoke: Gluster Build System <jenkins@build.gluster.org> Signed-off-by: Siri Uppalapati <siri@fb.com>
Diffstat (limited to 'xlators')
-rw-r--r--xlators/nfs/server/src/mount3.c46
1 files changed, 39 insertions, 7 deletions
diff --git a/xlators/nfs/server/src/mount3.c b/xlators/nfs/server/src/mount3.c
index b171d2ce138..40244e9b794 100644
--- a/xlators/nfs/server/src/mount3.c
+++ b/xlators/nfs/server/src/mount3.c
@@ -3712,9 +3712,11 @@ __mnt3_mounted_exports_walk (dict_t *dict, char *key, data_t *val, void *tmp)
{
char *path = NULL;
char *host_addr_ip = NULL;
+ char *host_addr_fqdn = NULL;
char *keydup = NULL;
char *colon = NULL;
struct mnt3_auth_params *auth_params = NULL;
+ int ret = 0;
int auth_status_code = 0;
gf_msg_trace (GF_MNT, 0, "Checking if key %s is authorized.", key);
@@ -3740,14 +3742,44 @@ __mnt3_mounted_exports_walk (dict_t *dict, char *key, data_t *val, void *tmp)
/* Host is one character after ':' */
host_addr_ip = colon + 1;
- auth_status_code = mnt3_auth_host (auth_params, host_addr_ip, NULL,
- path, _gf_false, NULL);
- if (auth_status_code != 0) {
- gf_msg (GF_MNT, GF_LOG_ERROR, 0, NFS_MSG_AUTH_ERROR,
- "%s is no longer authorized for %s",
- host_addr_ip, path);
- mnt3svc_umount (auth_params->ms, path, host_addr_ip);
+
+ /* Check if the IP is authorized */
+ auth_status_code = mnt3_auth_host (auth_params, host_addr_ip,
+ NULL, path, FALSE, NULL);
+ if (auth_status_code == 0) {
+ goto out;
}
+
+ ret = gf_get_hostname_from_ip (host_addr_ip, &host_addr_fqdn);
+ if (ret != 0) {
+ gf_msg (GF_MNT, GF_LOG_DEBUG, 0, NFS_MSG_AUTH_ERROR ,
+ "Authorization failed for IP [%s], but name "
+ "resolution also failed!", host_addr_ip);
+ goto unmount;
+ }
+
+ /* If not, check if the FQDN is authorized */
+ gf_msg (GF_MNT, GF_LOG_DEBUG, 0, NFS_MSG_AUTH_ERROR,
+ "Authorization failed for IP [%s], attempting to"
+ " auth hostname [%s]...", host_addr_ip, host_addr_fqdn);
+
+ auth_status_code = mnt3_auth_host (auth_params, host_addr_fqdn,
+ NULL, path, FALSE, NULL);
+ if (auth_status_code == 0) {
+ gf_msg (GF_MNT, GF_LOG_DEBUG, 0, NFS_MSG_AUTH_ERROR,
+ "Authorization succeeded for "
+ "Client [IP=%s, Hostname=%s].",
+ host_addr_ip, host_addr_fqdn);
+ goto out;
+ }
+
+unmount:
+ gf_msg (GF_MNT, GF_LOG_ERROR, 0, NFS_MSG_AUTH_ERROR,
+ "Client [IP=%s, Hostname=%s] not authorized for this mount. "
+ "Unmounting!", host_addr_ip, host_addr_fqdn);
+ mnt3svc_umount (auth_params->ms, path, host_addr_ip);
+out:
+ GF_FREE (host_addr_fqdn);
return 0;
}
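Review bot: The second `mnt3_auth_host` call authorizes on the name returned by `gf_get_hostname_from_ip (host_addr_ip, &host_addr_fqdn)`, which is a reverse lookup, so a client whose IP has already failed the check stays mounted whenever the PTR record for that IP names an allowed host. Unless that helper already forward-confirms the name (its body is not visible here), the name should be resolved back and accepted only if the result contains `host_addr_ip`, otherwise fall through to `unmount`. Separately, when resolution fails the code jumps to `unmount` with `host_addr_fqdn` presumably still NULL and passes it to `%s` in the final `gf_msg`; pass `host_addr_fqdn ? host_addr_fqdn : "(unresolved)"` there instead. The start of `__mnt3_mounted_exports_walk` lies outside this hunk.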