mds unix group management redone

git-svn-id: https://ceph.svn.sf.net/svnroot/ceph@1184 29311d96-e01e-0410-9327-a35deaab8ce9

branches/aleung/security1/ceph/crypto/CapGroup.h

@@ -20,30 +20,49 @@ using namespace std;
 
 class CapGroup {
  private:
-  gid_t group_id;
+  //gid_t group_id;
   hash_t root_hash;
   MerkleTree mtree;
   list<uid_t> users;
+  byte signature[ESIGNSIGSIZE];
 
  public:
   friend class OSD;
   friend class Locker;
   CapGroup () { }
-  CapGroup (gid_t id) { group_id = id; }
+  //CapGroup (gid_t id) { group_id = id; }
   CapGroup (hash_t rhash, list<uid_t>& ulist) :
     root_hash(rhash), users(ulist) { }
-  CapGroup (gid_t id, list<uid_t>& ulist) : group_id(id), users(ulist) {
-    // add users to MerkleTree
-    mtree = MerkleTree(users);
+  CapGroup (uid_t user) {
+    users.push_back(user);
+    mtree.add_user(user);
     root_hash = mtree.get_root_hash();
   }
+  //CapGroup (gid_t id, list<uid_t>& ulist) : group_id(id), users(ulist) {
+    // add users to MerkleTree
+  //  mtree = MerkleTree(users);
+  //  root_hash = mtree.get_root_hash();
+  //}
   
-  gid_t get_gid() { return group_id; }
-  void set_gid(gid_t id) { group_id = id; }
+  //gid_t get_gid() { return group_id; }
+  //void set_gid(gid_t id) { group_id = id; }
+
+  byte *get_sig() { return signature; }
 
   hash_t get_root_hash() { return root_hash; }
   void set_root_hash(hash_t nhash) { root_hash = nhash; }
 
+  void sign_list(esignPriv privKey) {
+    SigBuf sig;
+    sig = esignSig((byte*)&root_hash, sizeof(root_hash), privKey);
+    memcpy(signature, sig.data(), sig.size());
+  }
+  bool verify_list(esignPub pubKey) {
+    SigBuf sig;
+    sig.Assign(signature, sizeof(signature));
+    return esignVer((byte*)&root_hash, sizeof(root_hash), sig, pubKey);
+  }
+
   void add_user(uid_t user) {
     users.push_back(user);
     // re-compute root-hash

branches/aleung/security1/ceph/crypto/ExtCap.h

@@ -148,7 +148,7 @@ public:
     data.ino = n;
   }
 
-  ExtCap(int m, uid_t u, CapGroup& cg, inodeno_t n)
+  ExtCap(int m, uid_t u, gid_t g, hash_t h, inodeno_t n)
   {
     data.id.cid = 0;
     data.id.mds_id = 0;
@@ -157,8 +157,8 @@ public:
     data.t_e += 3600;
     data.mode = m;
     data.uid = u;
-    data.gid = cg.get_gid();
-    data.user_group = cg.get_root_hash();
+    data.gid = g;
+    data.user_group = h;
     data.ino = n;
   }
 

branches/aleung/security1/ceph/mds/Locker.cc

@@ -240,22 +240,50 @@ ExtCap* Locker::issue_new_extcaps(CInode *in, int mode, MClientRequest *req) {
     // unix grouping
     if (g_conf.mds_group == 1) {
 
-      // configure group
-      if (mds->unix_groups.count(my_group) == 0)
-	mds->unix_groups[my_group].set_gid(my_group);
+      // new group
+      if (mds->unix_groups_map.count(my_group) == 0) {
+	// make a group & add user
+	CapGroup group(my_user);
+	//group.add_user(my_user);
+
+	// sign the hash
+	group.sign_list(mds->getPrvKey());
+
+	// put it into hash
+	mds->unix_groups_byhash[group.get_root_hash()] = group;
+	// put pointer into map
+	mds->unix_groups_map[my_group] = group.get_root_hash();
+      }
 
