IU Shared Secret Key authentication and encryption (LU-3289)

[LU-3778] GSS doesn't know about proxy subsystems Created: 19/Aug/13  Updated: 30/Nov/16  Resolved: 02/Jul/15

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.4.0
Fix Version/s: Lustre 2.8.0

Type: Technical task Priority: Critical
Reporter: Daniel Kobras (Inactive) Assignee: WC Triage
Resolution: Fixed Votes: 0
Labels: SSK, patch

Issue Links:
Related
is related to LU-6356 Kerberos revival Resolved
is related to LU-3289 IU Shared Secret Key authentication a... Resolved
is related to LU-8880 sanity test_1: fails w/DNE @@@ faked ... Resolved
Rank (Obsolete): 9779

 Description   

Trying to use a GSS-enabled Lustre build with Kerberos authentication with 2.4.0 leads to instant LBUGs on connect because gss_internal.h::import_to_gss_svc() only knows about mgc, mdc, and osc. It bails out as soon as another component like osp or lwp tries to initiate an authenticated connection. It depends on the srpc configuration, which of the components triggers the LBUG first, but the root cause is always the proxies trying to use GSS authentication while the GSS subsystem doesn't know about them.



 Comments   
Comment by Jodi Levi (Inactive) [ 19/Aug/13 ]

Mike,
Could you please comment on this one?
Thank you!

Comment by Nathan Rutman [ 20/Aug/13 ]

Is this a problem with any GSS usage in 2.4, or do you need to do something specific?

Comment by Nikitas Angelinas [ 20/Aug/13 ]

I remember seeing this LBUG when testing GSS/Kerberos on 2.4; according to my notes, it happened soon after the Kerberos mode was switched to krb5p.

Comment by Daniel Kobras (Inactive) [ 26/Aug/13 ]

So far, I haven't found a way to avoid this bug when trying to use GSS with 2.4. From my testing, osp and lwp seem to be treated as 'clients' by sptlrpc: The LBUG is hit if krb5p is configured for directions default, cli2mdt, and cli2ost. It might not trigger if only mdt2mdt or mdt2ost are used, but I haven't verified these combinations.

The easiest reproducer is:

  • Start MGS
  • Run lctl conf_param <fsname>.srpc.flavor.default=krb5p
  • Start MDT -> immediate LBUG.

Comment by Andreas Dilger [ 05/Nov/13 ]

It looks like we need to initialize the sptlrpc subsystem for OSP and LWP connections, presumably using sptlrpc_lprocfs_cliobd_attach(). That will also configure the srpc_info and srpc_contexts files in /proc that test-framework.sh::flvr_cnt_mdt2ost->get_mdtosc_proc_path() needs for sanity-gss.sh to work.

Comment by Jodi Levi (Inactive) [ 10/Nov/14 ]

Shared key crypto will not be in the 2.7 Release.

Comment by Sebastien Buisson (Inactive) [ 11/Mar/15 ]

Hi,

Following Andreas' advice, I have made a patch that initializes the sptlrpc subsystem for OSP and LWP connections, by calling sptlrpc_lprocfs_cliobd_attach(). I also found that GSS related functions must not return an LBUG when dealing with OSP and LWP OBDs.

Sebastien.

Comment by Gerrit Updater [ 11/Mar/15 ]

Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/14040
Subject: LU-3778 sptlrpc: OSP and LWP don't know sptlrpc
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: fa5a6d591d883c6940179dd09e3288483769bfb6

Comment by Gerrit Updater [ 01/Jul/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/14040/
Subject: LU-3778 sptlrpc: OSP and LWP don't know sptlrpc
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: cf57dfc4c9bf4b9d36e356d6f33550676b21e066

Comment by Peter Jones [ 02/Jul/15 ]

Landed for 2.8
