LU-17612 sec: return keyring errors to userspace
authorAurelien Degremont <adegremont@nvidia.com>
Tue, 5 Mar 2024 08:29:23 +0000 (09:29 +0100)
committerAndreas Dilger <adilger@whamcloud.com>
Sat, 30 Mar 2024 07:20:33 +0000 (07:20 +0000)
In current code, Linux keyring errors, when using GSS Kerberos,
are all masked under a generic ECONNREFUSED error. That makes
it hard to understand the root cause of the problem
for the I/O caller.

Update the code to propagate errors from request_key() up to
the application.

struct ptlrpc_cli_ctx * gss_sec_lookup_ctx_kr(...) is modified
to now return a NULL pointer or -errval. This is tested by callers
and propagated. NULL values are still converted to ECONNREFUSED.

Lustre-change: https://review.whamcloud.com/54296
Lustre-commit: cd8625792f10d51fceca4717544ff8016609c3be

Test-Parameters: trivial
Test-Parameters: kerberos=true testlist=sanity-krb5
Test-Parameters: testgroup=review-dne-selinux-ssk-part-2
Change-Id: I13792f141a961036bc9f7629a4a2db692e245c41
Signed-off-by: Aurelien Degremont <adegremont@nvidia.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-on: https://review.whamcloud.com/c/ex/lustre-release/+/54556
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
lustre/ptlrpc/gss/gss_keyring.c
lustre/ptlrpc/sec.c

index 57d3c4f..e66ee17 100644 (file)
@@ -806,6 +806,10 @@ do_unlink:
        }
 }
 
+/**
+ * \retval a valid context on success
+ * \retval -ev error number or NULL on error
+ */
 static
 struct ptlrpc_cli_ctx * gss_sec_lookup_ctx_kr(struct ptlrpc_sec *sec,
                                               struct vfs_cred *vcred,
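Review bot: The new `\retval` lines describe the error return as `-ev`, but the function returns a pointer, so what callers receive is an `ERR_PTR()`-encoded errno, and the comment should say so to keep anyone from testing the result with `!ctx` alone. I would word the two lines as `\retval ERR_PTR(-errno) on lookup failure, check with IS_ERR()` and `\retval NULL when no context is available`, and add a one-sentence summary of what the function looks up above them. The function body lies outside this hunk, so the exact conditions for the NULL case need confirming against it.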
@@ -955,7 +959,10 @@ struct ptlrpc_cli_ctx * gss_sec_lookup_ctx_kr(struct ptlrpc_sec *sec,
        OBD_FREE(coinfo, coinfo_size);
 
        if (IS_ERR(key)) {
-               CERROR("failed request key: %ld\n", PTR_ERR(key));
+               CERROR("%s: request key failed for uid %d: rc = %ld\n",
+                      imp->imp_obd->obd_name, vcred->vc_uid,
+                      PTR_ERR(key));
+               ctx = ERR_CAST(key);
                goto out;
        }
        CDEBUG(D_SEC, "obtained key %08x for %s\n", key->serial, desc);
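Review bot: After `ctx = ERR_CAST(key); goto out;` the function leaves with `ctx` holding an error pointer where it used to hold NULL, so anything under the `out:` label, which is outside this hunk, must not treat a non-NULL `ctx` as a live context. Separately, the new message prints `vcred->vc_uid` with `%d`; if that field is unsigned, as a uid normally is, `%u` is the matching specifier: `CERROR("%s: request key failed for uid %u: rc = %ld\n",`. A short comment above the assignment, such as `/* hand the request_key() errno back to the caller as an ERR_PTR */`, would make the new return convention visible where it is introduced.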
index e47f9b3..e185211 100644 (file)
@@ -449,11 +449,17 @@ int sptlrpc_req_get_ctx(struct ptlrpc_request *req)
        sptlrpc_sec_put(sec);
 
        if (!req->rq_cli_ctx) {
-               CERROR("req %p: fail to get context\n", req);
-               RETURN(-ECONNREFUSED);
+               rc = -ECONNREFUSED;
+       } else if (IS_ERR(req->rq_cli_ctx)) {
+               rc = PTR_ERR(req->rq_cli_ctx);
+               req->rq_cli_ctx = NULL;
        }
 
-       RETURN(0);
+       if (rc)
+               CERROR("%s: fail to get context for req %p: rc = %d\n",
+                      imp->imp_obd->obd_name, req, rc);
+
+       RETURN(rc);
 }
 
 /**
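Review bot: `rc` is assigned only in the two failure branches, so `RETURN(rc)` on the success path depends on `rc` already being 0 when this code is reached; its declaration and earlier assignments are above the hunk and should be checked. Resetting `req->rq_cli_ctx` to NULL after `PTR_ERR()` is what keeps an error pointer from staying in the request, and that deserves a comment, e.g. `/* do not leave an ERR_PTR in rq_cli_ctx */`. The function's header comment, not visible here, should also state that errnos other than -ECONNREFUSED can now be returned.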
@@ -843,6 +849,8 @@ int sptlrpc_export_update_ctx(struct obd_export *exp)
                sec = sptlrpc_import_sec_ref(imp);
        if (sec) {
                ctx = get_my_ctx(sec);
+               if (IS_ERR(ctx))
+                       ctx = NULL;
                sptlrpc_sec_put(sec);
        }
 
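Review bot: The errno carried by `ctx` is dropped without a trace when `IS_ERR(ctx)` resets it to NULL, whereas the other two callers changed in this commit pass it on. If treating a lookup error like a missing context is intended here, say so in a comment such as `/* lookup errors are treated like a missing context here */`, and consider a `CDEBUG(D_SEC, ...)` with `PTR_ERR(ctx)` before the reset so a keyring failure can still be diagnosed. The rest of sptlrpc_export_update_ctx is outside this hunk, so how a NULL `ctx` is handled afterwards could not be checked.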
@@ -959,7 +967,9 @@ int sptlrpc_import_check_ctx(struct obd_import *imp)
        ctx = get_my_ctx(sec);
        sptlrpc_sec_put(sec);
 
-       if (!ctx)
+       if (IS_ERR(ctx))
+               RETURN(PTR_ERR(ctx));
+       else if (!ctx)
                RETURN(-ENOMEM);
 
        if (cli_ctx_is_eternal(ctx) ||
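Review bot: A NULL `ctx` is still mapped to -ENOMEM here, while sptlrpc_req_get_ctx maps the same condition to -ECONNREFUSED and the commit message says NULL values are converted to ECONNREFUSED; one of the two should change, or the difference should be explained in a comment. The `else` after `RETURN(PTR_ERR(ctx));` is also redundant, since RETURN leaves the function, and a plain `if (!ctx)` reads more directly. The function continues past the end of the hunk.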