       // add user to group if not in group
-      if (!(mds->unix_groups[my_group].contains(my_user))) {
-	mds->unix_groups[my_group].add_user(my_user);
-	hash_t temp_hash = mds->unix_groups[my_group].get_root_hash();
-	mds->unix_groups_byhash[temp_hash] = mds->unix_groups[my_group];
+      hash_t my_hash = mds->unix_groups_map[my_group];
+      if (!(mds->unix_groups_byhash[my_hash].contains(my_user))) {
+
+	// make a new group, equal to old group (keep old group around)
+	CapGroup group = mds->unix_groups_byhash[my_hash];
+
+	// add the user
+	group.add_user(my_user);
+
+	// re-compute the signature
+	group.sign_list(mds->getPrvKey());	
+
+	// get the new hash
+	hash_t new_hash = group.get_root_hash();
+	
+	// put it into the list	
+	mds->unix_groups_byhash[new_hash] = group;
+	mds->unix_groups_map[my_group] = new_hash;
+
 	cout << "User " << my_user << " added to group " << my_group << endl;
       }
       else
 	cout << "User " << my_user << " already in group " << my_group << endl;
 
-      ext_cap  = new ExtCap(my_want, my_user,
-			    mds->unix_groups[my_group], in->ino());
+      //get hash for gid
+      hash_t gid_hash = mds->unix_groups_map[my_group];
+
+      ext_cap  = new ExtCap(my_want, my_user, my_group, gid_hash, in->ino());
 
       ext_cap->set_type(1);
       

branches/aleung/security1/ceph/mds/MDS.cc

@@ -98,38 +98,45 @@ MDS::MDS(int whoami, Messenger *m, MonMap *mm) : timer(mds_lock) {
   // create unix_groups?
   if (g_conf.unix_group_file) {
     ifstream from(g_conf.unix_group_file);
+
     if (from.is_open()) {
-      cout << "PARSING INPUT GROUPS!" << endl;
+
       bool seen_gid = false;
       int input;
       gid_t my_gid;
       uid_t my_uid;
-      hash_t my_hash;
+      CapGroup *my_group;
       // parse file
       while (! from.eof()) {
 	from >> input;
 	if (input == -1) {
 	  seen_gid = false;
-	  cout << endl;
-	  continue;
+	  // copy hash into map
+	  unix_groups_map[my_gid] = my_group->get_root_hash();
+	  cout << " " << my_group->get_root_hash() << endl;
+	  delete my_group;
 	}
 	// first number on line is gid, rest are uids
-	if (!seen_gid) {
+	else if (!seen_gid) {
 	  // make group
 	  my_gid = input;
-	  unix_groups[my_gid].set_gid(my_gid);
-
+	  //unix_groups[my_gid].set_gid(my_gid);
+	  my_group = new CapGroup();	  
 	  seen_gid = true;
-	  cout << "gid = " << my_gid;
+	  cout << "Gid: " << my_gid;
 	}
 	else {
 	  my_uid = input;
-	  unix_groups[my_gid].add_user(my_uid);
-	  
-	  my_hash = unix_groups[my_gid].get_root_hash();
-	  unix_groups_byhash[my_hash] = unix_groups[my_gid];
+	  my_group->add_user(my_uid);
+	  //unix_groups[my_gid].add_user(my_uid);
 
-	  cout << " uid = " << my_uid;
+	  // sign the hash
+	  my_group->sign_list(myPrivKey);
+	  
+	  // update the map
+	  unix_groups_byhash[my_group->get_root_hash()] = (*my_group);
+	  
+	  cout << " uid: " << my_uid;
 	}
       }
       from.close();

branches/aleung/security1/ceph/mds/MDS.h

@@ -157,7 +157,8 @@ public:
   map<int,version_t> peer_mdsmap_epoch;
 
   // logical user group
-  map<gid_t, CapGroup> unix_groups;
+  //map<gid_t, CapGroup> unix_groups;
+  map<gid_t, hash_t> unix_groups_map;
   // hash to group map
   map<hash_t, CapGroup> unix_groups_byhash;
 

branches/aleung/security1/ceph/mds/Server.cc

@@ -262,6 +262,7 @@ void Server::handle_client_update(MClientUpdate *m)
   dout(3) << "handle_client_update for " << my_hash << endl;
 
   MClientUpdateReply *reply = new MClientUpdateReply(my_hash, mds->unix_groups_byhash[my_hash].get_list());
+  reply->set_sig(mds->unix_groups_byhash[my_hash].get_sig());
 
   messenger->send_message(reply, m->get_source_inst());
 }