LU-17566 mdt: improve new_init_ucred() for refactoring

In order to merge new_init_ucred() and old_init_ucred()
code eventually, move new_init_ucred() code around
for it to look even closer to old_init_ucred().

- Fill generic ucred fields at the beginning (similar to
what old_init_ucred() is doing.
- Move code for the bottom part to be closer to
old_init_ucred_common().

This code path is not used on most of lustre deployments,
so I'm enabling kerberos testing to ensure some tests
will go through this code path.

Test-Parameters: kerberos=true testlist=sanity-krb5

Change-Id: I113fca6a104c1db66d9e0defd6fd91e378d7208c
Signed-off-by: Aurelien Degremont <adegremont@nvidia.com>
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/55025
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>

diff --git a/lustre/mdt/mdt_lib.c b/lustre/mdt/mdt_lib.c
index 3e33d8b..93f0826 100644 (file)
--- a/lustre/mdt/mdt_lib.c
+++ b/lustre/mdt/mdt_lib.c
@@ -201,6 +201,7 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
        struct lu_ucred *ucred = mdt_ucred(info);
        struct lu_nodemap *nodemap;
        struct lnet_nid peernid = req->rq_peer.nid;
+       struct md_identity *identity = NULL;
        __u32 perm = 0;
        int setuid;
        int setgid;
@@ -233,6 +234,15 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
        ucred->uc_o_fsuid = pud->pud_fsuid;
        ucred->uc_o_fsgid = pud->pud_fsgid;
 
+       ucred->uc_uid = pud->pud_uid;
+       ucred->uc_gid = pud->pud_gid;
+
+       ucred->uc_fsuid = pud->pud_fsuid;
+       ucred->uc_fsgid = pud->pud_fsgid;
+
+       ucred->uc_cap = CAP_EMPTY_SET;
+       ll_set_capability_u32(&ucred->uc_cap, pud->pud_cap);
+
        if (type == BODY_INIT) {
                struct mdt_body *body = (struct mdt_body *)buf;
 
@@ -240,6 +250,8 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
                ucred->uc_suppgids[1] = -1;
        }
 
+       /* Perm checks before fetching external identity */
+
        if (!flvr_is_rootonly(req->rq_flvr.sf_rpc) &&
            req->rq_auth_uid != pud->pud_uid) {
                CDEBUG(D_SEC, "local client %s: auth uid %u "
@@ -255,31 +267,32 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
                /* deny access before we get identity ref */
                GOTO(out, rc = -EACCES);
 
-       if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
-               ucred->uc_identity = NULL;
-               perm = CFS_SETUID_PERM | CFS_SETGID_PERM | CFS_SETGRP_PERM;
-       } else {
-               struct md_identity *identity;
+       /* Fetch external identity info, if enabled */
 
+       if (!is_identity_get_disabled(mdt->mdt_identity_cache)) {
                identity = mdt_identity_get(mdt->mdt_identity_cache,
                                            pud->pud_uid);
                if (IS_ERR(identity)) {
-                       if (unlikely(PTR_ERR(identity) == -EREMCHG)) {
-                               ucred->uc_identity = NULL;
-                               perm = CFS_SETUID_PERM | CFS_SETGID_PERM |
-                                      CFS_SETGRP_PERM;
+                       if (unlikely(PTR_ERR(identity) == -EREMCHG ||
+                                    cap_raised(ucred->uc_cap,
+                                               CAP_DAC_READ_SEARCH))) {
+                               identity = NULL;
                        } else {
                                CDEBUG(D_SEC,
                                       "Deny access without identity: uid %u\n",
                                       pud->pud_uid);
                                GOTO(out_nodemap, rc = -EACCES);
                        }
-               } else {
-                       ucred->uc_identity = identity;
-                       perm = mdt_identity_get_perm(ucred->uc_identity,
-                                                    &peernid);
                }
        }
+       ucred->uc_identity = identity;
+
+       /* Perm checks that needs external identity */
+
+       if (ucred->uc_identity)
+               perm = mdt_identity_get_perm(ucred->uc_identity, &peernid);
+       else
+               perm = CFS_SETUID_PERM | CFS_SETGID_PERM | CFS_SETGRP_PERM;
 
        /* find out the setuid/setgid attempt */
        setuid = (pud->pud_uid != pud->pud_fsuid);
@@ -322,14 +335,6 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
                ucred->uc_ginfo = NULL;
        }
 
-       ll_set_capability_u32(&ucred->uc_cap, pud->pud_cap);
-
-       ucred->uc_uid = pud->pud_uid;
-       ucred->uc_gid = pud->pud_gid;
-
-       ucred->uc_fsuid = pud->pud_fsuid;
-       ucred->uc_fsgid = pud->pud_fsgid;
-
        /* clear suppgids if uid or gid was squashed. */
        if (nodemap &&
            (ucred->uc_o_uid == nodemap->nm_squash_uid ||
@@ -381,12 +386,13 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
                }
        }
 
-       ucred->uc_valid = UCRED_NEW;
        ucred_set_jobid(info, ucred);
        ucred_set_nid(info, ucred);
        ucred_set_audit_enabled(info, ucred);
        ucred_set_rbac_roles(info, ucred);
 
+       ucred->uc_valid = UCRED_NEW;
+
        EXIT;
 
 out:
@@ -594,12 +600,13 @@ static int old_init_ucred_common(struct mdt_thread_info *info,
                uc->uc_suppgids[1] = -1;
        }
 
-       uc->uc_valid = UCRED_OLD;
        ucred_set_jobid(info, uc);
        ucred_set_nid(info, uc);
        ucred_set_audit_enabled(info, uc);
        ucred_set_rbac_roles(info, uc);
 
+       uc->uc_valid = UCRED_OLD;
+
        EXIT;
        return 0;
 }