[LU-17528] Cleanup context_mit code - Whamcloud Community JIRA

Details

Type: Bug
Resolution: Fixed
Priority: Minor
Fix Version/s: Lustre 2.16.0
Affects Version/s: Lustre 2.16.0
Labels:
- gss
- patch
- sec

Severity:
3
Rank (Obsolete):
9223372036854775807

Description

Support for MIT Kerberos prior to 1.4 can be dropped now. So cleanup context_mit support and use standard access to security context via functions exported by the GSS API.

Attachments

Activity

[LU-17528] Cleanup context_mit code

Peter Jones added a comment - 23/Feb/24 2:53 PM

Landed for 2.16

Peter Jones added a comment - 23/Feb/24 2:53 PM Landed for 2.16

Gerrit Updater added a comment - 23/Feb/24 7:18 AM

"Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/c/fs/lustre-release/+/54063/
Subject: ~~LU-17528~~ gss: cleanup gss api usage
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 79a2d8645a28de77c7406ba56889d3a0749b851c

Gerrit Updater added a comment - 23/Feb/24 7:18 AM "Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/c/fs/lustre-release/+/54063/ Subject: LU-17528 gss: cleanup gss api usage Project: fs/lustre-release Branch: master Current Patch Set: Commit: 79a2d8645a28de77c7406ba56889d3a0749b851c

Andreas Dilger added a comment - 16/Feb/24 10:04 PM

Is it reasonable to deprecate/remove the older Kerberos encryption methods as well, like DES, since they are horribly insecure these days? If there is some concern about compatibility, I would be reluctantly OK with making the DES modes disabled by default and return a clear error if they try to be used (and a warning about their insecurity), and require some kind of override setting to enable them. Then schedule them for permanent removal in 2.17.53 or similar (which we should already have done years ago).

Andreas Dilger added a comment - 16/Feb/24 10:04 PM Is it reasonable to deprecate/remove the older Kerberos encryption methods as well, like DES, since they are horribly insecure these days? If there is some concern about compatibility, I would be reluctantly OK with making the DES modes disabled by default and return a clear error if they try to be used (and a warning about their insecurity), and require some kind of override setting to enable them. Then schedule them for permanent removal in 2.17.53 or similar (which we should already have done years ago).

Sebastien Buisson added a comment - 15/Feb/24 9:26 AM

Actually, lucid context has been available since krb5 1.7 at least:
https://github.com/krb5/krb5/commit/0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d
RHEL 7 already have something much recent.

So we can drop support for non-lucid context api.

Sebastien Buisson added a comment - 15/Feb/24 9:26 AM Actually, lucid context has been available since krb5 1.7 at least: https://github.com/krb5/krb5/commit/0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d RHEL 7 already have something much recent. So we can drop support for non-lucid context api.

Gerrit Updater added a comment - 15/Feb/24 9:23 AM

"Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/54063
Subject: ~~LU-17528~~ gss: cleanup gss api usage
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 68af4009bac02d8a9d01967ab7e4fbdf4023b054

Gerrit Updater added a comment - 15/Feb/24 9:23 AM "Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/54063 Subject: LU-17528 gss: cleanup gss api usage Project: fs/lustre-release Branch: master Current Patch Set: 1 Commit: 68af4009bac02d8a9d01967ab7e4fbdf4023b054

Gerrit Updater added a comment - 12/Feb/24 3:51 PM

"Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/54010
Subject: ~~LU-17528~~ gss: cleanup context_mit code
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 5e2890e910d3e696a56e4137397aa8c3f1ebfb73

Gerrit Updater added a comment - 12/Feb/24 3:51 PM "Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/54010 Subject: LU-17528 gss: cleanup context_mit code Project: fs/lustre-release Branch: master Current Patch Set: 1 Commit: 5e2890e910d3e696a56e4137397aa8c3f1ebfb73

People

Assignee:: Sebastien Buisson

Reporter:: Sebastien Buisson

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 12/Feb/24 3:47 PM

Updated:: 24/Feb/24 3:46 AM

Resolved:: 23/Feb/24 2:53 PM