Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-16901] Provide l_getidentity_nss identity provider https://jira.whamcloud.com/browse/LU-16901 Lustre <p>l_getidenity to fetch user's supplementary groups info from NIS, LDAP and/or any other services that NSS modules exist for. Add lustre-only user/group configuration in plain files, keeping Lustre users and groups separate from Linux users/groups on Lustre server's machines for security reason</p> LU-16901 Provide l_getidentity_nss identity provider Bug Minor Resolved Fixed Shaun Tancheff Shaun Tancheff Thu, 15 Jun 2023 09:40:08 +0000 Mon, 20 Nov 2023 16:50:27 +0000 Sat, 18 Nov 2023 22:05:00 +0000 Lustre 2.16.0 0 5 <p>"Shaun Tancheff &lt;shaun.tancheff@hpe.com&gt;" uploaded a new patch: <a href="https://review.whamcloud.com/c/fs/lustre-release/+/51329" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/c/fs/lustre-release/+/51329</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-16901" title="Provide l_getidentity_nss identity provider" class="issue-link" data-issue-key="LU-16901"><del>LU-16901</del></a> utils: l_getidentity_nss<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: bf6a4565c11ae2d570e04f3d982e0bd1f4903d71</p> <p>I think this was previously submitted under patch <a href="https://review.whamcloud.com/45634" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/45634</a></p> <p>My question there was:</p> <blockquote> <p>Maybe I'm missing something, but doesn't the existing l_getidentity.c <b>already</b> handle lookups based on /etc/nsswitch.conf by calling the Glibc getpwuid/getgrouplist to do lookups in LDAP, NIS, SSS?</p></blockquote> <p>And the response from Alexander Zarochentsev was:</p> <blockquote> <p>the idea is to have configuration independent from the system on in /etc/nsswitch.conf. at least I was told it is useful for server security.</p></blockquote> <p>but it didn't provide enough explanation about what security issues this addresses</p> <p>It should be possible to query the LDAP without allowing the users to login to the MDS and needing a separate upcall?</p> <p>"Oleg Drokin &lt;green@whamcloud.com&gt;" merged in patch <a href="https://review.whamcloud.com/c/fs/lustre-release/+/51329/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/c/fs/lustre-release/+/51329/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-16901" title="Provide l_getidentity_nss identity provider" class="issue-link" data-issue-key="LU-16901"><del>LU-16901</del></a> utils: l_getidentity with nss module support<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 5f9f92454ef2a46075c850546ad4ac1621038dcf</p> <p>Landed for 2.16</p> Duplicate LU-15267 Related LU-17301 Development Rank 1|i03o3j: Rank (Obsolete) 9223372036854775807 Severity