// ---------------------------------------------------------------------- // File: Access.hh // Author: Andreas-Joachim Peters - CERN // ---------------------------------------------------------------------- /************************************************************************ * EOS - the CERN Disk Storage System * * Copyright (C) 2011 CERN/Switzerland * * * * This program is free software: you can redistribute it and/or modify * * it under the terms of the GNU General Public License as published by * * the Free Software Foundation, either version 3 of the License, or * * (at your option) any later version. * * * * This program is distributed in the hope that it will be useful, * * but WITHOUT ANY WARRANTY; without even the implied warranty of * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * * GNU General Public License for more details. * * * * You should have received a copy of the GNU General Public License * * along with this program. If not, see .* ************************************************************************/ //------------------------------------------------------------------------------ //! Class defining access rules like banned users, hosts, stall rules etc. //------------------------------------------------------------------------------ #ifndef __EOSCOMMON_ACCESS__ #define __EOSCOMMON_ACCESS__ #include "mgm/Namespace.hh" #include "common/RWMutex.hh" #include "common/Mapping.hh" #include #include #include #include EOSMGMNAMESPACE_BEGIN /*----------------------------------------------------------------------------*/ /** @brief class implementing global access rules * * The access regulations are applied in XrdMgmOfs::ShouldStall & * XrdMgmOfs::ShouldRedirect functions.\n * Normally User,Group & Host rules act as black-list and the AllowedXX rules * exclude individuals from the black list.\n\n * The stall rules can be:\n * '*' => everything get's stalled by number of seconds stored * in gStallRules["*"]\n * 'r:*" => everything get's stalled in read operations as above.\n *'w:*" => everything get's stalled in write operations as above.\n\n * The same syntax is used in gRedirectionRules to define r+w, * r or w operation redirection. * The value in this map is defined as ':' */ /*----------------------------------------------------------------------------*/ class Access { public: // static key defining the ban users entry in the global configuration // key-value map static const char* gUserKey; // static key defining the ban group key in the global configuration // key-value map static const char* gGroupKey; // static key defining the ban host key in the global configuration // key-value map static const char* gHostKey; // static key defining the ban domain key in the global configuration // key-value map static const char* gDomainKey; // static key defining the ban token key in the global configuration // key-value map static const char* gTokenKey; // static key defining the allowed users key in the global configuration // key-value map static const char* gAllowedUserKey; // static key defining the allowed group key in the global configuration // key-value map static const char* gAllowedGroupKey; // static key defining the allowed host key in the global configuration // key-value map static const char* gAllowedHostKey; // static key defining the allowed domain key in the global configuration // key-value map static const char* gAllowedDomainKey; // static key defining the allowed tokens key in the global configuration // key-value map static const char* gAllowedTokenKey; // static key defining the stall rules in the global configuration // key-value map static const char* gStallKey; // static key defining the redirection rules in the global configuration // key-value map static const char* gRedirectionKey; // static key defining the hosts which are eligible for stalling (whitelist) // set static const char* gStallHostsKey; // static key defining the hosts which are not eligible for stalling (blacklist) // set static const char* gNoStallHostsKey; // set containing the banned user ID static std::set gBannedUsers; //! set containing the banned group ID static std::set gBannedGroups; //! set containing the allowed host IDs static std::set gAllowedUsers; //! set containing the allowed group IDs static std::set gAllowedGroups; //! set containing the banned host names static std::set gBannedHosts; //! set containing the banned domain names static std::set gBannedDomains; //! set containing the banned token names static std::set gBannedTokens; //! set containing the allowed host names static std::set gAllowedHosts; //! set containing the allowed domain IDs static std::set gAllowedDomains; //! set containing the allowed token IDs static std::set gAllowedTokens; //! map containing redirection rules static std::map gRedirectionRules; //! map containing stall rules static std::map gStallRules; //! map containint stall message comment static std::map gStallComment; //! indicates global stall rule static std::atomic gStallGlobal; //! indicates global read stall static std::atomic gStallRead; //! indicates global write stall static std::atomic gStallWrite; //! indicates a user or group rate stall entry static std::atomic gStallUserGroup; //! indicates a list of hostname matching static std::set gNoStallHosts; //! indicates a list of hostname matching static std::set gStallHosts; //! map containing user based redirection static std::map gUserRedirection; //! map containing group based redirection static std::map gGroupRedirection; //! global rw mutex protecting all static set's and maps in Access static eos::common::RWMutex gAccessMutex; //---------------------------------------------------------------------------- //! Struct holding stall info //---------------------------------------------------------------------------- struct StallInfo { std::string mType; std::string mDelay; std::string mComment; bool mIsGlobal; //-------------------------------------------------------------------------- //! Default constructor //-------------------------------------------------------------------------- StallInfo(const std::string& type = "", const std::string delay = "", const std::string& comment = "", bool is_global = false): mType(type), mDelay(delay), mComment(comment), mIsGlobal(is_global) {} }; //---------------------------------------------------------------------------- //! Reset/clear all access rules //! //! @param skip_stall_redirect if true don't reset the global stall and //! redirect rules //---------------------------------------------------------------------------- static void Reset(bool skip_stall_redirect = false); // --------------------------------------------------------------------------- // retrieve the access configuration from the global shared // hash/config engine and fill all static access configuration variables // --------------------------------------------------------------------------- static void ApplyAccessConfig(bool applystallandredirection = true); // --------------------------------------------------------------------------- // store the global access configuration variable into the global // shared hash/config engine // --------------------------------------------------------------------------- static bool StoreAccessConfig(); //---------------------------------------------------------------------------- //! Get find limits in number of files/dirs returned for a certain user //! //! @param vid virtual identity of the client //! @param dir_limit number of directories limit //! @param file_limit number of files limit //---------------------------------------------------------------------------- static void GetFindLimits(const eos::common::VirtualIdentity& vid, uint64_t& dir_limit, uint64_t& file_limit); //---------------------------------------------------------------------------- //! Set global stall rule and save the previous status //! //! @param new_stall stall rule to be applied //! @param old_stall old stall rule if present //---------------------------------------------------------------------------- static void SetStallRule(const StallInfo& new_stall, StallInfo& old_stall); //---------------------------------------------------------------------------- //! Set access rules for a slave to master transition. More precisely remove //! any stall and redirection rules //---------------------------------------------------------------------------- static void SetSlaveToMasterRules(); //---------------------------------------------------------------------------- //! Set access rules for a master to slave transition. //! //! @param other_master_id newly assigned master identity : //---------------------------------------------------------------------------- static void SetMasterToSlaveRules(const std::string& other_master_id); //---------------------------------------------------------------------------- //! Remove stall rule specified by key //! //! @param key stall rule key //---------------------------------------------------------------------------- static void RemoveStallRule(const std::string& key); //---------------------------------------------------------------------------- //! Get Thread limit (by uid) //---------------------------------------------------------------------------- static size_t ThreadLimit(uid_t uid, bool lock_ns = true); static size_t ThreadLimit(bool lock_ns = true); //---------------------------------------------------------------------------- //! Check if the given host can be stalled according to white and blacklist settings //---------------------------------------------------------------------------- static bool CanStall(const char* host); }; EOSMGMNAMESPACE_END #endif