[LU-9145] When Shared Key feature is active, Nodemap admin property allows more access
Created: 22/Feb/17  Updated: 15/Dec/21  Resolved: 09/Jan/18

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.9.0
Fix Version/s: Lustre 2.11.0, Lustre 2.10.4

Type: Bug
Priority: Minor
Reporter: Chris Hanna
Assignee: Kit Westneat
Resolution: Fixed
Votes: 0
Labels: patch

Issue Links:
Related
is related to LU-9795 SSK test failures in many suites when... Reopened
is related to LU-13172 nodemap: a squashed primary GID allow... Open
Severity: 4

 Description   

When the Shared Key feature of Lustre is active, and the Nodemap "admin" property for a nodemap is set to 0, Lustre does not restrict access to that nodemap as it normally would without Shared Key. Examples of this issue occurring can be found in tests 17, 18, and 20-23 of sanity-sec in the testing framework of the following run:
https://testing.hpdd.intel.com/test_sets/36d7440a-f84f-11e6-887f-5254006e85c2

This may be replicated on a system with Shared Key and Nodemap features enabled, by setting all nodemap admin and trusted properties to 0. Under these conditions, the system does not fully limit root access.

The error returned by the test framework is:
sanity-sec test_17: @@@@@@ FAIL: test trusted_noadmin:0:c0:0:000, wanted 0 0, got 1 1

The "0 0" desired by this test is the output of do_create_delete() from the sanity-sec.sh suite in the testing framework. This function attempts to touch, and then remove, a file. Since it should not be able to do either, the test fails since both operations are permitted. Other tests of the same nature fail for similar reasons.
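
A regression check in the spirit of the create/delete probe described above, as an added example (it is not the sanity-sec.sh code or part of the original report). The function names, the probe file name and the mount path in the usage comment are assumptions; it assumes it is run as root on a client whose nodemap has admin and trusted set to 0, against a directory the squashed identity cannot write to.

```shell
#!/bin/sh
# Added example: touch-then-remove probe modelled on the description of
# do_create_delete() in this ticket. Not the Lustre test suite's own code.

# probe_create_delete DIR
# Prints "C D": C=1 if a file could be created in DIR, D=1 if it could then
# be removed. "0 0" means both operations were refused.
probe_create_delete() {
    dir=$1
    file="$dir/.nodemap_probe.$$"   # hypothetical probe file name
    c=0
    d=0
    if touch "$file" 2>/dev/null; then
        c=1
        if rm -f "$file" 2>/dev/null && [ ! -e "$file" ]; then
            d=1
        fi
    fi
    echo "$c $d"
}

# check_access DIR WANTED
# Compares the probe result with WANTED ("0 0" when root is expected to be
# squashed) and reports it in the same "wanted ..., got ..." form as the
# failure line quoted in the ticket. Returns non-zero on a mismatch.
check_access() {
    got=$(probe_create_delete "$1")
    if [ "$got" = "$2" ]; then
        echo "PASS: $1 wanted $2, got $got"
        return 0
    fi
    echo "FAIL: $1 wanted $2, got $got"
    return 1
}

# Usage (path is an assumed mount point, adjust to the system under test):
#   check_access /mnt/lustre/testdir "0 0"
```

A result of "1 1" where "0 0" is wanted reproduces the condition reported here: root on the client was able to both create and delete the file.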



 Comments   
Comment by Andreas Dilger [ 01/Mar/17 ]

Chris, are Kit or Jeremy still available to work on this?

Comment by Chris Hanna [ 10/Mar/17 ]

Hi Andreas,

Kit mentioned he may take a look at this next week. Kerberos is affected in the same manner as SSK.

Comment by Gerrit Updater [ 14/Apr/17 ]

Kit Westneat (kit.westneat@gmail.com) uploaded a new patch: https://review.whamcloud.com/26624
Subject: LU-9145 nodemap: new_init_ucred doesn't do nodemapping
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: a17498dfd8a618964215974c028944d29c95f8be

Comment by Gerrit Updater [ 09/Jan/18 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/26624/
Subject: LU-9145 nodemap: new_init_ucred doesn't do nodemapping
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 37db778f48f952747575e323cb341ed663852fff

Comment by Minh Diep [ 09/Jan/18 ]

Landed for 2.11

Comment by Gerrit Updater [ 09/Jan/18 ]

Minh Diep (minh.diep@intel.com) uploaded a new patch: https://review.whamcloud.com/30812
Subject: LU-9145 nodemap: new_init_ucred doesn't do nodemapping
Project: fs/lustre-release
Branch: b2_10
Current Patch Set: 1
Commit: 5e5a69890e27963c2e2556e59b2984df254c3e2c

Comment by Gerrit Updater [ 26/Feb/18 ]

John L. Hammond (john.hammond@intel.com) merged in patch https://review.whamcloud.com/30812/
Subject: LU-9145 nodemap: new_init_ucred doesn't do nodemapping
Project: fs/lustre-release
Branch: b2_10
Current Patch Set:
Commit: 51eaf0d07e84cc86a1d4469f293060da53c351d5

Comment by Andreas Dilger [ 27/Aug/19 ]

No tests are currently reported as skipped because of this ticket.
