[LU-14538] Make namespace support optional in lgss_keyring
| Created: 19/Mar/21 | Updated: 13/Apr/21 | Resolved: 06/Apr/21 |
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | Lustre 2.15.0 |
| Fix Version/s: | Lustre 2.15.0 |
| Type: | Bug | Priority: | Minor |
| Reporter: | Sebastien Buisson | Assignee: | Sebastien Buisson |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | gss, patch, sec |
| Severity: | 3 |
| Rank (Obsolete): | 9223372036854775807 |
| Description |
When strong authentication such as Kerberos or SSK is enabled, Lustre is able to support different namespaces in credentials retrieval, thanks to namespace switching in lgss_keyring. This is useful when different tenants have their own credentials installed inside containers, because in this case the authentication process must use credentials from the containers, and not from the host. However, there are situations where containers are not used for multi-tenancy support, and the authentication workflow only involves credentials installed on the host. In that case, letting Lustre manipulate namespaces can get confusing, and we should be able to deactivate namespace support in lgss_keyring if the authentication workflow does not require it.
| Comments |
| Comment by Gerrit Updater [ 19/Mar/21 ] |
Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/42112
| Comment by Gerrit Updater [ 06/Apr/21 ] |
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/42112/
| Comment by Peter Jones [ 06/Apr/21 ] |
Landed for 2.15 |