HDFS-6439. Merging change r1603622 from trunk

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1603624 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Brandon Li 2014-06-18 20:50:05 +00:00
parent 6c92704276
commit 5e0bc1ee85
12 changed files with 290 additions and 182 deletions

View File

@ -17,12 +17,9 @@
*/ */
package org.apache.hadoop.nfs.nfs3; package org.apache.hadoop.nfs.nfs3;
import java.net.InetAddress;
import org.apache.hadoop.nfs.nfs3.response.NFS3Response; import org.apache.hadoop.nfs.nfs3.response.NFS3Response;
import org.apache.hadoop.oncrpc.RpcInfo;
import org.apache.hadoop.oncrpc.XDR; import org.apache.hadoop.oncrpc.XDR;
import org.apache.hadoop.oncrpc.security.SecurityHandler;
import org.jboss.netty.channel.Channel;
/** /**
* RPC procedures as defined in RFC 1813. * RPC procedures as defined in RFC 1813.
@ -33,70 +30,65 @@ public interface Nfs3Interface {
public NFS3Response nullProcedure(); public NFS3Response nullProcedure();
/** GETATTR: Get file attributes */ /** GETATTR: Get file attributes */
public NFS3Response getattr(XDR xdr, SecurityHandler securityHandler, public NFS3Response getattr(XDR xdr, RpcInfo info);
InetAddress client);
/** SETATTR: Set file attributes */ /** SETATTR: Set file attributes */
public NFS3Response setattr(XDR xdr, SecurityHandler securityHandler, public NFS3Response setattr(XDR xdr, RpcInfo info);
InetAddress client);
/** LOOKUP: Lookup filename */ /** LOOKUP: Lookup filename */
public NFS3Response lookup(XDR xdr, SecurityHandler securityHandler, public NFS3Response lookup(XDR xdr, RpcInfo info);
InetAddress client);
/** ACCESS: Check access permission */ /** ACCESS: Check access permission */
public NFS3Response access(XDR xdr, SecurityHandler securityHandler, public NFS3Response access(XDR xdr, RpcInfo info);
InetAddress client);
/** READLINK: Read from symbolic link */
public NFS3Response readlink(XDR xdr, RpcInfo info);
/** READ: Read from file */ /** READ: Read from file */
public NFS3Response read(XDR xdr, SecurityHandler securityHandler, public NFS3Response read(XDR xdr, RpcInfo info);
InetAddress client);
/** WRITE: Write to file */ /** WRITE: Write to file */
public NFS3Response write(XDR xdr, Channel channel, int xid, public NFS3Response write(XDR xdr, RpcInfo info);
SecurityHandler securityHandler, InetAddress client);
/** CREATE: Create a file */ /** CREATE: Create a file */
public NFS3Response create(XDR xdr, SecurityHandler securityHandler, public NFS3Response create(XDR xdr, RpcInfo info);
InetAddress client);
/** MKDIR: Create a directory */ /** MKDIR: Create a directory */
public NFS3Response mkdir(XDR xdr, SecurityHandler securityHandler, public NFS3Response mkdir(XDR xdr, RpcInfo info);
InetAddress client);
/** REMOVE: Remove a file */
public NFS3Response remove(XDR xdr, SecurityHandler securityHandler,
InetAddress client);
/** RMDIR: Remove a directory */
public NFS3Response rmdir(XDR xdr, SecurityHandler securityHandler,
InetAddress client);
/** RENAME: Rename a file or directory */
public NFS3Response rename(XDR xdr, SecurityHandler securityHandler,
InetAddress client);
/** SYMLINK: Create a symbolic link */ /** SYMLINK: Create a symbolic link */
public NFS3Response symlink(XDR xdr, SecurityHandler securityHandler, public NFS3Response symlink(XDR xdr, RpcInfo info);
InetAddress client);
/** MKNOD: Create a special device */
public NFS3Response mknod(XDR xdr, RpcInfo info);
/** REMOVE: Remove a file */
public NFS3Response remove(XDR xdr, RpcInfo info);
/** RMDIR: Remove a directory */
public NFS3Response rmdir(XDR xdr, RpcInfo info);
/** RENAME: Rename a file or directory */
public NFS3Response rename(XDR xdr, RpcInfo info);
/** LINK: create link to an object */
public NFS3Response link(XDR xdr, RpcInfo info);
/** READDIR: Read From directory */ /** READDIR: Read From directory */
public NFS3Response readdir(XDR xdr, SecurityHandler securityHandler, public NFS3Response readdir(XDR xdr, RpcInfo info);
InetAddress client);
/** READDIRPLUS: Extended read from directory */
public NFS3Response readdirplus(XDR xdr, RpcInfo info);
/** FSSTAT: Get dynamic file system information */ /** FSSTAT: Get dynamic file system information */
public NFS3Response fsstat(XDR xdr, SecurityHandler securityHandler, public NFS3Response fsstat(XDR xdr, RpcInfo info);
InetAddress client);
/** FSINFO: Get static file system information */ /** FSINFO: Get static file system information */
public NFS3Response fsinfo(XDR xdr, SecurityHandler securityHandler, public NFS3Response fsinfo(XDR xdr, RpcInfo info);
InetAddress client);
/** PATHCONF: Retrieve POSIX information */ /** PATHCONF: Retrieve POSIX information */
public NFS3Response pathconf(XDR xdr, SecurityHandler securityHandler, public NFS3Response pathconf(XDR xdr, RpcInfo info);
InetAddress client);
/** COMMIT: Commit cached data on a server to stable storage */ /** COMMIT: Commit cached data on a server to stable storage */
public NFS3Response commit(XDR xdr, Channel channel, int xid, public NFS3Response commit(XDR xdr, RpcInfo info);
SecurityHandler securityHandler, InetAddress client);
} }

