Project quotas: users can change project IDs

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/36544/
Subject: LU-12826 mdt: limit root to change project state by default
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 8fad70c0872ba13133024e4abf53a0bbee7ba1e9

It would be nice to have a backport of this important patch to b2_12 when it has landed (I tried to apply it but it doesn't work as is). Thanks much!

Wang Shilong (wshilong@ddn.com) uploaded a new patch: https://review.whamcloud.com/36544
Subject: LU-12826 mdt: limit root to change project state
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 3d38465be14aa28b89f75384980c4e96e15a1f04

I think it makes sense to add a tunable on the MDS similar to "mdt.*.enable_remote_dir_gid" that allows users in specific groups to also change the projid. By default, I think it makes sense to default to only allow root (CAP_SYS_RESOURCE) to change the projid directly, and set "mdt.*.change_projid_gid=0". Any users in that group (e.g. wheel or admin) can also change projid directly, if it is "-1" then any user can change it.

Hi Li Xi,

Just to clarify, when you say:

> I still think the current behavior (not allowing the file owner to change the project ID of its file) is still useful in a lot of use cases. 

It is actually the opposite: currently in Lustre the file owner can change the project ID of its file. That means on filesystems where project quotas are enforced, users can likely bypass their project quota if they use lfs project or chattr -p (if available on the cluster) on their own files. We need a fix to only allow admins to set/change/remove project IDs and this should be the default, as in my understanding, the most common use case with Lustre is to use project quotas to enforce some kind of directory quotas (with inheritance), managed by system administrators, not users.

But a tunable on the server should solve that.

and I agree with Andreas

PS: I agree that regular users should not be able to change the projid by default.

I think rather than a mount option, it would be better to have a tunable on the MDS to control this, maybe along with a nodemap option as Sébastien has done in patch https://review.whamcloud.com/36433 so that it can be controlled by the server instead of the client, which may be a VM under the control of an unfriendly user.

Let me push a patch to limit root for project change in default, and with prjid_owner_changeable option, users could change their project ID and inherit flags.

After understanding the reasons of the project ID behavior in the mail list, I still think the current behavior (not allowing the file owner to change the project ID of its file) is still useful in a lot of use cases. It would be a lose to change the current Lustre behavior to the same with Ext4/XFS, especially considering that most likely Lustre are used in the circumstances with more users than local file systems. Another factor is Lustre usually have much larger size than local file systems. That means if any user walks around the project quota limitations, it could troubles to the administrators. Thus, I don't think it is proper to change the current bahvior of Lustre project quota .

Nevertheless, it is still valuable to enable some use cases of project quota similar to Ext4/XFS, especailly when containers are being used. Thus, I think it might be a good idea to add a new mount option to Lustre client like "prjid_owner_changable". If that option is enabled whem mounting, then it will have the same behavior like Ext4/XFS.

In this way, I think we are enabling all kinds of use cases depending on the requirement. It is a question whether "prjid_owner_changable" should be enabled by default or not. I feel the answer is "no" at least for now.