[LU-16901] Provide l_getidentity_nss identity provider
Created: 15/Jun/23 | Updated: 20/Nov/23 | Resolved: 18/Nov/23 |
|
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | Lustre 2.16.0 |
| Type: | Bug | Priority: | Minor |
| Reporter: | Shaun Tancheff | Assignee: | Shaun Tancheff |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Severity: | 3 |
| Description |
|
l_getidentity to fetch user's supplementary groups info from NIS, LDAP and/or any other services that NSS modules exist for. Add lustre-only user/group configuration in plain files, keeping Lustre users and groups separate from Linux users/groups on Lustre server's machines for security reasons. |
| Comments |
| Comment by Gerrit Updater [ 15/Jun/23 ] |
|
"Shaun Tancheff <shaun.tancheff@hpe.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/51329 |
| Comment by Andreas Dilger [ 16/Jun/23 ] |
|
I think this was previously submitted under patch https://review.whamcloud.com/45634. My question there was:
And the response from Alexander Zarochentsev was:
but it didn't provide enough explanation about what security issues this addresses. It should be possible to query the LDAP without allowing the users to login to the MDS and needing a separate upcall? |
| Comment by Gerrit Updater [ 18/Nov/23 ] |
|
"Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/c/fs/lustre-release/+/51329/ |
| Comment by Peter Jones [ 18/Nov/23 ] |
|
Landed for 2.16 |