View File

@ -48,7 +48,7 @@ public abstract class RpcProgram extends SimpleChannelUpstreamHandler {
private final int progNumber; private final int progNumber;
private final int lowProgVersion; private final int lowProgVersion;
private final int highProgVersion; private final int highProgVersion;
private final boolean allowInsecurePorts; protected final boolean allowInsecurePorts;
/** /**
* If not null, this will be used as the socket to use to connect to the * If not null, this will be used as the socket to use to connect to the
@ -146,31 +146,6 @@ public abstract class RpcProgram extends SimpleChannelUpstreamHandler {
RpcCall call = (RpcCall) info.header(); RpcCall call = (RpcCall) info.header();
SocketAddress remoteAddress = info.remoteAddress(); SocketAddress remoteAddress = info.remoteAddress();
if (!allowInsecurePorts) {
if (LOG.isDebugEnabled()) {
LOG.debug("Will not allow connections from unprivileged ports. " +
"Checking for valid client port...");
}
if (remoteAddress instanceof InetSocketAddress) {
InetSocketAddress inetRemoteAddress = (InetSocketAddress) remoteAddress;
if (inetRemoteAddress.getPort() > 1023) {
LOG.warn("Connection attempted from '" + inetRemoteAddress + "' "
+ "which is an unprivileged port. Rejecting connection.");
sendRejectedReply(call, remoteAddress, ctx);
return;
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("Accepting connection from '" + remoteAddress + "'");
}
}
} else {
LOG.warn("Could not determine remote port of socket address '" +
remoteAddress + "'. Rejecting connection.");
sendRejectedReply(call, remoteAddress, ctx);
return;
}
}
if (LOG.isTraceEnabled()) { if (LOG.isTraceEnabled()) {
LOG.trace(program + " procedure #" + call.getProcedure()); LOG.trace(program + " procedure #" + call.getProcedure());
} }
@ -191,6 +166,29 @@ public abstract class RpcProgram extends SimpleChannelUpstreamHandler {
handleInternal(ctx, info); handleInternal(ctx, info);
} }
public boolean doPortMonitoring(SocketAddress remoteAddress) {
if (!allowInsecurePorts) {
if (LOG.isTraceEnabled()) {
LOG.trace("Will not allow connections from unprivileged ports. "
+ "Checking for valid client port...");
}
if (remoteAddress instanceof InetSocketAddress) {
InetSocketAddress inetRemoteAddress = (InetSocketAddress) remoteAddress;
if (inetRemoteAddress.getPort() > 1023) {
LOG.warn("Connection attempted from '" + inetRemoteAddress + "' "
+ "which is an unprivileged port. Rejecting connection.");
return false;
}
} else {
LOG.warn("Could not determine remote port of socket address '"
+ remoteAddress + "'. Rejecting connection.");
return false;
}
}
return true;
}
private void sendAcceptedReply(RpcCall call, SocketAddress remoteAddress, private void sendAcceptedReply(RpcCall call, SocketAddress remoteAddress,
AcceptState acceptState, ChannelHandlerContext ctx) { AcceptState acceptState, ChannelHandlerContext ctx) {
RpcAcceptedReply reply = RpcAcceptedReply.getInstance(call.getXid(), RpcAcceptedReply reply = RpcAcceptedReply.getInstance(call.getXid(),
@ -208,7 +206,7 @@ public abstract class RpcProgram extends SimpleChannelUpstreamHandler {
RpcUtil.sendRpcResponse(ctx, rsp); RpcUtil.sendRpcResponse(ctx, rsp);
} }
private static void sendRejectedReply(RpcCall call, protected static void sendRejectedReply(RpcCall call,
SocketAddress remoteAddress, ChannelHandlerContext ctx) { SocketAddress remoteAddress, ChannelHandlerContext ctx) {
XDR out = new XDR(); XDR out = new XDR();
RpcDeniedReply reply = new RpcDeniedReply(call.getXid(), RpcDeniedReply reply = new RpcDeniedReply(call.getXid(),

View File

@ -66,6 +66,18 @@ public class TestFrameDecoder {
@Override @Override
protected void handleInternal(ChannelHandlerContext ctx, RpcInfo info) { protected void handleInternal(ChannelHandlerContext ctx, RpcInfo info) {
// This is just like what's done in RpcProgramMountd#handleInternal and
// RpcProgramNfs3#handleInternal.
RpcCall rpcCall = (RpcCall) info.header();
final int procedure = rpcCall.getProcedure();
if (procedure != 0) {
boolean portMonitorSuccess = doPortMonitoring(info.remoteAddress());
if (!portMonitorSuccess) {
sendRejectedReply(rpcCall, info.remoteAddress(), ctx);
return;
}
}
resultSize = info.data().readableBytes(); resultSize = info.data().readableBytes();
RpcAcceptedReply reply = RpcAcceptedReply.getAcceptInstance(1234, RpcAcceptedReply reply = RpcAcceptedReply.getAcceptInstance(1234,
new VerifierNone()); new VerifierNone());
@ -190,6 +202,20 @@ public class TestFrameDecoder {
// Verify the server rejected the request. // Verify the server rejected the request.
assertEquals(0, resultSize); assertEquals(0, resultSize);
// Ensure that the NULL procedure does in fact succeed.
xdrOut = new XDR();
createPortmapXDRheader(xdrOut, 0);
int headerSize = xdrOut.size();
buffer = new byte[bufsize];
xdrOut.writeFixedOpaque(buffer);
int requestSize = xdrOut.size() - headerSize;
// Send the request to the server
testRequest(xdrOut, serverPort);
// Verify the server did not reject the request.
assertEquals(requestSize, resultSize);
} }
private static int startRpcServer(boolean allowInsecurePorts) { private static int startRpcServer(boolean allowInsecurePorts) {

View File

@ -51,7 +51,8 @@ public class NfsConfigKeys {
public static final String DFS_NFS_KEYTAB_FILE_KEY = "nfs.keytab.file"; public static final String DFS_NFS_KEYTAB_FILE_KEY = "nfs.keytab.file";
public static final String DFS_NFS_KERBEROS_PRINCIPAL_KEY = "nfs.kerberos.principal"; public static final String DFS_NFS_KERBEROS_PRINCIPAL_KEY = "nfs.kerberos.principal";
public static final String DFS_NFS_REGISTRATION_PORT_KEY = "nfs.registration.port"; public static final String DFS_NFS_REGISTRATION_PORT_KEY = "nfs.registration.port";
public static final int DFS_NFS_REGISTRATION_PORT_DEFAULT = 40; // Currently unassigned. public static final int DFS_NFS_REGISTRATION_PORT_DEFAULT = 40; // Currently unassigned.
public static final String DFS_NFS_ALLOW_INSECURE_PORTS_KEY = "nfs.allow.insecure.ports"; public static final String DFS_NFS_PORT_MONITORING_DISABLED_KEY = "nfs.port.monitoring.disabled";
public static final boolean DFS_NFS_ALLOW_INSECURE_PORTS_DEFAULT = true; public static final boolean DFS_NFS_PORT_MONITORING_DISABLED_DEFAULT = true;
} }

View File

@ -49,6 +49,8 @@ public class NfsConfiguration extends HdfsConfiguration {
new DeprecationDelta("dfs.nfs3.stream.timeout", new DeprecationDelta("dfs.nfs3.stream.timeout",
NfsConfigKeys.DFS_NFS_STREAM_TIMEOUT_KEY), NfsConfigKeys.DFS_NFS_STREAM_TIMEOUT_KEY),
new DeprecationDelta("dfs.nfs3.export.point", new DeprecationDelta("dfs.nfs3.export.point",
NfsConfigKeys.DFS_NFS_EXPORT_POINT_KEY) }); NfsConfigKeys.DFS_NFS_EXPORT_POINT_KEY),
new DeprecationDelta("nfs.allow.insecure.ports",
NfsConfigKeys.DFS_NFS_PORT_MONITORING_DISABLED_KEY) });
} }
} }

