From cd8625792f10d51fceca4717544ff8016609c3be Mon Sep 17 00:00:00 2001 From: Aurelien Degremont Date: Tue, 5 Mar 2024 09:29:23 +0100 Subject: [PATCH] LU-17612 sec: return keyring errors to userspace In current code, Linux keyring errors, when using GSS Kerberos, are all masked under a generic ECONNREFUSED error. That makes it hard to understand the root cause of the problem for the I/O caller. Update the code to propagate errors from request_key() up to the application. struct ptlrpc_cli_ctx * gss_sec_lookup_ctx_kr(...) is modified to now returns a NULL pointer or -errval. This is tested by callers and propagated. NULL values are still converted to ECONNREFUSED. Test-Parameters: trivial Test-Parameters: kerberos=true testlist=sanity-krb5 Test-Parameters: testgroup=review-dne-selinux-ssk-part-2 Change-Id: I13792f141a961036bc9f7629a4a2db692e245c41 Signed-off-by: Aurelien Degremont Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/54296 Tested-by: jenkins Tested-by: Maloo Reviewed-by: Andreas Dilger Reviewed-by: Oleg Drokin Reviewed-by: Sebastien Buisson --- lustre/ptlrpc/gss/gss_keyring.c | 9 ++++++++- lustre/ptlrpc/sec.c | 18 ++++++++++++++---- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/lustre/ptlrpc/gss/gss_keyring.c b/lustre/ptlrpc/gss/gss_keyring.c index 7803cd6..8024b74 100644 --- a/lustre/ptlrpc/gss/gss_keyring.c +++ b/lustre/ptlrpc/gss/gss_keyring.c @@ -806,6 +806,10 @@ do_unlink: } } +/** + * \retval a valid context on success + * \retval -ev error number or NULL on error + */ static struct ptlrpc_cli_ctx * gss_sec_lookup_ctx_kr(struct ptlrpc_sec *sec, struct vfs_cred *vcred, @@ -962,7 +966,10 @@ struct ptlrpc_cli_ctx * gss_sec_lookup_ctx_kr(struct ptlrpc_sec *sec, OBD_FREE(coinfo, coinfo_size); if (IS_ERR(key)) { - CERROR("failed request key: %ld\n", PTR_ERR(key)); + CERROR("%s: request key failed for uid %d: rc = %ld\n", + imp->imp_obd->obd_name, vcred->vc_uid, + PTR_ERR(key)); + ctx = ERR_CAST(key); goto out; } CDEBUG(D_SEC, "obtained key %08x for %s\n", key->serial, desc); diff --git a/lustre/ptlrpc/sec.c b/lustre/ptlrpc/sec.c index f3ad28a..d3e78bc 100644 --- a/lustre/ptlrpc/sec.c +++ b/lustre/ptlrpc/sec.c @@ -450,11 +450,17 @@ int sptlrpc_req_get_ctx(struct ptlrpc_request *req) sptlrpc_sec_put(sec); if (!req->rq_cli_ctx) { - CERROR("req %p: fail to get context\n", req); - RETURN(-ECONNREFUSED); + rc = -ECONNREFUSED; + } else if (IS_ERR(req->rq_cli_ctx)) { + rc = PTR_ERR(req->rq_cli_ctx); + req->rq_cli_ctx = NULL; } - RETURN(0); + if (rc) + CERROR("%s: fail to get context for req %p: rc = %d\n", + imp->imp_obd->obd_name, req, rc); + + RETURN(rc); } /** @@ -844,6 +850,8 @@ int sptlrpc_export_update_ctx(struct obd_export *exp) sec = sptlrpc_import_sec_ref(imp); if (sec) { ctx = get_my_ctx(sec); + if (IS_ERR(ctx)) + ctx = NULL; sptlrpc_sec_put(sec); } @@ -960,7 +968,9 @@ int sptlrpc_import_check_ctx(struct obd_import *imp) ctx = get_my_ctx(sec); sptlrpc_sec_put(sec); - if (!ctx) + if (IS_ERR(ctx)) + RETURN(PTR_ERR(ctx)); + else if (!ctx) RETURN(-ENOMEM); if (cli_ctx_is_eternal(ctx) || -- 1.8.3.1