Whamcloud - gitweb
LU-17714 gss: protect against revoked session keyring 06/54706/5
author Sebastien Buisson <sbuisson@ddn.com>
Mon, 8 Apr 2024 15:52:50 +0000 (17:52 +0200)
committer Oleg Drokin <green@whamcloud.com>
Tue, 21 May 2024 18:24:45 +0000 (18:24 +0000)
commit 045ab5c0273a843493ed2d6d3486b41efe36b834
tree 72ba967b1af43010330cbcd2751ebf666d6287c3
parent afe0e091d1b82391a929df74717b9665a6f0ab75
LU-17714 gss: protect against revoked session keyring

In case the session keyring is revoked, request_key() still tries to
search it. Sadly this keyring is searched before the user keyring, so
it will return -EKEYREVOKED, and the user keyring, that does contain
the Lustre key, will not even be searched.
To work around this issue in the kernel implementation of request_key,
override the current process's credentials with no session keyring,
if we detect it has been revoked.

Test-Parameters: kerberos=true testlist=sanity-krb5 serverdistro=el8.9
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I64b6ac4693a47cf43d6fa1bf4e17bfb4907670fa
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/54706
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Aurelien Degremont <adegremont@nvidia.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
lustre/ptlrpc/gss/gss_keyring.c
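
A userspace model of the search order the commit message describes, added here as an example and not taken from Lustre or the kernel. The struct names, function names and key description are hypothetical, the real change overrides kernel credentials rather than copying a struct, and the error constants come from Linux's errno.h.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Toy keyring: a revoked flag plus the descriptions of the keys it holds. */
struct keyring { int revoked; const char *keys[4]; };

/* Toy credentials: only the two keyrings the commit message mentions. */
struct cred { const struct keyring *session, *user; };

static int search_one(const struct keyring *kr, const char *desc)
{
    if (!kr)
        return -ENOKEY;          /* no such keyring: nothing found here */
    if (kr->revoked)
        return -EKEYREVOKED;     /* a revoked keyring fails the lookup */
    for (int i = 0; i < 4 && kr->keys[i]; i++)
        if (strcmp(kr->keys[i], desc) == 0)
            return 0;
    return -ENOKEY;
}

/* Session keyring first; only "not found" lets the search move on. */
static int model_request_key(const struct cred *c, const char *desc)
{
    int rc = search_one(c->session, desc);
    return rc != -ENOKEY ? rc : search_one(c->user, desc);
}

/* Workaround: search with a credentials copy that has no session keyring. */
static int model_request_key_fixed(const struct cred *c, const char *desc)
{
    struct cred tmp = *c;
    if (tmp.session && tmp.session->revoked)
        tmp.session = NULL;
    return model_request_key(&tmp, desc);
}

/* Constructed sample state: revoked session keyring, key in user keyring. */
static const struct keyring revoked_ses = { 1, { NULL } };
static const struct keyring user_kr = { 0, { "sample-lustre-key", NULL } };
static const struct cred sample = { &revoked_ses, &user_kr };

int main(void)
{
    printf("plain=%d fixed=%d\n", model_request_key(&sample, "sample-lustre-key"),
           model_request_key_fixed(&sample, "sample-lustre-key"));
    return 0;
}
```

The override applies only when the session keyring is revoked, so a process with a live session keyring keeps its normal search path.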