[LU-17518] MDS still trusts client-originated support GID on a Kerberos-enabled filesystem
Created: 09/Feb/24  Updated: 09/Feb/24

Status: Open
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.16.0
Fix Version/s: None

Type: Bug
Priority: Minor
Reporter: Sebastien Buisson
Assignee: Sebastien Buisson
Resolution: Unresolved
Votes: 0
Labels: gss, kerberos, patch, sec

Severity: 3

 Description   

On a Kerberos-enabled filesystem, the MDS should not trust the UID/GID/supplementary groups sent by the clients, and instead get the UID from the GSS context, and the GID and supplementary groups from the identity upcall.
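
The rule described above, as a small added model in C. It is not code from Lustre or from the linked patch: `struct identity`, `identity_upcall`, `resolve_identity` and the table contents are hypothetical, and it assumes that without Kerberos the server falls back to the client-supplied values.

```c
#include <stddef.h>

#define MAX_SUPP 8

/* Hypothetical types and names: a model of the rule, not Lustre code. */
struct identity {
    unsigned uid, gid;
    size_t nsupp;
    unsigned supp[MAX_SUPP];
};

/* Constructed stand-in for the server-side identity upcall database. */
static const struct identity upcall_db[] = {
    { 1000, 1000, 2, { 2001, 2002 } },
    { 1001, 1001, 0, { 0 } },
};

/* Fill gid and groups for uid from the server's own data; -1 if unknown. */
static int identity_upcall(unsigned uid, struct identity *out)
{
    for (size_t i = 0; i < sizeof(upcall_db) / sizeof(upcall_db[0]); i++) {
        if (upcall_db[i].uid == uid) {
            *out = upcall_db[i];
            return 0;
        }
    }
    return -1;
}

/* krb: request arrived over a GSS context; gss_uid: uid mapped from the
 * authenticated principal; claimed: values packed by the client.
 * eff is written only on success. */
int resolve_identity(int krb, unsigned gss_uid,
                     const struct identity *claimed, struct identity *eff)
{
    if (krb)    /* ignore every client-supplied field, fail closed on a miss */
        return identity_upcall(gss_uid, eff);
    if (claimed->nsupp > MAX_SUPP)
        return -1;
    *eff = *claimed;    /* assumption: no Kerberos, so client values are used */
    return 0;
}

int main(void)
{
    /* Constructed request: uid 1000 claims gid 0 and supplementary group 0. */
    struct identity claimed = { 1000, 0, 1, { 0 } }, eff;
    return resolve_identity(1, 1000, &claimed, &eff) == 0 && eff.gid == 1000 ? 0 : 1;
}
```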



 Comments   
Comment by Gerrit Updater [ 09/Feb/24 ]

"Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/53987
Subject: LU-17518 gss: do not trust supp groups from client with krb
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 04b9ba203ef36f71ed8407cccdc8ba9a70617e49