View File

@ -194,7 +194,13 @@ public class RpcProgramMountd extends RpcProgram implements MountInterface {
if (mntproc == MNTPROC.NULL) { if (mntproc == MNTPROC.NULL) {
out = nullOp(out, xid, client); out = nullOp(out, xid, client);
} else if (mntproc == MNTPROC.MNT) { } else if (mntproc == MNTPROC.MNT) {
out = mnt(xdr, out, xid, client); // Only do port monitoring for MNT
if (!doPortMonitoring(info.remoteAddress())) {
out = MountResponse.writeMNTResponse(Nfs3Status.NFS3ERR_ACCES, out,
xid, null);
} else {
out = mnt(xdr, out, xid, client);
}
} else if (mntproc == MNTPROC.DUMP) { } else if (mntproc == MNTPROC.DUMP) {
out = dump(out, xid, client); out = dump(out, xid, client);
} else if (mntproc == MNTPROC.UMNT) { } else if (mntproc == MNTPROC.UMNT) {

View File

@ -61,8 +61,8 @@ public class Nfs3 extends Nfs3Base {
StringUtils.startupShutdownMessage(Nfs3.class, args, LOG); StringUtils.startupShutdownMessage(Nfs3.class, args, LOG);
NfsConfiguration conf = new NfsConfiguration(); NfsConfiguration conf = new NfsConfiguration();
boolean allowInsecurePorts = conf.getBoolean( boolean allowInsecurePorts = conf.getBoolean(
NfsConfigKeys.DFS_NFS_ALLOW_INSECURE_PORTS_KEY, NfsConfigKeys.DFS_NFS_PORT_MONITORING_DISABLED_KEY,
NfsConfigKeys.DFS_NFS_ALLOW_INSECURE_PORTS_DEFAULT); NfsConfigKeys.DFS_NFS_PORT_MONITORING_DISABLED_DEFAULT);
final Nfs3 nfsServer = new Nfs3(conf, registrationSocket, final Nfs3 nfsServer = new Nfs3(conf, registrationSocket,
allowInsecurePorts); allowInsecurePorts);
nfsServer.startServiceInternal(true); nfsServer.startServiceInternal(true);

