From patchwork Mon Dec 2 20:32:49 2013
X-Patchwork-Submitter: Chuck Lever
X-Patchwork-Id: 296000
To: fedfs-utils-devel@oss.oracle.com
From: Chuck Lever
Date: Mon, 02 Dec 2013 15:32:49 -0500
Message-ID: <20131202203249.12541.30992.stgit@seurat.1015granger.net>
In-Reply-To: <20131202201953.12541.27594.stgit@seurat.1015granger.net>
References: <20131202201953.12541.27594.stgit@seurat.1015granger.net>
User-Agent: StGit/0.16
Subject: [fedfs-utils] [PATCH 05/11] fedfsc: Convert fedfs-delete-replication to use new libadmin API

Add support for AUTH_UNIX and RPCSEC_GSS security. The tool now exits with a typical Unix exit status code.
Signed-off-by: Chuck Lever --- doc/man/fedfs-delete-replication.8 | 105 +++++++------------ src/fedfsc/fedfs-delete-replication.c | 180 +++++++++++++++++++-------------- 2 files changed, 144 insertions(+), 141 deletions(-) diff --git a/doc/man/fedfs-delete-replication.8 b/doc/man/fedfs-delete-replication.8 index a12bbfa..2a4ad79 100644 --- a/doc/man/fedfs-delete-replication.8 +++ b/doc/man/fedfs-delete-replication.8 @@ -5,7 +5,7 @@ .\" .\" -.\" Copyright 2011 Oracle. All rights reserved. +.\" Copyright 2011, 2013 Oracle. All rights reserved. .\" .\" This file is part of fedfs-utils. .\" @@ -33,6 +33,8 @@ fedfs-delete-replication \- send a FEDFS_DELETE_REPLICATION ADMIN protocol reque .IR nettype ] .RB [ \-h .IR hostname ] +.RB [ \-s +.IR security ] .I path .SH INTRODUCTION RFC 5716 introduces the Federated File System (FedFS, for short). 
@@ -90,70 +92,21 @@ If this option is not specified, the default value is See .BR rpc (3t) for details. -.SH EXIT CODES -The remote administration service returns a value that reflects the -success of the requested operation. -.TP -.B FEDFS_OK -The operation succeeded. -.TP -.B FEDFS_ERR_ACCESS -The caller does not have permission to perform the requested operation -on the remote server. -.TP -.B FEDFS_ERR_BADCHAR -The pathname contains a character which is not -supported by the remote server. -.TP -.B FEDFS_ERR_BADNAME -A component of the pathname consisted of valid UTF-8 characters -supported by the remote server, -but the name is not supported by the remote server -as a valid name for the current operation. -.TP -.B FEDFS_ERR_NAMETOOLONG -The length of the pathname exceeds the remote server’s implementation limit. -.TP -.B FEDFS_ERR_LOOP -Too many symbolic links were encountered in resolving the pathname. -.TP -.B FEDFS_ERR_BADXDR -The remote server encountered an XDR decoding error while -processing the request. -.TP -.B FEDFS_ERR_INVAL -One of the arguments was not valid. -.TP -.B FEDFS_ERR_IO -A hard error occurred on the remote server. -.TP -.B FEDFS_ERR_NOSPC -The requested operation would have caused the remote -server’s filesystem to exceed some limit (for example, if there is -a fixed number of replications per fileset or per server). -.TP -.B FEDFS_ERR_NOTJUNCT -The pathname does not end in a replication. -.TP -.B FEDFS_ERR_NOTLOCAL -The pathname contains a junction in any position other than the last component. -.TP -.B FEDFS_ERR_PERM -The operation was not allowed because the caller is -either not a privileged user or not the owner of an object that -would be modified by the operation. -.TP -.B FEDFS_ERR_ROFS -A modifying operation was attempted on a read-only filesystem. -.TP -.B FEDFS_ERR_SVRFAULT -An unanticipated non-protocol error occurred on the remote server. 
-.TP -.B FEDFS_ERR_PATH_TYPE_UNSUPP -The remote server does not support the specified FedFsPathType value. -.TP -.B FEDFS_ERR_NOTSUPP -The remote server does not support the specified procedure. +.IP "\fB\-s, \-\-security=\fIflavor\fP" +Specifies the security flavor to use +when contacting the remote FedFS ADMIN service. +Valid flavors are +.BR sys , +.BR unix , +.BR krb5 , +.BR krb5i ", and" +.BR krb5p . +If this option is not specified, the +.B unix +flavor is used. +See the +.B SECURITY +section of this man page for details. .SH EXAMPLES Suppose you are the FedFS administrator of the .I example.net @@ -165,10 +118,30 @@ use: .sp $ fedfs-delete-replication -h fs.example.net /export/replication1 .SH SECURITY -RPCSEC GSSAPI authentication has not yet been implemented for this command. +By default, or if the +.B sys +and +.B unix +flavors are specified with the +.BI \-\-security= flavor +option, the +.BR fedfs-create-junction (8) +command uses AUTH_SYS security for the Remote Procedure Call. +AUTH_SYS has known weaknesses and should be avoided on untrusted networks. +.P +The RPC client uses the Kerberos v5 GSS mechanism +if a Kerberos security flavor is specified. +When specifying a Kerberos security flavor, +the user must first obtain a valid Kerberos ticket using +.BR kinit (1) +before running +.BR fedfs-create-junction (8). +.P +The AUTH_NONE security flavor is no longer supported by this implementation. .SH "SEE ALSO" .BR fedfs (7), .BR rpc.fedfsd (8), +.BR kinit (1), .BR rpc (3t) .sp RFC 5716 for FedFS requirements and overview diff --git a/src/fedfsc/fedfs-delete-replication.c b/src/fedfsc/fedfs-delete-replication.c index 8da9ebd..aff44f6 100644 --- a/src/fedfsc/fedfs-delete-replication.c +++ b/src/fedfsc/fedfs-delete-replication.c @@ -4,7 +4,7 @@ */ /* - * Copyright 2010 Oracle. All rights reserved. + * Copyright 2010, 2013 Oracle. All rights reserved. * * This file is part of fedfs-utils. * 
@@ -27,30 +27,25 @@ #include #include +#include #include #include #include #include #include -#include - #include "fedfs.h" #include "fedfs_admin.h" +#include "admin.h" #include "nsdb.h" #include "junction.h" #include "xlog.h" #include "gpl-boiler.h" /** - * Default RPC request timeout - */ -static struct timeval fedfs_delete_replication_timeout = { 25, 0 }; - -/** * Short form command line options */ -static const char fedfs_delete_replication_opts[] = "?dh:n:"; +static const char fedfs_delete_replication_opts[] = "?dh:n:s:"; /** * Long form command line options @@ -60,6 +55,7 @@ static const struct option fedfs_delete_replication_longopts[] = { { "help", 0, NULL, '?', }, { "hostname", 1, NULL, 'h', }, { "nettype", 1, NULL, 'n', }, + { "security", 1, NULL, 's', }, { NULL, 0, NULL, 0, }, }; @@ -67,8 +63,9 @@ static const struct option fedfs_delete_replication_longopts[] = { * Display program synopsis * * @param progname NUL-terminated C string containing name of program + * @return program exit status */ -static void +static int fedfs_delete_replication_usage(const char *progname) { fprintf(stderr, "\n%s version " VERSION "\n", progname); 
@@ -79,70 +76,97 @@ fedfs_delete_replication_usage(const char *progname) fprintf(stderr, "\t-d, --debug Enable debug messages\n"); fprintf(stderr, "\t-n, --nettype RPC transport (default: 'netpath')\n"); fprintf(stderr, "\t-h, --hostname ADMIN server hostname (default: 'localhost')\n"); + fprintf(stderr, "\t-s, --security RPC security level\n"); fprintf(stderr, "%s", fedfs_gpl_boilerplate); - exit((int)FEDFS_ERR_INVAL); + return EXIT_FAILURE; } /** * Delete a replication on a remote fileserver * - * @param hostname NUL-terminated UTF-8 string containing ADMIN server's hostname - * @param nettype NUL-terminated C string containing nettype to use for connection - * @param path NUL-terminated C string containing remote pathname of replication to delete - * @return a FedFsStatus code + * @param host an initialized and opened admin_t + * @param path_array an array of NUL-terminated C strings containing pathname components + * @return program exit status */ -static FedFsStatus -fedfs_delete_replication_call(const char *hostname, const char *nettype, - const char *path) +static int +fedfs_delete_replication_try(admin_t host, char * const *path_array) { - enum clnt_stat status; - FedFsStatus result; - char **path_array; - CLIENT *client; - FedFsPath arg; - - memset(&arg, 0, sizeof(arg)); - - result = nsdb_posix_to_path_array(path, &path_array); - if (result != FEDFS_OK) { - fprintf(stderr, "Failed to encode pathname: %s", - nsdb_display_fedfsstatus(result)); - return result; - } - result = nsdb_path_array_to_fedfspathname(path_array, - &arg.FedFsPath_u.adminPath); - if (result != FEDFS_OK) { - fprintf(stderr, "Failed to encode pathname: %s", - nsdb_display_fedfsstatus(result)); - nsdb_free_string_array(path_array); - return result; - } - - client = clnt_create(hostname, FEDFS_PROG, FEDFS_V1, nettype); - if (client == NULL) { - clnt_pcreateerror("Failed to create FEDFS client"); - result = FEDFS_ERR_SVRFAULT; + int status, err; + + status = EXIT_FAILURE; + err = 
admin_delete_replication(host, path_array); + switch (err) { + case 0: + break; + case EACCES: + xlog(L_ERROR, "%s: access denied", admin_hostname(host)); + xlog(D_GENERAL, "%s", + admin_perror(host, admin_hostname(host))); + goto out; + case EIO: + xlog(L_ERROR, "%s", + admin_perror(host, admin_hostname(host))); + goto out; + default: + xlog(L_ERROR, "ADMIN client: %s", strerror(err)); goto out; } - memset((char *)&result, 0, sizeof(result)); - status = clnt_call(client, FEDFS_DELETE_REPLICATION, - (xdrproc_t)xdr_FedFsPath, (caddr_t)&arg, - (xdrproc_t)xdr_FedFsStatus, (caddr_t)&result, - fedfs_delete_replication_timeout); - if (status != RPC_SUCCESS) { - clnt_perror(client, "FEDFS_DELETE_REPLICATION call failed"); - result = FEDFS_ERR_SVRFAULT; - } else - nsdb_print_fedfsstatus(result); - (void)clnt_destroy(client); + switch (admin_status(host)) { + case FEDFS_OK: + printf("Replication deleted successfully\n"); + status = EXIT_SUCCESS; + break; + case FEDFS_ERR_NSDB_PARAMS: + printf("No connection parameters found\n"); + break; + default: + nsdb_print_fedfsstatus(admin_status(host)); + } out: - nsdb_free_fedfspathname(&arg.FedFsPath_u.adminPath); - nsdb_free_string_array(path_array); - return result; + return status; +} + +/** + * Delete a replication on a remote fileserver + * + * @param hostname NUL-terminated UTF-8 string containing ADMIN server's hostname + * @param nettype NUL-terminated C string containing nettype to use for connection + * @param security NUL-terminated C string containing RPC security mode + * @param path_array an array of NUL-terminated C strings containing pathname components + * @return program exit status + */ +static int +fedfs_delete_replication_host(const char *hostname, const char *nettype, + const char *security, char * const *path_array) +{ + admin_t host; + int status; + + status = EXIT_FAILURE; + switch (admin_create(hostname, nettype, security, &host)) { + case 0: + status = fedfs_delete_replication_try(host, path_array); + 
admin_release(host); + break; + case EINVAL: + xlog(L_ERROR, "Invalid command line parameter"); + break; + case EACCES: + xlog(L_ERROR, "Failed to authenticate server"); + break; + case EKEYEXPIRED: + xlog(L_ERROR, "User credentials not found"); + break; + default: + xlog(L_ERROR, "%s", + admin_open_perror(admin_hostname(host))); + } + + return status; } /** @@ -155,10 +179,10 @@ out: int main(int argc, char **argv) { - char *progname, *hostname, *nettype, *path; - unsigned int seconds; - FedFsStatus status; - int arg; + char *progname, *hostname, *nettype, *security, *path; + FedFsStatus retval; + char **path_array; + int arg, status; (void)setlocale(LC_ALL, ""); (void)umask(S_IRWXO); @@ -176,6 +200,7 @@ main(int argc, char **argv) hostname = "localhost"; nettype = "netpath"; + security = "unix"; while ((arg = getopt_long(argc, argv, fedfs_delete_replication_opts, fedfs_delete_replication_longopts, NULL)) != -1) { switch (arg) { case 'd': 
@@ -184,30 +209,35 @@ main(int argc, char **argv) case 'h': hostname = optarg; break; + case 's': + security = optarg; + break; default: fprintf(stderr, "Invalid command line argument: %c\n", (char)arg); case '?': - fedfs_delete_replication_usage(progname); + return fedfs_delete_replication_usage(progname); } } if (argc == optind + 1) path = argv[optind]; else if (argc > optind + 1) { fprintf(stderr, "Unrecognized positional parameters\n"); - fedfs_delete_replication_usage(progname); + return fedfs_delete_replication_usage(progname); } else { fprintf(stderr, "No replication pathname was specified\n"); - fedfs_delete_replication_usage(progname); + return fedfs_delete_replication_usage(progname); } - for (seconds = FEDFS_DELAY_MIN_SECS;; seconds = fedfs_delay(seconds)) { - status = fedfs_delete_replication_call(hostname, nettype, path); - if (status != FEDFS_ERR_DELAY) - break; - - xlog(D_GENERAL, "Delaying %u seconds...", seconds); - if (sleep(seconds) != 0) - break; + retval = nsdb_posix_to_path_array(path, &path_array); + if (retval != FEDFS_OK) { + fprintf(stderr, "Failed to encode pathname: %s", + nsdb_display_fedfsstatus(retval)); + return EXIT_FAILURE; } - return (int)status; + + status = fedfs_delete_replication_host(hostname, nettype, + security, path_array); + + nsdb_free_string_array(path_array); + return status; }
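Review bot: the doc/man hunk at @@ -90,70 +92,21 @@ deletes the entire EXIT CODES section without replacing it, yet the commit message says the tool now exits with a typical Unix exit status. Add an EXIT STATUS section stating that the command exits 0 on success and non-zero on any failure (the code returns EXIT_SUCCESS or EXIT_FAILURE), and note that the server's FedFsStatus value is now only printed via nsdb_print_fedfsstatus(), not returned, so scripts that previously tested for FEDFS_* exit values must be adjusted.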
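Review bot: in the new SECURITY section of doc/man/fedfs-delete-replication.8 both `.BR fedfs-create-junction (8)` references name the wrong command; this is the fedfs-delete-replication man page, so they should read `.BR fedfs-delete-replication (8)`. In the same paragraph, "if the sys and unix flavors are specified" reads as both at once; "if the sys or unix flavor is specified" matches the single-valued `--security=flavor` option.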
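Review bot: in fedfs_delete_replication_host() (hunk @@ -79,70 +76,97 @@) the `default:` branch of the admin_create() switch calls admin_hostname(host) even though admin_create() has just failed; unless admin_create() guarantees that *host is assigned on every error path, this reads an uninitialized admin_t. The hostname argument is already in scope, so `xlog(L_ERROR, "%s", admin_open_perror(hostname));` sidesteps the question. In the same hunk, fedfs_delete_replication_usage() now returns EXIT_FAILURE unconditionally, so an explicit `-?`/`--help` request also exits non-zero; the usual convention is EXIT_SUCCESS when help was requested and EXIT_FAILURE only for the invalid-argument and missing-pathname paths.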
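Review bot: the main() hunk at @@ -184,30 +209,35 @@ drops the FEDFS_DELAY_MIN_SECS / fedfs_delay() retry loop that previously re-issued the call while the server returned FEDFS_ERR_DELAY; with the new code such a response falls into the nsdb_print_fedfsstatus() default case in fedfs_delete_replication_try() and the tool exits with EXIT_FAILURE. If libadmin's admin_delete_replication() now handles the delay internally, the commit message should say so; otherwise the loop should be kept around the fedfs_delete_replication_host() call so a transient server-side delay is not reported as a hard failure.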