LU-17612 sec: return keyring errors to userspace 96/54296/3
authorAurelien Degremont <adegremont@nvidia.com>
Tue, 5 Mar 2024 08:29:23 +0000 (09:29 +0100)
committerOleg Drokin <green@whamcloud.com>
Sat, 23 Mar 2024 05:59:00 +0000 (05:59 +0000)
In current code, Linux keyring errors, when using GSS Kerberos,
are all masked under a generic ECONNREFUSED error. That makes
it hard to understand the root cause of the problem
for the I/O caller.

Update the code to propagate errors from request_key() up to
the application.

struct ptlrpc_cli_ctx * gss_sec_lookup_ctx_kr(...) is modified
to now return a NULL pointer or -errval. This is tested by callers
and propagated. NULL values are still converted to ECONNREFUSED.

Test-Parameters: trivial
Test-Parameters: kerberos=true testlist=sanity-krb5
Test-Parameters: testgroup=review-dne-selinux-ssk-part-2
Change-Id: I13792f141a961036bc9f7629a4a2db692e245c41
Signed-off-by: Aurelien Degremont <adegremont@nvidia.com>
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/54296
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
lustre/ptlrpc/gss/gss_keyring.c
lustre/ptlrpc/sec.c

index 7803cd6..8024b74 100644 (file)
@@ -806,6 +806,10 @@ do_unlink:
        }
 }
 
+/**
+ * \retval a valid context on success
+ * \retval -ev error number or NULL on error
+ */
 static
 struct ptlrpc_cli_ctx * gss_sec_lookup_ctx_kr(struct ptlrpc_sec *sec,
                                               struct vfs_cred *vcred,
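Review bot: The new comment on gss_sec_lookup_ctx_kr() leaves the return contract ambiguous, because `-ev error number or NULL on error` does not say that the errno comes back encoded in the pointer or which failures produce which value. Callers now have to test IS_ERR() as well as NULL, so the comment should spell that out, for example `\retval ERR_PTR(-errno) if request_key() fails` and `\retval NULL on any other failure`, with a one-line summary of what the function looks up. The function body lies outside this hunk, so the NULL wording should be checked against the remaining error paths.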
@@ -962,7 +966,10 @@ struct ptlrpc_cli_ctx * gss_sec_lookup_ctx_kr(struct ptlrpc_sec *sec,
        OBD_FREE(coinfo, coinfo_size);
 
        if (IS_ERR(key)) {
-               CERROR("failed request key: %ld\n", PTR_ERR(key));
+               CERROR("%s: request key failed for uid %d: rc = %ld\n",
+                      imp->imp_obd->obd_name, vcred->vc_uid,
+                      PTR_ERR(key));
+               ctx = ERR_CAST(key);
                goto out;
        }
        CDEBUG(D_SEC, "obtained key %08x for %s\n", key->serial, desc);
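Review bot: `ctx = ERR_CAST(key); goto out;` lets an ERR_PTR value reach the `out:` label and the function's return for the first time. That label is outside this hunk, so confirm that nothing there dereferences ctx or tests it only against NULL, and that every caller of this lookup path checks IS_ERR() before use. In the same branch, `vcred->vc_uid` is printed with `%d`; if vc_uid is an unsigned 32-bit field (its declaration is not visible here), `%u` is the matching specifier and keeps large uids from showing as negative numbers in the log.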
index f3ad28a..d3e78bc 100644 (file)
@@ -450,11 +450,17 @@ int sptlrpc_req_get_ctx(struct ptlrpc_request *req)
        sptlrpc_sec_put(sec);
 
        if (!req->rq_cli_ctx) {
-               CERROR("req %p: fail to get context\n", req);
-               RETURN(-ECONNREFUSED);
+               rc = -ECONNREFUSED;
+       } else if (IS_ERR(req->rq_cli_ctx)) {
+               rc = PTR_ERR(req->rq_cli_ctx);
+               req->rq_cli_ctx = NULL;
        }
 
-       RETURN(0);
+       if (rc)
+               CERROR("%s: fail to get context for req %p: rc = %d\n",
+                      imp->imp_obd->obd_name, req, rc);
+
+       RETURN(rc);
 }
 
 /**
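Review bot: `req->rq_cli_ctx` holds an ERR_PTR value until the `IS_ERR()` branch resets it to NULL. Until then, any code that inspects the request, or a later edit that returns early, would see a pointer that is non-NULL but cannot be dereferenced. Taking the lookup result in a local `struct ptlrpc_cli_ctx *ctx` and doing `req->rq_cli_ctx = ctx;` only on the success path would keep the field either NULL or valid at all times. The final `if (rc)` also depends on rc being 0 when a context was obtained. Both rc and rq_cli_ctx are assigned above this hunk, so that needs checking there.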
@@ -844,6 +850,8 @@ int sptlrpc_export_update_ctx(struct obd_export *exp)
                sec = sptlrpc_import_sec_ref(imp);
        if (sec) {
                ctx = get_my_ctx(sec);
+               if (IS_ERR(ctx))
+                       ctx = NULL;
                sptlrpc_sec_put(sec);
        }
 
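Review bot: The errno carried by `ctx` is discarded without a trace in `if (IS_ERR(ctx)) ctx = NULL;`, which works against the purpose of the commit when a keyring failure happens on this path. If dropping it is intended, say so in a comment and record the value first, e.g. `CDEBUG(D_SEC, "lookup ctx failed: rc = %ld\n", PTR_ERR(ctx));` before the reset. The rest of sptlrpc_export_update_ctx() is outside the hunk, so how the NULL case is handled afterwards cannot be judged from here.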
@@ -960,7 +968,9 @@ int sptlrpc_import_check_ctx(struct obd_import *imp)
        ctx = get_my_ctx(sec);
        sptlrpc_sec_put(sec);
 
-       if (!ctx)
+       if (IS_ERR(ctx))
+               RETURN(PTR_ERR(ctx));
+       else if (!ctx)
                RETURN(-ENOMEM);
 
        if (cli_ctx_is_eternal(ctx) ||
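Review bot: A NULL context is reported as `-ENOMEM` in the `else if (!ctx)` branch, while sptlrpc_req_get_ctx() in the same file maps the same NULL result to `-ECONNREFUSED`, and the commit message says NULL is still converted to ECONNREFUSED. Either align the two, or add a comment such as `/* NULL here means allocation failure, not a refused connection */` if that is what the lookup guarantees on this path. The `else` after `RETURN(PTR_ERR(ctx));` is also redundant, and a plain `if (!ctx)` on the next line reads more cleanly. The function continues past the end of the hunk.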