View File

@ -23,6 +23,7 @@ import java.io.IOException;
import java.net.DatagramSocket; import java.net.DatagramSocket;
import java.net.InetAddress; import java.net.InetAddress;
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.nio.ByteBuffer; import java.nio.ByteBuffer;
import java.util.EnumSet; import java.util.EnumSet;
@ -230,15 +231,15 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public GETATTR3Response getattr(XDR xdr, SecurityHandler securityHandler, public GETATTR3Response getattr(XDR xdr, RpcInfo info) {
InetAddress client) {
GETATTR3Response response = new GETATTR3Response(Nfs3Status.NFS3_OK); GETATTR3Response response = new GETATTR3Response(Nfs3Status.NFS3_OK);
if (!checkAccessPrivilege(client, AccessPrivilege.READ_ONLY)) { if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
response.setStatus(Nfs3Status.NFS3ERR_ACCES); response.setStatus(Nfs3Status.NFS3ERR_ACCES);
return response; return response;
} }
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -322,9 +323,9 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public SETATTR3Response setattr(XDR xdr, SecurityHandler securityHandler, public SETATTR3Response setattr(XDR xdr, RpcInfo info) {
InetAddress client) {
SETATTR3Response response = new SETATTR3Response(Nfs3Status.NFS3_OK); SETATTR3Response response = new SETATTR3Response(Nfs3Status.NFS3_OK);
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -370,7 +371,7 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
// check the write access privilege // check the write access privilege
if (!checkAccessPrivilege(client, AccessPrivilege.READ_WRITE)) { if (!checkAccessPrivilege(info, AccessPrivilege.READ_WRITE)) {
return new SETATTR3Response(Nfs3Status.NFS3ERR_ACCES, new WccData( return new SETATTR3Response(Nfs3Status.NFS3ERR_ACCES, new WccData(
preOpWcc, preOpAttr)); preOpWcc, preOpAttr));
} }
@ -398,15 +399,15 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public LOOKUP3Response lookup(XDR xdr, SecurityHandler securityHandler, public LOOKUP3Response lookup(XDR xdr, RpcInfo info) {
InetAddress client) {
LOOKUP3Response response = new LOOKUP3Response(Nfs3Status.NFS3_OK); LOOKUP3Response response = new LOOKUP3Response(Nfs3Status.NFS3_OK);
if (!checkAccessPrivilege(client, AccessPrivilege.READ_ONLY)) { if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
response.setStatus(Nfs3Status.NFS3ERR_ACCES); response.setStatus(Nfs3Status.NFS3ERR_ACCES);
return response; return response;
} }
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -460,15 +461,15 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public ACCESS3Response access(XDR xdr, SecurityHandler securityHandler, public ACCESS3Response access(XDR xdr, RpcInfo info) {
InetAddress client) {
ACCESS3Response response = new ACCESS3Response(Nfs3Status.NFS3_OK); ACCESS3Response response = new ACCESS3Response(Nfs3Status.NFS3_OK);
if (!checkAccessPrivilege(client, AccessPrivilege.READ_ONLY)) { if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
response.setStatus(Nfs3Status.NFS3ERR_ACCES); response.setStatus(Nfs3Status.NFS3ERR_ACCES);
return response; return response;
} }
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -519,15 +520,16 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
} }
public READLINK3Response readlink(XDR xdr, SecurityHandler securityHandler, @Override
InetAddress client) { public READLINK3Response readlink(XDR xdr, RpcInfo info) {
READLINK3Response response = new READLINK3Response(Nfs3Status.NFS3_OK); READLINK3Response response = new READLINK3Response(Nfs3Status.NFS3_OK);
if (!checkAccessPrivilege(client, AccessPrivilege.READ_ONLY)) { if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
response.setStatus(Nfs3Status.NFS3ERR_ACCES); response.setStatus(Nfs3Status.NFS3ERR_ACCES);
return response; return response;
} }
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -591,12 +593,19 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public READ3Response read(XDR xdr, SecurityHandler securityHandler, public READ3Response read(XDR xdr, RpcInfo info) {
InetAddress client) { SecurityHandler securityHandler = getSecurityHandler(info);
SocketAddress remoteAddress = info.remoteAddress();
return read(xdr, securityHandler, remoteAddress);
}
@VisibleForTesting
READ3Response read(XDR xdr, SecurityHandler securityHandler,
SocketAddress remoteAddress) {
READ3Response response = new READ3Response(Nfs3Status.NFS3_OK); READ3Response response = new READ3Response(Nfs3Status.NFS3_OK);
final String userName = securityHandler.getUser(); final String userName = securityHandler.getUser();
if (!checkAccessPrivilege(client, AccessPrivilege.READ_ONLY)) { if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_ONLY)) {
response.setStatus(Nfs3Status.NFS3ERR_ACCES); response.setStatus(Nfs3Status.NFS3ERR_ACCES);
return response; return response;
} }
@ -715,8 +724,17 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public WRITE3Response write(XDR xdr, Channel channel, int xid, public WRITE3Response write(XDR xdr, RpcInfo info) {
SecurityHandler securityHandler, InetAddress client) { SecurityHandler securityHandler = getSecurityHandler(info);
RpcCall rpcCall = (RpcCall) info.header();
int xid = rpcCall.getXid();
SocketAddress remoteAddress = info.remoteAddress();
return write(xdr, info.channel(), xid, securityHandler, remoteAddress);
}
@VisibleForTesting
WRITE3Response write(XDR xdr, Channel channel, int xid,
SecurityHandler securityHandler, SocketAddress remoteAddress) {
WRITE3Response response = new WRITE3Response(Nfs3Status.NFS3_OK); WRITE3Response response = new WRITE3Response(Nfs3Status.NFS3_OK);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
@ -758,7 +776,7 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
return new WRITE3Response(Nfs3Status.NFS3ERR_STALE); return new WRITE3Response(Nfs3Status.NFS3ERR_STALE);
} }
if (!checkAccessPrivilege(client, AccessPrivilege.READ_WRITE)) { if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_WRITE)) {
return new WRITE3Response(Nfs3Status.NFS3ERR_ACCES, new WccData( return new WRITE3Response(Nfs3Status.NFS3ERR_ACCES, new WccData(
Nfs3Utils.getWccAttr(preOpAttr), preOpAttr), 0, stableHow, Nfs3Utils.getWccAttr(preOpAttr), preOpAttr), 0, stableHow,
Nfs3Constant.WRITE_COMMIT_VERF); Nfs3Constant.WRITE_COMMIT_VERF);
@ -791,8 +809,15 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public CREATE3Response create(XDR xdr, SecurityHandler securityHandler, public CREATE3Response create(XDR xdr, RpcInfo info) {
InetAddress client) { SecurityHandler securityHandler = getSecurityHandler(info);
SocketAddress remoteAddress = info.remoteAddress();
return create(xdr, securityHandler, remoteAddress);
}
@VisibleForTesting
CREATE3Response create(XDR xdr, SecurityHandler securityHandler,
SocketAddress remoteAddress) {
CREATE3Response response = new CREATE3Response(Nfs3Status.NFS3_OK); CREATE3Response response = new CREATE3Response(Nfs3Status.NFS3_OK);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
@ -838,7 +863,7 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
return new CREATE3Response(Nfs3Status.NFS3ERR_STALE); return new CREATE3Response(Nfs3Status.NFS3ERR_STALE);
} }
if (!checkAccessPrivilege(client, AccessPrivilege.READ_WRITE)) { if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_WRITE)) {
return new CREATE3Response(Nfs3Status.NFS3ERR_ACCES, null, return new CREATE3Response(Nfs3Status.NFS3ERR_ACCES, null,
preOpDirAttr, new WccData(Nfs3Utils.getWccAttr(preOpDirAttr), preOpDirAttr, new WccData(Nfs3Utils.getWccAttr(preOpDirAttr),
preOpDirAttr)); preOpDirAttr));
@ -922,9 +947,9 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public MKDIR3Response mkdir(XDR xdr, SecurityHandler securityHandler, public MKDIR3Response mkdir(XDR xdr, RpcInfo info) {
InetAddress client) {
MKDIR3Response response = new MKDIR3Response(Nfs3Status.NFS3_OK); MKDIR3Response response = new MKDIR3Response(Nfs3Status.NFS3_OK);
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -960,7 +985,7 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
return new MKDIR3Response(Nfs3Status.NFS3ERR_STALE); return new MKDIR3Response(Nfs3Status.NFS3ERR_STALE);
} }
if (!checkAccessPrivilege(client, AccessPrivilege.READ_WRITE)) { if (!checkAccessPrivilege(info, AccessPrivilege.READ_WRITE)) {
