IU Shared Secret Key authentication and encryption
(LU-3289)
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | Lustre 2.4.0 |
| Fix Version/s: | Lustre 2.8.0 |
| Type: | Technical task | Priority: | Critical |
| Reporter: | Daniel Kobras (Inactive) | Assignee: | WC Triage |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | SSK, patch |
| Rank (Obsolete): | 9779 |
| Description |
|
Trying to use a GSS-enabled Lustre build with Kerberos authentication with 2.4.0 leads to instant LBUGs on connect because gss_internal.h::import_to_gss_svc() only knows about mgc, mdc, and osc. It bails out as soon as another component like osp or lwp tries to initiate an authenticated connection. It depends on the srpc configuration, which of the components triggers the LBUG first, but the root cause is always the proxies trying to use GSS authentication while the GSS subsystem doesn't know about them. |
| Comments |
| Comment by Jodi Levi (Inactive) [ 19/Aug/13 ] |
|
Mike, |
| Comment by Nathan Rutman [ 20/Aug/13 ] |
|
Is this a problem with any GSS usage in 2.4, or do you need to do something specific? |
| Comment by Nikitas Angelinas [ 20/Aug/13 ] |
|
I remember seeing this LBUG when testing GSS/Kerberos on 2.4; according to my notes, it happened soon after the Kerberos mode was switched to krb5p. |
| Comment by Daniel Kobras (Inactive) [ 26/Aug/13 ] |
|
So far, I haven't found a way to avoid this bug when trying to use GSS with 2.4. From my testing, osp and lwp seem to be treated as 'clients' by sptlrpc: The LBUG is hit if krb5p is configured for directions default, cli2mdt, and cli2ost. It might not trigger if only mdt2mdt or mdt2ost are used, but I haven't verified these combinations. The easiest reproducer is:
|
| Comment by Andreas Dilger [ 05/Nov/13 ] |
|
It looks like we need to initialize the sptlrpc subsystem for OSP and LWP connections, presumably using sptlrpc_lprocfs_cliobd_attach(). That will also configure the srpc_info and srpc_contexts files in /proc that test-framework.sh::flvr_cnt_mdt2ost->get_mdtosc_proc_path() needs for sanity-gss.sh to work. |
| Comment by Jodi Levi (Inactive) [ 10/Nov/14 ] |
|
Shared key crypto will not be in the 2.7 Release. |
| Comment by Sebastien Buisson (Inactive) [ 11/Mar/15 ] |
|
Hi, Following Andreas' advice, I have made a patch that initializes the sptlrpc subsystem for OSP and LWP connections, by calling sptlrpc_lprocfs_cliobd_attach(). I also found that GSS related functions must not return an LBUG when dealing with OSP and LWP OBDs. Sebastien. |
| Comment by Gerrit Updater [ 11/Mar/15 ] |
|
Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: http://review.whamcloud.com/14040 |
| Comment by Gerrit Updater [ 01/Jul/15 ] |
|
Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/14040/ |
| Comment by Peter Jones [ 02/Jul/15 ] |
|
Landed for 2.8 |