Details
Bug
Resolution: Fixed
Medium
Description
1) On mds, enable nodemap and then set both admin_nodemap and trusted_nodemap to 1.
[mds ~]# lctl nodemap_info --name test_fs
nodemap.test_fs.admin_nodemap=1
nodemap.test_fs.audit_mode=1
nodemap.test_fs.banlist=[]
nodemap.test_fs.child_raise_privileges=none
nodemap.test_fs.deny_mount=0
nodemap.test_fs.deny_unknown=0
nodemap.test_fs.enable_cap_mask=off
nodemap.test_fs.exports=
[
{ nid: XXX.XXX.XXX.XXX@tcp, uuid: 84974280-595e-43d0-a8cb-e062c5706529, dev: test-MDT0000 }
]
nodemap.test_fs.fileset=
[
]
nodemap.test_fs.forbid_encryption=0
nodemap.test_fs.gssonly_identification=0
nodemap.test_fs.id=2
nodemap.test_fs.idmap=[]
nodemap.test_fs.map_mode=all
nodemap.test_fs.md_stats=
snapshot_time 1773639205.771299571 secs.nsecs
start_time 1773586178.571936472 secs.nsecs
elapsed_time 53027.199363099 secs.nsecs
getattr 1 samples [usecs] 138 138 138 19044
statfs 1770 samples [usecs] 31 523 144533 13400771
nodemap.test_fs.offset=
{
start_uid: 0,
limit_uid: 0,
start_gid: 0,
limit_gid: 0,
start_projid: 0,
limit_projid: 0
}
nodemap.test_fs.parent=
nodemap.test_fs.ranges=
[
{ id: 1, start_nid: XXX.XXX.XXX.XXX@tcp, end_nid: XXX.XXX.XXX.XXX@tcp }
]
nodemap.test_fs.rbac=file_perms,dne_ops,quota_ops,byfid_ops,chlg_ops,fscrypt_admin,server_upcall,ignore_root_prjquota,hsm_ops,local_admin,pool_quota_ops,lqa_quota_ops
nodemap.test_fs.readonly_mount=0
nodemap.test_fs.sepol=
nodemap.test_fs.squash_gid=65534
nodemap.test_fs.squash_projid=65534
nodemap.test_fs.squash_uid=65534
nodemap.test_fs.trusted_nodemap=1
# lctl get_param mdt.test-MDT0000.identity_upcall
mdt.test-MDT0000.identity_upcall=/usr/sbin/l_getidentity
2) On client, tried to access Lustre mount point as 10007(testid) UID, which doesn't exist on mds.
[client ~]$ id testid
uid=10007(testid) gid=10007(testid) groups=10007(testid)
[client ~]$ cd /mnt/test
bash: cd: /mnt/test: Permission denied
3) On mds, there are two improper outputs in /var/log/secure.
a) l_getidentity threw EBADF(9) error when no 10007(testid) UID was found.
b) Writing identity_info interface returned EBADF(9).
[mds ~]# tail -n 10 /var/log/secure
Mar 16 14:25:11 exa63-mds l_getidentity[238571]: no such user 10007
Mar 16 14:25:11 exa63-mds l_getidentity[238571]: partial write ret 9: No such file or directory
Mar 16 14:25:11 exa63-mds l_getidentity[238571]: no such user 10007
Mar 16 14:25:11 exa63-mds l_getidentity[238571]: partial write ret -1: Invalid argument
Mar 16 14:25:11 exa63-mds l_getidentity[238571]: get identity for uid 10007 start time 1773638711.893934 got time 140728047608048.000000 end time 1773638711.897899: rc = -1
Mar 16 14:25:11 exa63-mds l_getidentity[238572]: no such user 10007
Mar 16 14:25:11 exa63-mds l_getidentity[238572]: partial write ret 9: No such file or directory
Mar 16 14:25:11 exa63-mds l_getidentity[238572]: no such user 10007
Mar 16 14:25:11 exa63-mds l_getidentity[238572]: partial write ret -1: Invalid argument
Mar 16 14:25:11 exa63-mds l_getidentity[238572]: get identity for uid 10007 start time 1773638711.900692 got time 140728171880256.000000 end time 1773638711.904444: rc = -1
In my opinion,
a) l_getidentity should throw EIDRM(43) error when no 10007(testid) UID is found.
b) Writing identity_info interface should return -1 and set errno to EIDRM(43).
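
A triage sketch for the l_getidentity messages quoted in step 3, added here as an example (not part of the original report and not Lustre code): it groups the syslog lines per upcall PID, records each logged `ret` beside the errno name that the message text corresponds to on the local host, and checks whether "got time" lies between the start and end times. The names `triage` and `SAMPLE` are hypothetical, and the sample lines are copied from the excerpt above.

```python
import errno
import os
import re
from collections import defaultdict

# Sample input: lines for one upcall PID, copied from the /var/log/secure excerpt above.
SAMPLE = """\
Mar 16 14:25:11 exa63-mds l_getidentity[238571]: no such user 10007
Mar 16 14:25:11 exa63-mds l_getidentity[238571]: partial write ret 9: No such file or directory
Mar 16 14:25:11 exa63-mds l_getidentity[238571]: partial write ret -1: Invalid argument
Mar 16 14:25:11 exa63-mds l_getidentity[238571]: get identity for uid 10007 start time 1773638711.893934 got time 140728047608048.000000 end time 1773638711.897899: rc = -1
"""

LINE = re.compile(r"l_getidentity\[(\d+)\]: (.*)$")
NO_USER = re.compile(r"no such user (\d+)")
WRITE = re.compile(r"partial write ret (-?\d+): (.+)")
DONE = re.compile(r"get identity for uid (\d+) start time ([\d.]+) "
                  r"got time ([\d.]+) end time ([\d.]+): rc = (-?\d+)")

# Reverse table: strerror() text -> errno name, as defined on the host running this.
TEXT_TO_ERRNO = {os.strerror(code): name for code, name in errno.errorcode.items()}


def triage(log_text):
    """Group l_getidentity messages by upcall PID and summarise each upcall."""
    upcalls = defaultdict(lambda: {"uid": None, "missing": False, "writes": [],
                                   "rc": None, "bad_got_time": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an l_getidentity message
        rec, msg = upcalls[int(m.group(1))], m.group(2)
        if (u := NO_USER.fullmatch(msg)):
            rec["uid"], rec["missing"] = int(u.group(1)), True
        elif (w := WRITE.fullmatch(msg)):
            # Keep the numeric ret next to the errno the message text names.
            rec["writes"].append((int(w.group(1)),
                                  TEXT_TO_ERRNO.get(w.group(2), "unknown")))
        elif (d := DONE.fullmatch(msg)):
            uid, start, got, end, rc = d.groups()
            rec["uid"], rec["rc"] = int(uid), int(rc)
            # "got time" is expected to fall inside the same upcall's window.
            rec["bad_got_time"] = not (float(start) <= float(got) <= float(end))
    return dict(upcalls)
```

Running `triage` over a full /var/log/secure on the MDS gives a per-PID list of UIDs that the identity upcall could not resolve, which is the set of client accounts to check against the MDS user database.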