return new MKDIR3Response(Nfs3Status.NFS3ERR_ACCES, null, preOpDirAttr, return new MKDIR3Response(Nfs3Status.NFS3ERR_ACCES, null, preOpDirAttr,
new WccData(Nfs3Utils.getWccAttr(preOpDirAttr), preOpDirAttr)); new WccData(Nfs3Utils.getWccAttr(preOpDirAttr), preOpDirAttr));
} }
@ -1012,15 +1037,15 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
} }
public READDIR3Response mknod(XDR xdr, @Override
SecurityHandler securityHandler, InetAddress client) { public READDIR3Response mknod(XDR xdr, RpcInfo info) {
return new READDIR3Response(Nfs3Status.NFS3ERR_NOTSUPP); return new READDIR3Response(Nfs3Status.NFS3ERR_NOTSUPP);
} }
@Override @Override
public REMOVE3Response remove(XDR xdr, public REMOVE3Response remove(XDR xdr, RpcInfo info) {
SecurityHandler securityHandler, InetAddress client) {
REMOVE3Response response = new REMOVE3Response(Nfs3Status.NFS3_OK); REMOVE3Response response = new REMOVE3Response(Nfs3Status.NFS3_OK);
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -1093,9 +1118,9 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public RMDIR3Response rmdir(XDR xdr, SecurityHandler securityHandler, public RMDIR3Response rmdir(XDR xdr, RpcInfo info) {
InetAddress client) {
RMDIR3Response response = new RMDIR3Response(Nfs3Status.NFS3_OK); RMDIR3Response response = new RMDIR3Response(Nfs3Status.NFS3_OK);
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -1129,7 +1154,7 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
WccData errWcc = new WccData(Nfs3Utils.getWccAttr(preOpDirAttr), WccData errWcc = new WccData(Nfs3Utils.getWccAttr(preOpDirAttr),
preOpDirAttr); preOpDirAttr);
if (!checkAccessPrivilege(client, AccessPrivilege.READ_WRITE)) { if (!checkAccessPrivilege(info, AccessPrivilege.READ_WRITE)) {
return new RMDIR3Response(Nfs3Status.NFS3ERR_ACCES, errWcc); return new RMDIR3Response(Nfs3Status.NFS3ERR_ACCES, errWcc);
} }
@ -1175,9 +1200,9 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public RENAME3Response rename(XDR xdr, SecurityHandler securityHandler, public RENAME3Response rename(XDR xdr, RpcInfo info) {
InetAddress client) {
RENAME3Response response = new RENAME3Response(Nfs3Status.NFS3_OK); RENAME3Response response = new RENAME3Response(Nfs3Status.NFS3_OK);
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -1221,7 +1246,7 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
return new RENAME3Response(Nfs3Status.NFS3ERR_STALE); return new RENAME3Response(Nfs3Status.NFS3ERR_STALE);
} }
if (!checkAccessPrivilege(client, AccessPrivilege.READ_WRITE)) { if (!checkAccessPrivilege(info, AccessPrivilege.READ_WRITE)) {
WccData fromWcc = new WccData(Nfs3Utils.getWccAttr(fromPreOpAttr), WccData fromWcc = new WccData(Nfs3Utils.getWccAttr(fromPreOpAttr),
fromPreOpAttr); fromPreOpAttr);
WccData toWcc = new WccData(Nfs3Utils.getWccAttr(toPreOpAttr), WccData toWcc = new WccData(Nfs3Utils.getWccAttr(toPreOpAttr),
@ -1263,15 +1288,15 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public SYMLINK3Response symlink(XDR xdr, SecurityHandler securityHandler, public SYMLINK3Response symlink(XDR xdr, RpcInfo info) {
InetAddress client) {
SYMLINK3Response response = new SYMLINK3Response(Nfs3Status.NFS3_OK); SYMLINK3Response response = new SYMLINK3Response(Nfs3Status.NFS3_OK);
if (!checkAccessPrivilege(client, AccessPrivilege.READ_WRITE)) { if (!checkAccessPrivilege(info, AccessPrivilege.READ_WRITE)) {
response.setStatus(Nfs3Status.NFS3ERR_ACCES); response.setStatus(Nfs3Status.NFS3ERR_ACCES);
return response; return response;
} }
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -1322,8 +1347,8 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
} }
public READDIR3Response link(XDR xdr, SecurityHandler securityHandler, @Override
InetAddress client) { public READDIR3Response link(XDR xdr, RpcInfo info) {
return new READDIR3Response(Nfs3Status.NFS3ERR_NOTSUPP); return new READDIR3Response(Nfs3Status.NFS3ERR_NOTSUPP);
} }
@ -1351,11 +1376,16 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public READDIR3Response readdir(XDR xdr, RpcInfo info) {
SecurityHandler securityHandler = getSecurityHandler(info);
SocketAddress remoteAddress = info.remoteAddress();
return readdir(xdr, securityHandler, remoteAddress);
}
public READDIR3Response readdir(XDR xdr, SecurityHandler securityHandler, public READDIR3Response readdir(XDR xdr, SecurityHandler securityHandler,
InetAddress client) { SocketAddress remoteAddress) {
READDIR3Response response = new READDIR3Response(Nfs3Status.NFS3_OK); READDIR3Response response = new READDIR3Response(Nfs3Status.NFS3_OK);
if (!checkAccessPrivilege(client, AccessPrivilege.READ_ONLY)) { if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_ONLY)) {
response.setStatus(Nfs3Status.NFS3ERR_ACCES); response.setStatus(Nfs3Status.NFS3ERR_ACCES);
return response; return response;
} }
@ -1491,9 +1521,17 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
dirStatus.getModificationTime(), dirList); dirStatus.getModificationTime(), dirList);
} }
public READDIRPLUS3Response readdirplus(XDR xdr, @Override
SecurityHandler securityHandler, InetAddress client) { public READDIRPLUS3Response readdirplus(XDR xdr, RpcInfo info) {
if (!checkAccessPrivilege(client, AccessPrivilege.READ_ONLY)) { SecurityHandler securityHandler = getSecurityHandler(info);
SocketAddress remoteAddress = info.remoteAddress();
return readdirplus(xdr, securityHandler, remoteAddress);
}
@VisibleForTesting
READDIRPLUS3Response readdirplus(XDR xdr, SecurityHandler securityHandler,
SocketAddress remoteAddress) {
if (!checkAccessPrivilege(remoteAddress, AccessPrivilege.READ_ONLY)) {
return new READDIRPLUS3Response(Nfs3Status.NFS3ERR_ACCES); return new READDIRPLUS3Response(Nfs3Status.NFS3ERR_ACCES);
} }
@ -1643,15 +1681,15 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public FSSTAT3Response fsstat(XDR xdr, SecurityHandler securityHandler, public FSSTAT3Response fsstat(XDR xdr, RpcInfo info) {
InetAddress client) {
FSSTAT3Response response = new FSSTAT3Response(Nfs3Status.NFS3_OK); FSSTAT3Response response = new FSSTAT3Response(Nfs3Status.NFS3_OK);
if (!checkAccessPrivilege(client, AccessPrivilege.READ_ONLY)) { if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
response.setStatus(Nfs3Status.NFS3ERR_ACCES); response.setStatus(Nfs3Status.NFS3ERR_ACCES);
return response; return response;
} }
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -1711,15 +1749,15 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public FSINFO3Response fsinfo(XDR xdr, SecurityHandler securityHandler, public FSINFO3Response fsinfo(XDR xdr, RpcInfo info) {
InetAddress client) {
FSINFO3Response response = new FSINFO3Response(Nfs3Status.NFS3_OK); FSINFO3Response response = new FSINFO3Response(Nfs3Status.NFS3_OK);
if (!checkAccessPrivilege(client, AccessPrivilege.READ_ONLY)) { if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
response.setStatus(Nfs3Status.NFS3ERR_ACCES); response.setStatus(Nfs3Status.NFS3ERR_ACCES);
return response; return response;
} }
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -1769,15 +1807,15 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public PATHCONF3Response pathconf(XDR xdr, SecurityHandler securityHandler, public PATHCONF3Response pathconf(XDR xdr, RpcInfo info) {
InetAddress client) {
PATHCONF3Response response = new PATHCONF3Response(Nfs3Status.NFS3_OK); PATHCONF3Response response = new PATHCONF3Response(Nfs3Status.NFS3_OK);
if (!checkAccessPrivilege(client, AccessPrivilege.READ_ONLY)) { if (!checkAccessPrivilege(info, AccessPrivilege.READ_ONLY)) {
response.setStatus(Nfs3Status.NFS3ERR_ACCES); response.setStatus(Nfs3Status.NFS3ERR_ACCES);
return response; return response;
} }
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -1816,9 +1854,11 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
@Override @Override
public COMMIT3Response commit(XDR xdr, Channel channel, int xid, public COMMIT3Response commit(XDR xdr, RpcInfo info) {
SecurityHandler securityHandler, InetAddress client) { //Channel channel, int xid,
// SecurityHandler securityHandler, InetAddress client) {
COMMIT3Response response = new COMMIT3Response(Nfs3Status.NFS3_OK); COMMIT3Response response = new COMMIT3Response(Nfs3Status.NFS3_OK);
SecurityHandler securityHandler = getSecurityHandler(info);
DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser()); DFSClient dfsClient = clientCache.getDfsClient(securityHandler.getUser());
if (dfsClient == null) { if (dfsClient == null) {
response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT); response.setStatus(Nfs3Status.NFS3ERR_SERVERFAULT);
@ -1849,7 +1889,7 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
return new COMMIT3Response(Nfs3Status.NFS3ERR_STALE); return new COMMIT3Response(Nfs3Status.NFS3ERR_STALE);
} }
if (!checkAccessPrivilege(client, AccessPrivilege.READ_WRITE)) { if (!checkAccessPrivilege(info, AccessPrivilege.READ_WRITE)) {
return new COMMIT3Response(Nfs3Status.NFS3ERR_ACCES, new WccData( return new COMMIT3Response(Nfs3Status.NFS3ERR_ACCES, new WccData(
Nfs3Utils.getWccAttr(preOpAttr), preOpAttr), Nfs3Utils.getWccAttr(preOpAttr), preOpAttr),
Nfs3Constant.WRITE_COMMIT_VERF); Nfs3Constant.WRITE_COMMIT_VERF);
@ -1859,8 +1899,10 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
: (request.getOffset() + request.getCount()); : (request.getOffset() + request.getCount());
// Insert commit as an async request // Insert commit as an async request
writeManager.handleCommit(dfsClient, handle, commitOffset, channel, xid, RpcCall rpcCall = (RpcCall) info.header();
preOpAttr); int xid = rpcCall.getXid();
writeManager.handleCommit(dfsClient, handle, commitOffset,
info.channel(), xid, preOpAttr);
return null; return null;
} catch (IOException e) { } catch (IOException e) {
LOG.warn("Exception ", e); LOG.warn("Exception ", e);
@ -1886,6 +1928,11 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
} }
private SecurityHandler getSecurityHandler(RpcInfo info) {
RpcCall rpcCall = (RpcCall) info.header();
return getSecurityHandler(rpcCall.getCredential(), rpcCall.getVerifier());
}
@Override @Override
public void handleInternal(ChannelHandlerContext ctx, RpcInfo info) { public void handleInternal(ChannelHandlerContext ctx, RpcInfo info) {
RpcCall rpcCall = (RpcCall) info.header(); RpcCall rpcCall = (RpcCall) info.header();
@ -1897,9 +1944,8 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
XDR out = new XDR(); XDR out = new XDR();
InetAddress client = ((InetSocketAddress) info.remoteAddress()) InetAddress client = ((InetSocketAddress) info.remoteAddress())
.getAddress(); .getAddress();
Channel channel = info.channel();
Credentials credentials = rpcCall.getCredential(); Credentials credentials = rpcCall.getCredential();
// Ignore auth only for NFSPROC3_NULL, especially for Linux clients. // Ignore auth only for NFSPROC3_NULL, especially for Linux clients.
if (nfsproc3 != NFSPROC3.NULL) { if (nfsproc3 != NFSPROC3.NULL) {
if (credentials.getFlavor() != AuthFlavor.AUTH_SYS if (credentials.getFlavor() != AuthFlavor.AUTH_SYS
@ -1937,27 +1983,24 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
} }
} }
SecurityHandler securityHandler = getSecurityHandler(credentials,
rpcCall.getVerifier());
NFS3Response response = null; NFS3Response response = null;
if (nfsproc3 == NFSPROC3.NULL) { if (nfsproc3 == NFSPROC3.NULL) {
response = nullProcedure(); response = nullProcedure();
} else if (nfsproc3 == NFSPROC3.GETATTR) { } else if (nfsproc3 == NFSPROC3.GETATTR) {
response = getattr(xdr, securityHandler, client); response = getattr(xdr, info);
} else if (nfsproc3 == NFSPROC3.SETATTR) { } else if (nfsproc3 == NFSPROC3.SETATTR) {
response = setattr(xdr, securityHandler, client); response = setattr(xdr, info);
} else if (nfsproc3 == NFSPROC3.LOOKUP) { } else if (nfsproc3 == NFSPROC3.LOOKUP) {
response = lookup(xdr, securityHandler, client); response = lookup(xdr, info);
} else if (nfsproc3 == NFSPROC3.ACCESS) { } else if (nfsproc3 == NFSPROC3.ACCESS) {
response = access(xdr, securityHandler, client); response = access(xdr, info);
} else if (nfsproc3 == NFSPROC3.READLINK) { } else if (nfsproc3 == NFSPROC3.READLINK) {
response = readlink(xdr, securityHandler, client); response = readlink(xdr, info);
} else if (nfsproc3 == NFSPROC3.READ) { } else if (nfsproc3 == NFSPROC3.READ) {
if (LOG.isDebugEnabled()) { if (LOG.isDebugEnabled()) {
LOG.debug(Nfs3Utils.READ_RPC_START + xid); LOG.debug(Nfs3Utils.READ_RPC_START + xid);
} }
response = read(xdr, securityHandler, client); response = read(xdr, info);
if (LOG.isDebugEnabled() && (nfsproc3 == NFSPROC3.READ)) { if (LOG.isDebugEnabled() && (nfsproc3 == NFSPROC3.READ)) {
LOG.debug(Nfs3Utils.READ_RPC_END + xid); LOG.debug(Nfs3Utils.READ_RPC_END + xid);
} }
@ -1965,36 +2008,36 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
if (LOG.isDebugEnabled()) { if (LOG.isDebugEnabled()) {
LOG.debug(Nfs3Utils.WRITE_RPC_START + xid); LOG.debug(Nfs3Utils.WRITE_RPC_START + xid);
} }
response = write(xdr, channel, xid, securityHandler, client); response = write(xdr, info);
// Write end debug trace is in Nfs3Utils.writeChannel // Write end debug trace is in Nfs3Utils.writeChannel
} else if (nfsproc3 == NFSPROC3.CREATE) { } else if (nfsproc3 == NFSPROC3.CREATE) {
response = create(xdr, securityHandler, client); response = create(xdr, info);
} else if (nfsproc3 == NFSPROC3.MKDIR) { } else if (nfsproc3 == NFSPROC3.MKDIR) {
response = mkdir(xdr, securityHandler, client); response = mkdir(xdr, info);
} else if (nfsproc3 == NFSPROC3.SYMLINK) { } else if (nfsproc3 == NFSPROC3.SYMLINK) {
response = symlink(xdr, securityHandler, client); response = symlink(xdr, info);
} else if (nfsproc3 == NFSPROC3.MKNOD) { } else if (nfsproc3 == NFSPROC3.MKNOD) {
response = mknod(xdr, securityHandler, client); response = mknod(xdr, info);
} else if (nfsproc3 == NFSPROC3.REMOVE) { } else if (nfsproc3 == NFSPROC3.REMOVE) {
response = remove(xdr, securityHandler, client); response = remove(xdr, info);
} else if (nfsproc3 == NFSPROC3.RMDIR) { } else if (nfsproc3 == NFSPROC3.RMDIR) {
response = rmdir(xdr, securityHandler, client); response = rmdir(xdr, info);
} else if (nfsproc3 == NFSPROC3.RENAME) { } else if (nfsproc3 == NFSPROC3.RENAME) {
response = rename(xdr, securityHandler, client); response = rename(xdr, info);
} else if (nfsproc3 == NFSPROC3.LINK) { } else if (nfsproc3 == NFSPROC3.LINK) {
response = link(xdr, securityHandler, client); response = link(xdr, info);
} else if (nfsproc3 == NFSPROC3.READDIR) { } else if (nfsproc3 == NFSPROC3.READDIR) {
response = readdir(xdr, securityHandler, client); response = readdir(xdr, info);
} else if (nfsproc3 == NFSPROC3.READDIRPLUS) { } else if (nfsproc3 == NFSPROC3.READDIRPLUS) {
response = readdirplus(xdr, securityHandler, client); response = readdirplus(xdr, info);
} else if (nfsproc3 == NFSPROC3.FSSTAT) { } else if (nfsproc3 == NFSPROC3.FSSTAT) {
response = fsstat(xdr, securityHandler, client); response = fsstat(xdr, info);
} else if (nfsproc3 == NFSPROC3.FSINFO) { } else if (nfsproc3 == NFSPROC3.FSINFO) {
response = fsinfo(xdr, securityHandler, client); response = fsinfo(xdr, info);
} else if (nfsproc3 == NFSPROC3.PATHCONF) { } else if (nfsproc3 == NFSPROC3.PATHCONF) {
response = pathconf(xdr, securityHandler, client); response = pathconf(xdr,info);
} else if (nfsproc3 == NFSPROC3.COMMIT) { } else if (nfsproc3 == NFSPROC3.COMMIT) {
response = commit(xdr, channel, xid, securityHandler, client); response = commit(xdr, info);
} else { } else {
// Invalid procedure // Invalid procedure
RpcAcceptedReply.getInstance(xid, RpcAcceptedReply.getInstance(xid,
@ -2027,8 +2070,21 @@ public class RpcProgramNfs3 extends RpcProgram implements Nfs3Interface {
return nfsproc3 == null || nfsproc3.isIdempotent(); return nfsproc3 == null || nfsproc3.isIdempotent();
} }
private boolean checkAccessPrivilege(final InetAddress client, private boolean checkAccessPrivilege(RpcInfo info,
final AccessPrivilege expected) { final AccessPrivilege expected) {
SocketAddress remoteAddress = info.remoteAddress();
return checkAccessPrivilege(remoteAddress, expected);
}
private boolean checkAccessPrivilege(SocketAddress remoteAddress,
final AccessPrivilege expected) {
// Port monitoring
if (!doPortMonitoring(remoteAddress)) {
return false;
}
// Check export table
InetAddress client = ((InetSocketAddress) remoteAddress).getAddress();
AccessPrivilege access = exports.getAccessPrivilege(client); AccessPrivilege access = exports.getAccessPrivilege(client);
if (access == AccessPrivilege.NONE) { if (access == AccessPrivilege.NONE) {
return false; return false;

