LU-13343 gss: no sec flavor on loopback connection 04/46704/10
authorSebastien Buisson <sbuisson@ddn.com>
Fri, 4 Mar 2022 15:45:59 +0000 (16:45 +0100)
committerOleg Drokin <green@whamcloud.com>
Sat, 8 Jul 2023 22:34:00 +0000 (22:34 +0000)
When using a local client, i.e. a client mounted on a server node,
there is no benefit from a security standpoint to enforce an SSK or
KRB flavor, since the data does not go over the network.
So force the 'null' security flavor for connections on 0@lo,
independently of the currently defined srpc flavor.

Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: If25d69bb1e67735cb0544ca954e49175f7471248
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/46704
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Aurelien Degremont <adegremont@nvidia.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: James Simmons <jsimmons@infradead.org>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
lustre/lmv/lmv_obd.c
lustre/lov/lov_obd.c
lustre/ptlrpc/sec_config.c
lustre/tests/recovery-small.sh
lustre/tests/test-framework.sh

index ddaae05..efcefcb 100644 (file)
@@ -482,6 +482,7 @@ out_disc:
                        continue;
 
                --lmv->lmv_mdt_descs.ltd_lmv_desc.ld_active_tgt_count;
+               obd_register_observer(tgt->ltd_exp->exp_obd, NULL);
                obd_disconnect(tgt->ltd_exp);
        }
 
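Review bot: The added `obd_register_observer(tgt->ltd_exp->exp_obd, NULL);` carries no comment, and the commit message only describes the loopback flavor change, so a reader cannot tell why the observer is dropped right before `obd_disconnect()` in the out_disc loop. A one-line comment such as `/* detach as observer before disconnecting; presumably so the target stops notifying this lmv after teardown */` would record the intent, and the same applies to the matching new call in lov_connect_osc. The return value is discarded here, whereas the registration path in lov_obd.c checks it; if clearing the observer cannot fail, saying so in that comment settles the question. The enclosing function, of which only the out_disc loop is visible, starts and ends outside the hunk.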
index 3a74d9e..71c11a4 100644 (file)
@@ -124,24 +124,26 @@ int lov_connect_osc(struct obd_device *obd, u32 index, int activate,
        if (lov->lov_tgts[index] == NULL)
                RETURN(-EINVAL);
 
-        tgt_uuid = &lov->lov_tgts[index]->ltd_uuid;
-        tgt_obd = lov->lov_tgts[index]->ltd_obd;
+       tgt_uuid = &lov->lov_tgts[index]->ltd_uuid;
+       tgt_obd = lov->lov_tgts[index]->ltd_obd;
 
-        if (!tgt_obd->obd_set_up) {
-                CERROR("Target %s not set up\n", obd_uuid2str(tgt_uuid));
-                RETURN(-EINVAL);
-        }
+       if (!tgt_obd->obd_set_up) {
+               rc = -EINVAL;
+               CERROR("%s: target not set up: rc = %d\n",
+                      obd_uuid2str(tgt_uuid), rc);
+               RETURN(rc);
+       }
 
-        /* override the sp_me from lov */
-        tgt_obd->u.cli.cl_sp_me = lov->lov_sp_me;
+       /* override the sp_me from lov */
+       tgt_obd->u.cli.cl_sp_me = lov->lov_sp_me;
 
-        if (data && (data->ocd_connect_flags & OBD_CONNECT_INDEX))
-                data->ocd_index = index;
+       if (data && (data->ocd_connect_flags & OBD_CONNECT_INDEX))
+               data->ocd_index = index;
 
-        /*
-         * Divine LOV knows that OBDs under it are OSCs.
-         */
-        imp = tgt_obd->u.cli.cl_import;
+       /*
+        * Divine LOV knows that OBDs under it are OSCs.
+        */
+       imp = tgt_obd->u.cli.cl_import;
 
        if (activate) {
                tgt_obd->obd_no_recov = 0;
@@ -150,12 +152,12 @@ int lov_connect_osc(struct obd_device *obd, u32 index, int activate,
                ptlrpc_activate_import(imp, false);
        }
 
-        rc = obd_register_observer(tgt_obd, obd);
-        if (rc) {
-                CERROR("Target %s register_observer error %d\n",
-                       obd_uuid2str(tgt_uuid), rc);
-                RETURN(rc);
-        }
+       rc = obd_register_observer(tgt_obd, obd);
+       if (rc) {
+               CERROR("%s: target register_observer error: rc = %d\n",
+                      obd_uuid2str(tgt_uuid), rc);
+               RETURN(rc);
+       }
 
        if (imp->imp_invalid) {
                CDEBUG(D_CONFIG, "%s: not connecting - administratively disabled\n",
@@ -165,16 +167,17 @@ int lov_connect_osc(struct obd_device *obd, u32 index, int activate,
 
        rc = obd_connect(NULL, &lov->lov_tgts[index]->ltd_exp, tgt_obd,
                         &lov_osc_uuid, data, lov->lov_cache);
-        if (rc || !lov->lov_tgts[index]->ltd_exp) {
-                CERROR("Target %s connect error %d\n",
-                       obd_uuid2str(tgt_uuid), rc);
-                RETURN(-ENODEV);
-        }
+       if (rc || !lov->lov_tgts[index]->ltd_exp) {
+               CERROR("%s: target connect error: rc = %d\n",
+                      obd_uuid2str(tgt_uuid), rc);
+               obd_register_observer(tgt_obd, NULL);
+               RETURN(-ENODEV);
+       }
 
-        lov->lov_tgts[index]->ltd_reap = 0;
+       lov->lov_tgts[index]->ltd_reap = 0;
 
-        CDEBUG(D_CONFIG, "Connected tgt idx %d %s (%s) %sactive\n", index,
-               obd_uuid2str(tgt_uuid), tgt_obd->obd_name, activate ? "":"in");
+       CDEBUG(D_CONFIG, "Connected tgt idx %d %s (%s) %sactive\n", index,
+              obd_uuid2str(tgt_uuid), tgt_obd->obd_name, activate ? "":"in");
 
        if (lov->lov_tgts_kobj) {
                /* Even if we failed, that's ok */
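Review bot: The new `obd_register_observer(tgt_obd, NULL);` on the connect-failure path undoes the `rc = obd_register_observer(tgt_obd, obd);` made earlier in the same function (previous hunk), but nothing at the call site says so; a comment such as `/* undo the observer registration above so tgt_obd is not left pointing at this lov */` keeps the pairing visible, and as in lmv_obd.c the result is discarded. Separately, this error path still logs `rc` but returns `-ENODEV` (pre-existing), so now that the message prints `rc = %d` the log line and the returned value can disagree, which the message rework in the first two hunks otherwise avoids; if callers do not depend on `-ENODEV`, `RETURN(rc ? rc : -ENODEV);` would align them. lov_connect_osc begins before the first hunk and continues past this one; the first two hunks are re-indentation and message-format changes only.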
index 69596b5..19bea77 100644 (file)
@@ -403,6 +403,10 @@ int sptlrpc_rule_set_choose(struct sptlrpc_rule_set *rset,
        struct sptlrpc_rule *r;
        int n;
 
+       if (nid_is_lo0(nid))
+               /* do not enforce any sec flavor on loopback connection */
+               return 0;
+
        for (n = 0; n < rset->srs_nrule; n++) {
                r = &rset->srs_rules[n];
 
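Review bot: The loopback early-return in sptlrpc_rule_set_choose returns 0 without writing `*sf`, and what 0 means to the caller is not visible in this hunk, so the comment should state the mechanism and not only the intent, e.g. `/* loopback traffic never leaves the node: report "no rule matched" so the caller falls back to its default (null) flavor */` — assuming that is indeed how the callers (outside this hunk) treat a 0 result. Because the check now runs before every configured rule, an explicit srpc rule for the lo network can no longer select a stronger flavor; that matches the description but is worth stating in the comment as well. The soundness of the bypass rests on `nid` being the transport-level peer NID rather than a value taken from the request itself; that property is established at the call sites, not here, and should be confirmed there, since anything that classified a remote peer as 0@lo would also grant it the null flavor. The remainder of the function, including its final return, lies outside the hunk.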
index 417eb3c..38304e8 100755 (executable)
@@ -2967,9 +2967,6 @@ test_140a() {
        [ $MDS1_VERSION -lt $(version_code 2.12.58) ] &&
                skip "Need MDS version at least 2.13.50"
 
-       [ "$SHARED_KEY" = true ] &&
-               skip "server local client incompatible with SSK keys installed"
-
        slr=$(do_facet mds1 \
                $LCTL get_param -n mdt.$FSNAME-MDT0000.local_recovery)
        stack_trap "do_facet mds1 $LCTL set_param \
@@ -3004,9 +3001,6 @@ test_140b() {
        [ $MDS1_VERSION -lt $(version_code 2.12.58) ] &&
                skip "Need MDS version at least 2.13.50"
 
-       [ "$SHARED_KEY" = true ] &&
-               skip "server local client incompatible with SSK keys installed"
-
        slr=$(do_facet mds1 \
                $LCTL get_param -n mdt.$FSNAME-MDT0000.local_recovery)
        stack_trap "do_facet mds1 $LCTL set_param \
index a43370f..9a9a681 100755 (executable)
@@ -1196,6 +1196,12 @@ init_gss() {
                        do_nodes $clients "find $SK_PATH/nodemap \
                                -name \*.key | xargs -IX $LGSS_SK -t client \
                                -m X >/dev/null 2>&1"
+                       # also have a client key available on server side,
+                       # for local client mount
+                       do_nodes $(comma_list $(all_server_nodes)) \
+                       "cp $SK_PATH/$FSNAME.key $SK_PATH/${FSNAME}_cli.key && \
+                        $LGSS_SK -t client -m \
+                               $SK_PATH/${FSNAME}_cli.key >/dev/null 2>&1"
                fi
                # This is required for servers as well, if S2S in use
                if $SK_S2S; then
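Review bot: The added server-side `do_nodes` discards both stdout and stderr of `cp` and `$LGSS_SK -t client -m`, and its exit status is not checked, so a missing `$SK_PATH/$FSNAME.key` or a failed key conversion is silent here and only surfaces later as a local client mount failure; this mirrors the existing client-side invocation just above, but appending `|| error "cannot prepare ${FSNAME}_cli.key on server nodes"` (or at least logging the failure) would point at the real cause. The continuation lines are also indented inconsistently — `do_nodes` and the quoted command begin at the same column — so indenting the quoted command one level deeper would read like the rest of the block. The enclosing `if` and init_gss itself begin before the hunk.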