| -rwxr-xr-x | tests/basic/mount-nfs-auth.t | 39 | ||||
| -rw-r--r-- | xlators/nfs/server/src/mount3-auth.c | 13 |
2 files changed, 48 insertions, 4 deletions
diff --git a/tests/basic/mount-nfs-auth.t b/tests/basic/mount-nfs-auth.t
index 99f032cbd44..a2e1d1697a3 100755
--- a/tests/basic/mount-nfs-auth.t
+++ b/tests/basic/mount-nfs-auth.t
@@ -31,7 +31,11 @@ V0L1="$V0/L1"
 V0L2="$V0L1/L2"
 V0L3="$V0L2/L3"
+NETGROUP_COMPLEX_ALLOW="storage storage.region\nstorage.region (1.2.3.4,,)\nngtop ng1\nng1 ($H0,,)"
+EXPORT_COMPLEX_RO_ALLOW="/$V0L1 @storage(sec=sys,rw,anonuid=0) @ngtop(sec=sys,ro,anonuid=0)"
+
 # Other variations for allow & deny
+EXPORT_ALLOW_NETGROUP_RO="/$V0 @ngtop(sec=sys,ro,anonuid=0)"
 EXPORT_ALLOW_RO="/$V0 $H0(sec=sys,ro,anonuid=0) @ngtop(sec=sys,ro,anonuid=0)"
 EXPORT_ALLOW_L1="/$V0L1 $H0(sec=sys,rw,anonuid=0) @ngtop(sec=sys,rw,anonuid=0)"
 EXPORT_WILDCARD="/$V0 *(sec=sys,rw,anonuid=0) @ngtop(sec=sys,rw,anonuid=0)"
@@ -68,6 +72,10 @@ function export_allow_this_host_ro () {
 printf "$EXPORT_ALLOW_RO\n" > ${NFSDIR}/exports
 }
+function export_allow_netgroup_ro () {
+ printf "$EXPORT_ALLOW_NETGROUP_RO\n" > ${NFSDIR}/exports
+}
+
 function netgroup_allow_this_host () {
 printf "$NETGROUP_ALLOW\n" > ${NFSDIR}/netgroups
 }
@@ -76,6 +84,14 @@ function netgroup_deny_this_host () {
 printf "$NETGROUP_DENY\n" > ${NFSDIR}/netgroups
 }
+function netgroup_complex_allow() {
+ printf "$NETGROUP_COMPLEX_ALLOW\n" > ${NFSDIR}/netgroup
+}
+
+function export_complex_ro_allow() {
+ printf "$EXPORT_COMPLEX_RO_ALLOW\n" > ${NFSDIR}/exports
+}
+
 function create_vol () {
 $CLI vol create $V0 $H0:$B0/b0
 }
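Review bot: `netgroup_complex_allow` in the `@@ -76,6 +84,14 @@` hunk writes to `${NFSDIR}/netgroup`, while `netgroup_allow_this_host` and `netgroup_deny_this_host` next to it write `${NFSDIR}/netgroups`. If the server reads the plural file, as those helpers suggest, `NETGROUP_COMPLEX_ALLOW` is never loaded and the rw-then-ro case added in the `@@ -269,6 +285,29 @@` hunk runs against the netgroups left by the preceding `netgroup_allow_this_host`, so it can pass without exercising the fix in mount3-auth.c. The redirect should read `printf "$NETGROUP_COMPLEX_ALLOW\n" > ${NFSDIR}/netgroups`.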
@@ -269,6 +285,29 @@ TEST ! create # Create should not be allowed
 TEST stat_nfs # Stat should be allowed
 EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0
+TEST export_allow_netgroup_ro
+TEST netgroup_allow_this_host
+sleep $AUTH_REFRESH_SLEEP
+
+TEST do_mount $V0
+TEST ! small_write # Writes should not be allowed
+TEST ! create # Create should not be allowed
+TEST stat_nfs # Stat should be allowed
+EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0
+
+# This test checks the case where the exports file
+# has a 'rw' perm set for a netgroup followed
+# by a 'ro' perm for a different netgroup.
+TEST netgroup_complex_allow
+TEST export_complex_ro_allow
+sleep $AUTH_REFRESH_SLEEP
+
+TEST do_mount $V0L1
+TEST ! small_write # Writes should not be allowed
+TEST ! create # Create should not be allowed
+TEST stat_nfs # Stat should be allowed
+EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" umount_nfs $N0
+
 TEST export_deny_this_host
 TEST netgroup_deny_this_host
 TEST export_allow_this_host_l1 # Allow this host at L1
diff --git a/xlators/nfs/server/src/mount3-auth.c b/xlators/nfs/server/src/mount3-auth.c
index 97c95cbfd23..831d92edbef 100644
--- a/xlators/nfs/server/src/mount3-auth.c
+++ b/xlators/nfs/server/src/mount3-auth.c
@@ -429,6 +429,15 @@ __export_dir_lookup_netgroup (dict_t *dict, char *key, data_t *val,
 GF_ASSERT ((*key == '@'));
+ /**
+ * If at any point in time as we search through the dictionaries,
+ * if we were marked as "Found", we should exit out immediately
+ * and not set anything else in this struct.
+ */
+ if (ngsa->found) {
+ goto out;
+ }
+
 /* We use ++key here because keys start with '@' for ngs */
 ngentry = ng_file_get_netgroup (nfile, (key + 1));
 if (!ngentry) {
@@ -452,10 +461,6 @@ __export_dir_lookup_netgroup (dict_t *dict, char *key, data_t *val,
 ngsa);
 }
- /* If the above search was successful, just return */
- if (ngsa->found)
- goto out;
-
 /* Run through the netgroups dict */
 if (ngentry->netgroup_ngs) {
 ngsa->_is_host_dict = _gf_false; |
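Review bot: The early `if (ngsa->found) goto out;` added at the top of `__export_dir_lookup_netgroup` (hunk `@@ -429,6 +429,15 @@`) makes the first matching netgroup decide the result, so for a host that belongs to two netgroups exported with different options (`rw` and `ro`) the access granted would follow the order in which the export's netgroup keys are visited; that order is not visible here and should be stated or pinned. The added test appears to cover only a host that is in the `ro` group alone. The comment could say this directly, e.g. `/* First match wins: once ngsa->found is set, later netgroup keys must not overwrite the matched entry. */`. The function starts and ends outside the hunk, so what `out` returns to the caller cannot be checked from these lines.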