View File

@ -16,12 +16,14 @@
* limitations under the License. * limitations under the License.
*/ */
package org.apache.hadoop.hdfs.nfs; package org.apache.hadoop.hdfs.nfs.nfs3;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import java.io.IOException; import java.io.IOException;
import java.net.InetAddress; import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.List; import java.util.List;
import org.apache.hadoop.fs.Path; import org.apache.hadoop.fs.Path;
@ -38,10 +40,15 @@ import org.apache.hadoop.nfs.nfs3.response.READDIR3Response;
import org.apache.hadoop.nfs.nfs3.response.READDIR3Response.Entry3; import org.apache.hadoop.nfs.nfs3.response.READDIR3Response.Entry3;
import org.apache.hadoop.nfs.nfs3.response.READDIRPLUS3Response; import org.apache.hadoop.nfs.nfs3.response.READDIRPLUS3Response;
import org.apache.hadoop.nfs.nfs3.response.READDIRPLUS3Response.EntryPlus3; import org.apache.hadoop.nfs.nfs3.response.READDIRPLUS3Response.EntryPlus3;
import org.apache.hadoop.oncrpc.RpcInfo;
import org.apache.hadoop.oncrpc.RpcMessage;
import org.apache.hadoop.oncrpc.XDR; import org.apache.hadoop.oncrpc.XDR;
import org.apache.hadoop.oncrpc.security.SecurityHandler; import org.apache.hadoop.oncrpc.security.SecurityHandler;
import org.apache.hadoop.security.authorize.DefaultImpersonationProvider; import org.apache.hadoop.security.authorize.DefaultImpersonationProvider;
import org.apache.hadoop.security.authorize.ProxyUsers; import org.apache.hadoop.security.authorize.ProxyUsers;
import org.jboss.netty.buffer.ChannelBuffer;
import org.jboss.netty.channel.Channel;
import org.jboss.netty.channel.ChannelHandlerContext;
import org.junit.AfterClass; import org.junit.AfterClass;
import org.junit.Before; import org.junit.Before;
import org.junit.BeforeClass; import org.junit.BeforeClass;
@ -122,7 +129,7 @@ public class TestReaddir {
xdr_req.writeInt(100); // count xdr_req.writeInt(100); // count
READDIR3Response response = nfsd.readdir(xdr_req.asReadOnlyWrap(), READDIR3Response response = nfsd.readdir(xdr_req.asReadOnlyWrap(),
securityHandler, InetAddress.getLocalHost()); securityHandler, new InetSocketAddress("localhost", 1234));
List<Entry3> dirents = response.getDirList().getEntries(); List<Entry3> dirents = response.getDirList().getEntries();
assertTrue(dirents.size() == 5); // inculding dot, dotdot assertTrue(dirents.size() == 5); // inculding dot, dotdot
@ -139,7 +146,7 @@ public class TestReaddir {
xdr_req.writeInt(100); // count xdr_req.writeInt(100); // count
response = nfsd.readdir(xdr_req.asReadOnlyWrap(), securityHandler, response = nfsd.readdir(xdr_req.asReadOnlyWrap(), securityHandler,
InetAddress.getLocalHost()); new InetSocketAddress("localhost", 1234));
dirents = response.getDirList().getEntries(); dirents = response.getDirList().getEntries();
assertTrue(dirents.size() == 1); assertTrue(dirents.size() == 1);
Entry3 entry = dirents.get(0); Entry3 entry = dirents.get(0);
@ -149,7 +156,7 @@ public class TestReaddir {
hdfs.delete(new Path(testdir + "/f2"), false); hdfs.delete(new Path(testdir + "/f2"), false);
response = nfsd.readdir(xdr_req.asReadOnlyWrap(), securityHandler, response = nfsd.readdir(xdr_req.asReadOnlyWrap(), securityHandler,
InetAddress.getLocalHost()); new InetSocketAddress("localhost", 1234));
dirents = response.getDirList().getEntries(); dirents = response.getDirList().getEntries();
assertTrue(dirents.size() == 2); // No dot, dotdot assertTrue(dirents.size() == 2); // No dot, dotdot
} }
@ -170,8 +177,9 @@ public class TestReaddir {
xdr_req.writeInt(100); // dirCount xdr_req.writeInt(100); // dirCount
xdr_req.writeInt(1000); // maxCount xdr_req.writeInt(1000); // maxCount
READDIRPLUS3Response responsePlus = nfsd.readdirplus( READDIRPLUS3Response responsePlus = nfsd.readdirplus(xdr_req
xdr_req.asReadOnlyWrap(), securityHandler, InetAddress.getLocalHost()); .asReadOnlyWrap(), securityHandler, new InetSocketAddress("localhost",
1234));
List<EntryPlus3> direntPlus = responsePlus.getDirListPlus().getEntries(); List<EntryPlus3> direntPlus = responsePlus.getDirListPlus().getEntries();
assertTrue(direntPlus.size() == 5); // including dot, dotdot assertTrue(direntPlus.size() == 5); // including dot, dotdot
@ -189,7 +197,7 @@ public class TestReaddir {
xdr_req.writeInt(1000); // maxCount xdr_req.writeInt(1000); // maxCount
responsePlus = nfsd.readdirplus(xdr_req.asReadOnlyWrap(), securityHandler, responsePlus = nfsd.readdirplus(xdr_req.asReadOnlyWrap(), securityHandler,
InetAddress.getLocalHost()); new InetSocketAddress("localhost", 1234));
direntPlus = responsePlus.getDirListPlus().getEntries(); direntPlus = responsePlus.getDirListPlus().getEntries();
assertTrue(direntPlus.size() == 1); assertTrue(direntPlus.size() == 1);
EntryPlus3 entryPlus = direntPlus.get(0); EntryPlus3 entryPlus = direntPlus.get(0);
@ -199,7 +207,7 @@ public class TestReaddir {
hdfs.delete(new Path(testdir + "/f2"), false); hdfs.delete(new Path(testdir + "/f2"), false);
responsePlus = nfsd.readdirplus(xdr_req.asReadOnlyWrap(), securityHandler, responsePlus = nfsd.readdirplus(xdr_req.asReadOnlyWrap(), securityHandler,
InetAddress.getLocalHost()); new InetSocketAddress("localhost", 1234));
direntPlus = responsePlus.getDirListPlus().getEntries(); direntPlus = responsePlus.getDirListPlus().getEntries();
assertTrue(direntPlus.size() == 2); // No dot, dotdot assertTrue(direntPlus.size() == 2); // No dot, dotdot
} }

