| Message ID | 20220901145237.267010-1-xiubli@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ceph: force sending open request to MDS for root user | expand |
On 9/1/22 10:52 PM, xiubli@redhat.com wrote: > From: Xiubo Li <xiubli@redhat.com> > > With the root_squash MDS caps enabled and for a root user it should > fail to write the file. But currently the kclient will just skip > sending a open request and check the cap instead even with the root > user. This will skip checking the MDS caps in MDS server. > > URL: https://tracker.ceph.com/issues/56067 > URL: https://tracker.ceph.com/issues/57154 > Signed-off-by: Xiubo Li <xiubli@redhat.com> > --- > fs/ceph/file.c | 17 ++++++++++++----- > 1 file changed, 12 insertions(+), 5 deletions(-) > > diff --git a/fs/ceph/file.c b/fs/ceph/file.c > index 86265713a743..642c0facbdcd 100644 > --- a/fs/ceph/file.c > +++ b/fs/ceph/file.c > @@ -360,6 +360,7 @@ int ceph_open(struct inode *inode, struct file *file) > struct ceph_mds_client *mdsc = fsc->mdsc; > struct ceph_mds_request *req; > struct ceph_file_info *fi = file->private_data; > + uid_t uid = from_kuid(&init_user_ns, get_current_cred()->fsuid); > int err; > int flags, fmode, wanted; > > @@ -393,13 +394,19 @@ int ceph_open(struct inode *inode, struct file *file) > } > > /* > - * No need to block if we have caps on the auth MDS (for > - * write) or any MDS (for read). Update wanted set > - * asynchronously. > + * If the caller is root user and the Fw caps is required > + * it will force sending a open request to MDS to let > + * the MDS do the root_squash MDS caps check. > + * > + * Otherwise no need to block if we have caps on the auth > + * MDS (for write) or any MDS (for read). Update wanted > + * set asynchronously. > */ > spin_lock(&ci->i_ceph_lock); > - if (__ceph_is_any_real_caps(ci) && > - (((fmode & CEPH_FILE_MODE_WR) == 0) || ci->i_auth_cap)) { > + if (((fmode & CEPH_FILE_MODE_WR) && uid != 0) && This should be: if (!((fmode & CEPH_FILE_MODE_WR) && !uid) && Will send the V2 to fix it. - Xiubo > + (__ceph_is_any_real_caps(ci) && > + (((fmode & CEPH_FILE_MODE_WR) == 0) || ci->i_auth_cap))) { > + > int mds_wanted = __ceph_caps_mds_wanted(ci, true); > int issued = __ceph_caps_issued(ci, NULL); >
diff --git a/fs/ceph/file.c b/fs/ceph/file.c index 86265713a743..642c0facbdcd 100644 --- a/fs/ceph/file.c +++ b/fs/ceph/file.c @@ -360,6 +360,7 @@ int ceph_open(struct inode *inode, struct file *file) struct ceph_mds_client *mdsc = fsc->mdsc; struct ceph_mds_request *req; struct ceph_file_info *fi = file->private_data; + uid_t uid = from_kuid(&init_user_ns, get_current_cred()->fsuid); int err; int flags, fmode, wanted; @@ -393,13 +394,19 @@ int ceph_open(struct inode *inode, struct file *file) } /* - * No need to block if we have caps on the auth MDS (for - * write) or any MDS (for read). Update wanted set - * asynchronously. + * If the caller is root user and the Fw caps is required + * it will force sending a open request to MDS to let + * the MDS do the root_squash MDS caps check. + * + * Otherwise no need to block if we have caps on the auth + * MDS (for write) or any MDS (for read). Update wanted + * set asynchronously. */ spin_lock(&ci->i_ceph_lock); - if (__ceph_is_any_real_caps(ci) && - (((fmode & CEPH_FILE_MODE_WR) == 0) || ci->i_auth_cap)) { + if (((fmode & CEPH_FILE_MODE_WR) && uid != 0) && + (__ceph_is_any_real_caps(ci) && + (((fmode & CEPH_FILE_MODE_WR) == 0) || ci->i_auth_cap))) { + int mds_wanted = __ceph_caps_mds_wanted(ci, true); int issued = __ceph_caps_issued(ci, NULL);