From: Christopher Hoffman <choffman@redhat.com>
Date: Wed, 12 Mar 2025 21:31:35 +0000 (+0000)
Subject: client: Add client_fscrypt_as option
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=1b5b1630bcc55a11a9fdb6c9ed61d8596b7b2e5b;p=ceph-ci.git

client: Add client_fscrypt_as option

Add option to toggle enforcement of fscrypt access semantics.

Signed-off-by: Christopher Hoffman <choffman@redhat.com>
---

diff --git a/src/client/Client.cc b/src/client/Client.cc
index 6b4dd7f1a82..c1b27c8244b 100644
--- a/src/client/Client.cc
+++ b/src/client/Client.cc
@@ -3963,7 +3963,7 @@ int Client::get_caps(Fh *fh, int need, int want, int *phave, loff_t endoff)
     if ((need & CEPH_CAP_FILE_WR) &&
         ((in->auth_cap && in->auth_cap->session->readonly) ||
         // (is locked)
-        (in->is_fscrypt_enabled() && is_inode_locked(in))))
+        (in->is_fscrypt_enabled() && is_inode_locked(in) && cct->_conf.get_val<bool>("client_fscrypt_as"))))
       return -EROFS;
 
     if (in->flags & I_CAP_DROPPED) {
@@ -6334,7 +6334,7 @@ int Client::may_open(const InodeRef& in, int flags, const UserPerm& perms)
   ldout(cct, 20) << __func__ << " " << *in << "; " << perms << dendl;
   unsigned want = 0;
 
-  if (!in->is_dir() && is_inode_locked(in))
+  if (!in->is_dir() && is_inode_locked(in) && cct->_conf.get_val<bool>("client_fscrypt_as"))
     return -ENOKEY;
 
   if ((flags & O_ACCMODE) == O_WRONLY)
@@ -6390,7 +6390,7 @@ out:
 int Client::may_create(const InodeRef& dir, const UserPerm& perms)
 {
   ldout(cct, 20) << __func__ << " " << *dir << "; " << perms << dendl;
-  if (dir->is_dir() && is_inode_locked(dir))
+  if (dir->is_dir() && is_inode_locked(dir) && cct->_conf.get_val<bool>("client_fscrypt_as"))
     return -ENOKEY;
 
   int r = _getattr_for_perm(dir, perms);
diff --git a/src/common/options/mds-client.yaml.in b/src/common/options/mds-client.yaml.in
index a35c3c76489..3223cc4e6de 100644
--- a/src/common/options/mds-client.yaml.in
+++ b/src/common/options/mds-client.yaml.in
@@ -597,4 +597,14 @@ options:
   default: 16
   services:
   - mds_client
-  min: 1
\ No newline at end of file
+  min: 1
+- name: client_fscrypt_as
+  type: bool
+  level: advanced
+  desc: Enable fscrypt access semantics
+  long_desc: Enable fscrypt access semantics for locked/unlocked states.
+  default: true
+  services:
+  - mds_client
+  flags:
+  - runtime