git://git.whamcloud.com - fs/lustre-release.git/commit

author	Sebastien Buisson <sbuisson@ddn.com>
	Mon, 27 Jan 2025 16:44:25 +0000 (17:44 +0100)
committer	Oleg Drokin <green@whamcloud.com>
	Thu, 12 Jun 2025 06:32:01 +0000 (06:32 +0000)
commit	14b519b52d403ebc283e56fd223177c3c885518f
tree	fe43e29ea41167d9f3d5a1640e0119d3e5f7f7f0	tree \| snapshot
parent	07f6a59ad71324ed253c2eba519cf095f346bde9	commit \| diff

LU-17410 sec: per-nodemap capabilities mask

Add a per-nodemap capabilities mask, used in preference to the global
enable_cap_mask parameter if it is set.
The new nodemap property is named enable_cap_mask, and can be set
thanks to the new lctl command 'nodemap_set_cap'. It is possible to
specify capabilities in hex or with symbolic names, with '+' and '-'
prefixes to respectively add or remove corresponding capabilities.
We support defining 2 types of capabilities, either a "set" so that it
is possible to add capabilities, or a "mask" to reduce capabilities of
the client.
This per-nodemap capabilities mask is available on any nodemap
including the default nodemap.

A dynamic child nodemap is allowed to define only a subset of the
capabilities set on the parent, unless the child_raise_privileges
property has the 'caps' privilege.

sanity-sec test_51 is enhanced to exercise this new nodemap property.

Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I1ed91c721d869d0596af9c2d7e07a2c411f2b7c2
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/57938
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Marc Vef <mvef@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>

libcfs/include/libcfs/Makefile.am		diff \| blob \| history
libcfs/include/libcfs/libcfs_caps.h	[new file with mode: 0644]	blob
libcfs/libcfs/debug.c		diff \| blob \| history
lustre/doc/Makefile.am		diff \| blob \| history
lustre/doc/lctl-nodemap-modify.8		diff \| blob \| history
lustre/doc/lctl-nodemap-set-cap.8	[new file with mode: 0644]	blob
lustre/doc/lctl-nodemap_set_cap.8	[new file with mode: 0644]	blob
lustre/doc/lctl.8		diff \| blob \| history
lustre/include/lustre_nodemap.h		diff \| blob \| history
lustre/include/uapi/linux/lustre/lustre_cfg.h		diff \| blob \| history
lustre/include/uapi/linux/lustre/lustre_disk.h		diff \| blob \| history
lustre/include/uapi/linux/lustre/lustre_idl.h		diff \| blob \| history
lustre/mdt/mdt_internal.h		diff \| blob \| history
lustre/mdt/mdt_lib.c		diff \| blob \| history
lustre/mdt/mdt_lproc.c		diff \| blob \| history
lustre/ptlrpc/nodemap_handler.c		diff \| blob \| history
lustre/ptlrpc/nodemap_internal.h		diff \| blob \| history
lustre/ptlrpc/nodemap_lproc.c		diff \| blob \| history
lustre/ptlrpc/nodemap_storage.c		diff \| blob \| history
lustre/ptlrpc/wiretest.c		diff \| blob \| history
lustre/tests/sanity-sec.sh		diff \| blob \| history
lustre/utils/lctl.c		diff \| blob \| history
lustre/utils/obd.c		diff \| blob \| history
lustre/utils/obdctl.h		diff \| blob \| history
lustre/utils/wirecheck.c		diff \| blob \| history
lustre/utils/wiretest.c		diff \| blob \| history