Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-9145] When Shared Key feature is active, Nodemap admin property allows more access https://jira.whamcloud.com/browse/LU-9145 Lustre <p>When the Shared Key feature of Lustre is active, and the Nodemap "admin" property for a nodemap is set to 0, Lustre does not restrict access to that nodemap as it normally would without Shared Key. Examples of this issue occurring can be found in tests 17, 18, and 20-23 of sanity-sec in the testing framework of the following run:<br/> <a href="https://testing.hpdd.intel.com/test_sets/36d7440a-f84f-11e6-887f-5254006e85c2" class="external-link" target="_blank" rel="nofollow noopener">https://testing.hpdd.intel.com/test_sets/36d7440a-f84f-11e6-887f-5254006e85c2</a></p> <p>This may be replicated on a system with Shared Key and Nodemap features enabled, by setting all nodemap admin and trusted properties to 0. Under these conditions, the system does not fully limit root access.</p> <p>The error returned by the test framework is:<br/> sanity-sec test_17: @@@@@@ FAIL: test trusted_noadmin:0:c0:0:000, wanted 0 0, got 1 1</p> <p>The "0 0" desired by this test is the output of do_create_delete() from the sanity-sec.sh suite in the testing framework. This function attempts to touch, and then remove, a file. Since it should not be able to do either, the test fails since both operations are permitted. Other tests of the same nature fail for similar reasons.</p> LU-9145 When Shared Key feature is active, Nodemap admin property allows more access Bug Minor Resolved Fixed Kit Westneat Chris Hanna Wed, 22 Feb 2017 19:39:15 +0000 Wed, 15 Dec 2021 02:35:29 +0000 Tue, 9 Jan 2018 15:50:45 +0000 Lustre 2.9.0 Lustre 2.11.0 Lustre 2.10.4 0 8 <p>Chris, are Kit or Jeremy still available to work on this?</p> <p>Hi Andreas,</p> <p>Kit mentioned he may take a look at this next week. Kerberos is affected in the same manner as SSK.</p> <p>Kit Westneat (kit.westneat@gmail.com) uploaded a new patch: <a href="https://review.whamcloud.com/26624" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/26624</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-9145" title="When Shared Key feature is active, Nodemap admin property allows more access" class="issue-link" data-issue-key="LU-9145"><del>LU-9145</del></a> nodemap: new_init_ucred doesn't do nodemapping<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: a17498dfd8a618964215974c028944d29c95f8be</p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="https://review.whamcloud.com/26624/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/26624/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-9145" title="When Shared Key feature is active, Nodemap admin property allows more access" class="issue-link" data-issue-key="LU-9145"><del>LU-9145</del></a> nodemap: new_init_ucred doesn't do nodemapping<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 37db778f48f952747575e323cb341ed663852fff</p> <p>Landed for 2.11</p> <p>Minh Diep (minh.diep@intel.com) uploaded a new patch: <a href="https://review.whamcloud.com/30812" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/30812</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-9145" title="When Shared Key feature is active, Nodemap admin property allows more access" class="issue-link" data-issue-key="LU-9145"><del>LU-9145</del></a> nodemap: new_init_ucred doesn't do nodemapping<br/> Project: fs/lustre-release<br/> Branch: b2_10<br/> Current Patch Set: 1<br/> Commit: 5e5a69890e27963c2e2556e59b2984df254c3e2c</p> <p>John L. Hammond (john.hammond@intel.com) merged in patch <a href="https://review.whamcloud.com/30812/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/30812/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-9145" title="When Shared Key feature is active, Nodemap admin property allows more access" class="issue-link" data-issue-key="LU-9145"><del>LU-9145</del></a> nodemap: new_init_ucred doesn't do nodemapping<br/> Project: fs/lustre-release<br/> Branch: b2_10<br/> Current Patch Set: <br/> Commit: 51eaf0d07e84cc86a1d4469f293060da53c351d5</p> <p>No tests are currently reported as skipped because of this ticket.</p> Related LU-9795 LU-13172 Development Rank 1|hzz4nz: Rank (Obsolete) 9223372036854775807 Severity