View File

@ -22,7 +22,7 @@ import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail; import static org.junit.Assert.fail;
import java.io.IOException; import java.io.IOException;
import java.net.InetAddress; import java.net.InetSocketAddress;
import java.nio.ByteBuffer; import java.nio.ByteBuffer;
import java.util.Arrays; import java.util.Arrays;
import java.util.concurrent.ConcurrentNavigableMap; import java.util.concurrent.ConcurrentNavigableMap;
@ -318,7 +318,7 @@ public class TestWrites {
XDR createXdr = new XDR(); XDR createXdr = new XDR();
createReq.serialize(createXdr); createReq.serialize(createXdr);
CREATE3Response createRsp = nfsd.create(createXdr.asReadOnlyWrap(), CREATE3Response createRsp = nfsd.create(createXdr.asReadOnlyWrap(),
securityHandler, InetAddress.getLocalHost()); securityHandler, new InetSocketAddress("localhost", 1234));
FileHandle handle = createRsp.getObjHandle(); FileHandle handle = createRsp.getObjHandle();
// Test DATA_SYNC // Test DATA_SYNC
@ -331,7 +331,7 @@ public class TestWrites {
XDR writeXdr = new XDR(); XDR writeXdr = new XDR();
writeReq.serialize(writeXdr); writeReq.serialize(writeXdr);
nfsd.write(writeXdr.asReadOnlyWrap(), null, 1, securityHandler, nfsd.write(writeXdr.asReadOnlyWrap(), null, 1, securityHandler,
InetAddress.getLocalHost()); new InetSocketAddress("localhost", 1234));
waitWrite(nfsd, handle, 60000); waitWrite(nfsd, handle, 60000);
@ -340,7 +340,7 @@ public class TestWrites {
XDR readXdr = new XDR(); XDR readXdr = new XDR();
readReq.serialize(readXdr); readReq.serialize(readXdr);
READ3Response readRsp = nfsd.read(readXdr.asReadOnlyWrap(), READ3Response readRsp = nfsd.read(readXdr.asReadOnlyWrap(),
securityHandler, InetAddress.getLocalHost()); securityHandler, new InetSocketAddress("localhost", 1234));
assertTrue(Arrays.equals(buffer, readRsp.getData().array())); assertTrue(Arrays.equals(buffer, readRsp.getData().array()));
@ -352,7 +352,7 @@ public class TestWrites {
XDR createXdr2 = new XDR(); XDR createXdr2 = new XDR();
createReq2.serialize(createXdr2); createReq2.serialize(createXdr2);
CREATE3Response createRsp2 = nfsd.create(createXdr2.asReadOnlyWrap(), CREATE3Response createRsp2 = nfsd.create(createXdr2.asReadOnlyWrap(),
securityHandler, InetAddress.getLocalHost()); securityHandler, new InetSocketAddress("localhost", 1234));
FileHandle handle2 = createRsp2.getObjHandle(); FileHandle handle2 = createRsp2.getObjHandle();
WRITE3Request writeReq2 = new WRITE3Request(handle2, 0, 10, WRITE3Request writeReq2 = new WRITE3Request(handle2, 0, 10,
@ -360,7 +360,7 @@ public class TestWrites {
XDR writeXdr2 = new XDR(); XDR writeXdr2 = new XDR();
writeReq2.serialize(writeXdr2); writeReq2.serialize(writeXdr2);
nfsd.write(writeXdr2.asReadOnlyWrap(), null, 1, securityHandler, nfsd.write(writeXdr2.asReadOnlyWrap(), null, 1, securityHandler,
InetAddress.getLocalHost()); new InetSocketAddress("localhost", 1234));
waitWrite(nfsd, handle2, 60000); waitWrite(nfsd, handle2, 60000);
@ -369,7 +369,7 @@ public class TestWrites {
XDR readXdr2 = new XDR(); XDR readXdr2 = new XDR();
readReq2.serialize(readXdr2); readReq2.serialize(readXdr2);
READ3Response readRsp2 = nfsd.read(readXdr2.asReadOnlyWrap(), READ3Response readRsp2 = nfsd.read(readXdr2.asReadOnlyWrap(),
securityHandler, InetAddress.getLocalHost()); securityHandler, new InetSocketAddress("localhost", 1234));
assertTrue(Arrays.equals(buffer, readRsp2.getData().array())); assertTrue(Arrays.equals(buffer, readRsp2.getData().array()));
// FILE_SYNC should sync the file size // FILE_SYNC should sync the file size

View File

@ -404,6 +404,9 @@ Release 2.5.0 - UNRELEASED
HDFS-6551. Rename with OVERWRITE option may throw NPE when the target HDFS-6551. Rename with OVERWRITE option may throw NPE when the target
file/directory is a reference INode. (jing9) file/directory is a reference INode. (jing9)
HDFS-6439. NFS should not reject NFS requests to the NULL procedure whether
port monitoring is enabled or not. (brandonli)
BREAKDOWN OF HDFS-2006 SUBTASKS AND RELATED JIRAS BREAKDOWN OF HDFS-2006 SUBTASKS AND RELATED JIRAS
HDFS-6299. Protobuf for XAttr and client-side implementation. (Yi Liu via umamahesh) HDFS-6299. Protobuf for XAttr and client-side implementation. (Yi Liu via umamahesh)

View File

@ -322,6 +322,22 @@ HDFS NFS Gateway
Then the users can access HDFS as part of the local file system except that, Then the users can access HDFS as part of the local file system except that,
hard link and random write are not supported yet. hard link and random write are not supported yet.
* {Allow mounts from unprivileged clients}
In environments where root access on client machines is not generally
available, some measure of security can be obtained by ensuring that only NFS
clients originating from privileged ports can connect to the NFS server. This
feature is referred to as "port monitoring." This feature is not enabled by default
in the HDFS NFS Gateway, but can be optionally enabled by setting the
following config in hdfs-site.xml on the NFS Gateway machine:
-------------------------------------------------------------------
<property>
<name>nfs.port.monitoring.disabled</name>
<value>false</value>
</property>
-------------------------------------------------------------------
* {User authentication and mapping} * {User authentication and mapping}
NFS gateway in this release uses AUTH_UNIX style authentication. When the user on NFS client NFS gateway in this release uses AUTH_UNIX style authentication. When the user on NFS client