LU-17961

Support supplementary groups from client

Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • None
    • Lustre 2.16.0
    • 3

    Description

      The usual way to support more than 2 supplementary groups is to rely on the server-side identity upcall. This upcall retrieves all of the user's credentials, including all supplementary groups, and stores them in the identity cache.

      In some cases, resolving supplementary groups on the MDS side in the context of the identity upcall is not possible. For instance, with ActiveDirectory (AD), only the user themselves can obtain the list of their supplementary groups, and only after having authenticated to AD. Given that this list of supplementary groups can have thousands of entries, it is not possible to pack it along with usual requests such as open, stat, etc.

      As an alternative to the server-side identity upcall, we want to propose a retry mechanism for intent locking. The client can provide at most 2 supplementary groups in the request sent to the MDS, but sometimes it does not know which ones are useful for the credentials calculation on the server side. For instance, in the case of a lookup, the client does not have the child inode yet when it sends the intent lock request. Fortunately, the server can hint at the useful groups by putting the target inode's GID, and also its ACL, in the request reply. So, in case the server replies -EACCES, the client can check the user's credentials against those and retry the intent lock request if it finds a matching supplementary group.

      The supplementary groups provided by the clients are stored in a dedicated identity cache on the server side, called INTERNAL. This INTERNAL upcall implements a particular behavior which does not involve an actual upcall: instead, the cache is filled with the supplementary groups read from the client request, cumulatively at each request.
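      The following is an added illustration of the retry mechanism and of the cumulative INTERNAL cache described in the two paragraphs above; it is constructed for this write-up and is not Lustre code. Structure and function names (acces_hint, internal_identity, mds_check_group_access, select_retry_groups, lookup_with_retry) are hypothetical, the ACL is simplified to a flat list of group GIDs (no mask or user entries), and the sample user, GIDs and inode are constructed. The client first sends two arbitrary groups; the MDS merges them into the INTERNAL entry, refuses with -EACCES plus the hint, and the client retries with the groups that actually match the hint.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the proposed flow; none of these names are Lustre's own. */
#define MAX_REQ_SUPPL_GROUPS 2	/* at most 2 supplementary groups per request */
#define CACHE_MAX_GROUPS 64

/* Hint carried in an -EACCES reply: target inode GID and the GIDs in its ACL. */
struct acces_hint {
	unsigned int inode_gid;
	const unsigned int *acl_gids;
	size_t nr_acl_gids;
};

/* One INTERNAL identity cache entry: groups accumulate across requests. */
struct internal_identity {
	unsigned int uid;
	unsigned int groups[CACHE_MAX_GROUPS];
	size_t nr_groups;
};

static bool gid_in(unsigned int gid, const unsigned int *list, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (list[i] == gid)
			return true;
	return false;
}

/* MDS side: add a request's groups to the cache entry (no duplicates, no
 * upcall, bounded). Returns the new number of cached groups. */
size_t internal_cache_merge(struct internal_identity *id, const unsigned int *gids, size_t n)
{
	for (size_t i = 0; i < n && id->nr_groups < CACHE_MAX_GROUPS; i++)
		if (!gid_in(gids[i], id->groups, id->nr_groups))
			id->groups[id->nr_groups++] = gids[i];
	return id->nr_groups;
}

/* MDS side: group permission check against the cached identity; on failure
 * return -EACCES and fill the hint the client will retry with. */
int mds_check_group_access(const struct internal_identity *id, unsigned int inode_gid,
			   const unsigned int *acl_gids, size_t nr_acl, struct acces_hint *hint)
{
	if (gid_in(inode_gid, id->groups, id->nr_groups))
		return 0;
	for (size_t i = 0; i < nr_acl; i++)
		if (gid_in(acl_gids[i], id->groups, id->nr_groups))
			return 0;
	*hint = (struct acces_hint){ inode_gid, acl_gids, nr_acl };
	return -EACCES;
}

/* Client side: keep up to out_max of the user's (distinct) groups that the
 * server hinted at. Returns 0 when nothing matches, so a retry is pointless. */
size_t select_retry_groups(const unsigned int *user_gids, size_t nr_user,
			   const struct acces_hint *hint, unsigned int *out, size_t out_max)
{
	size_t n = 0;
	for (size_t i = 0; i < nr_user && n < out_max; i++) {
		unsigned int g = user_gids[i];
		if (g == hint->inode_gid || gid_in(g, hint->acl_gids, hint->nr_acl_gids))
			out[n++] = g;
	}
	return n;
}

/* The whole exchange: a first intent request carrying two arbitrary groups,
 * then at most one retry with server-hinted groups. Returns the MDS result. */
int lookup_with_retry(struct internal_identity *id, const unsigned int *user_gids, size_t nr_user,
		      unsigned int inode_gid, const unsigned int *acl_gids, size_t nr_acl)
{
	unsigned int req[MAX_REQ_SUPPL_GROUPS];
	size_t n = nr_user < MAX_REQ_SUPPL_GROUPS ? nr_user : MAX_REQ_SUPPL_GROUPS;
	struct acces_hint hint;
	for (size_t i = 0; i < n; i++)
		req[i] = user_gids[i];
	internal_cache_merge(id, req, n);
	int rc = mds_check_group_access(id, inode_gid, acl_gids, nr_acl, &hint);
	if (rc != -EACCES)
		return rc;
	n = select_retry_groups(user_gids, nr_user, &hint, req, MAX_REQ_SUPPL_GROUPS);
	if (n == 0)
		return rc;	/* no usable group: the refusal stands */
	internal_cache_merge(id, req, n);
	return mds_check_group_access(id, inode_gid, acl_gids, nr_acl, &hint);
}

int main(void)
{
	/* Constructed sample: uid 1000 has GIDs 5000..5019; inode GID 5017, ACL grants 7000. */
	unsigned int user_gids[20], acl[] = { 7000 };
	struct internal_identity id = { .uid = 1000 };
	for (unsigned int i = 0; i < 20; i++)
		user_gids[i] = 5000 + i;
	int rc = lookup_with_retry(&id, user_gids, 20, 5017, acl, 1);
	printf("lookup rc=%d, INTERNAL cache now holds %zu groups\n", rc, id.nr_groups);
}
```

      In the sample run the first request carries GIDs 5000 and 5001, the MDS refuses and hints GID 5017 plus the ACL's 7000, the client finds 5017 in its own list and retries, and the INTERNAL entry ends up holding three groups. Note that the entry only ever grows with groups the client has claimed, which is why the description restricts the INTERNAL upcall to selected nodemaps rather than enabling it globally.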

      The use of the INTERNAL upcall, and the fact that group verification then depends on the client, should be limited to a restricted set of clients. So we want to make the INTERNAL upcall selectable on a per-nodemap basis, avoiding the need to set it globally.

            People

              Sebastien Buisson (sebastien)
              Votes: 0
              Watchers: 2