LU-18591 sec: remove support for idmap.conf 51/57651/3
authorSebastien Buisson <sbuisson@ddn.com>
Mon, 6 Jan 2025 16:12:56 +0000 (17:12 +0100)
committerOleg Drokin <green@whamcloud.com>
Sun, 2 Feb 2025 06:29:23 +0000 (06:29 +0000)
Patch "LU-16630 sec: improve Kerberos cross-realm trust remapping"
added a warning message that idmap.conf is deprecated.
With this patch, we go one step further and remove support for
idmap.conf. This means l_idmap is also removed.
Cross-realm trust remapping should be carried out via a mechanism
provided by Kerberos, such as auth_to_local or equivalent.

Test-Parameters: trivial
Test-Parameters: kerberos=true testlist=sanity-krb5
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I0ab2f3a12d47f55756094043b0ec2b19d8634de1
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/57651
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Aurelien Degremont <adegremont@nvidia.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
lustre/utils/gss/.gitignore
lustre/utils/gss/Makefile.am
lustre/utils/gss/l_idmap.c [deleted file]
lustre/utils/gss/lsupport.c
lustre/utils/gss/lsupport.h
lustre/utils/gss/svcgssd.c
lustre/utils/gss/svcgssd_main_loop.c
lustre/utils/gss/svcgssd_proc.c

index a28ef0b..96c9afd 100644 (file)
@@ -1,6 +1,5 @@
 /Makefile.in
 /lsvcgssd
-/l_idmap
 /lgss_keyring
 /lgss_sk
 /l_getauth
index da3566d..c57b552 100644 (file)
@@ -4,7 +4,7 @@ AM_CFLAGS := -fPIC \
             -D_LARGEFILE64_SOURCE=1 -D_FILE_OFFSET_BITS=64 -DLUSTRE_UTILS=1 \
             -D_GNU_SOURCE
 
-sbin_PROGRAMS = l_idmap
+sbin_PROGRAMS =
 
 if GSS_KEYRING
 sbin_PROGRAMS += lsvcgssd lgss_keyring l_getauth
@@ -50,15 +50,6 @@ if GSS_SSK
 lsvcgssd_LDADD += -lcrypto -lssl
 endif
 
-l_idmap_SOURCES = \
-       l_idmap.c \
-       lsupport.c \
-       err_util.c \
-       \
-       lsupport.h
-
-l_idmap_LDADD = $(top_builddir)/lustre/utils/liblustreapi.la $(KRBLIBS)
-
 l_getauth_SOURCES = \
        l_getauth.c \
        lsupport.c \
diff --git a/lustre/utils/gss/l_idmap.c b/lustre/utils/gss/l_idmap.c
deleted file mode 100644 (file)
index 9fcf8a5..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-#include <sys/types.h>
-#include <stdbool.h>
-#include <stdlib.h>
-#include <stdio.h>
-/* For basename() */
-#include <libgen.h>
-#include "lsupport.h"
-
-int main(int argc, char **argv)
-{
-       lnet_nid_t nid;
-       uid_t uid;
-       int rc;
-
-       if (argc < 3) {
-               printf("Usage:\n"
-                      "%s <princ> <nid>\n",
-                      basename(argv[0]));
-               return 1;
-       }
-
-       nid = libcfs_str2nid(argv[2]);
-       if (nid == LNET_NID_ANY) {
-               printf("parse nid %s failed\n", argv[2]);
-               return 1;
-       }
-       rc = lookup_mapping(argv[1], nid, &uid);
-       if (rc == -1) {
-               printf("lookup mapping failed\n");
-               return 1;
-       }
-
-       printf("principal: %s\n"
-              "nid:       %#llx\n"
-              "uid:       %u\n",
-              argv[1], nid, uid);
-
-       return 0;
-}
index e975761..4126fee 100644 (file)
@@ -411,70 +411,6 @@ int lnet_nid2hostname(lnet_nid_t nid, char *buf, int buflen)
                                       buf, buflen);
 }
 
-
-/****************************************
- * user mapping database handling       *
- * (very rudiment)                      *
- ****************************************/
-
-#define MAPPING_GROW_SIZE       512
-#define MAX_LINE_LEN            256
-
-struct user_map_item {
-       char        *principal; /* NULL means match all */
-       lnet_nid_t   nid;
-       uid_t        uid;
-};
-
-struct user_mapping {
-       int                   nitems;
-       struct user_map_item *items;
-};
-
-static struct user_mapping mapping;
-/* FIXME to be finished: monitor change of mapping database */
-static int mapping_mtime;
-
-void cleanup_mapping(void)
-{
-       if (mapping.items) {
-               for (; mapping.nitems > 0; mapping.nitems--)
-                       if (mapping.items[mapping.nitems-1].principal)
-                               free(mapping.items[mapping.nitems-1].principal);
-
-               free(mapping.items);
-               mapping.items = NULL;
-       }
-}
-
-static int grow_mapping(int nitems)
-{
-       struct user_map_item *new;
-       int oldsize, newsize;
-
-       oldsize = (mapping.nitems * sizeof(struct user_map_item) +
-                  MAPPING_GROW_SIZE - 1) / MAPPING_GROW_SIZE;
-       newsize = (nitems * sizeof(struct user_map_item) +
-                  MAPPING_GROW_SIZE - 1) / MAPPING_GROW_SIZE;
-       while (newsize <= oldsize)
-               return 0;
-
-       newsize *= MAPPING_GROW_SIZE;
-       new = malloc(newsize);
-       if (!new) {
-               printerr(LL_ERR, "can't alloc mapping size %d\n", newsize);
-               return -1;
-       }
-
-       if (mapping.items) {
-               memcpy(new, mapping.items,
-                      mapping.nitems * sizeof(struct user_map_item));
-               free(mapping.items);
-       }
-       mapping.items = new;
-       return 0;
-}
-
 uid_t parse_uid(char *uidstr)
 {
        struct passwd *pw;
@@ -492,153 +428,6 @@ uid_t parse_uid(char *uidstr)
        return -1;
 }
 
-static int read_mapping_db(void)
-{
-       char princ[MAX_LINE_LEN];
-       char nid_str[MAX_LINE_LEN];
-       char dest[MAX_LINE_LEN];
-       char linebuf[MAX_LINE_LEN];
-       char *line;
-       lnet_nid_t nid;
-       uid_t dest_uid;
-       FILE *f;
-
-       /* cleanup old mappings */
-       cleanup_mapping();
-
-       f = fopen(MAPPING_DATABASE_FILE, "r");
-       if (!f) {
-               printerr(LL_ERR, "can't open mapping database: %s\n",
-                        MAPPING_DATABASE_FILE);
-               return -1;
-       }
-
-       while ((line = fgets(linebuf, MAX_LINE_LEN, f)) != NULL) {
-               char *name;
-
-               if (sscanf(line, "%s %s %s", princ, nid_str, dest) != 3) {
-                       printerr(LL_ERR, "mapping db: syntax error\n");
-                       continue;
-               }
-
-               if (!strcmp(princ, "*")) {
-                       name = NULL;
-               } else {
-                       name = strdup(princ);
-                       if (!name) {
-                               printerr(LL_ERR, "fail to dup str %s\n", princ);
-                               continue;
-                       }
-               }
-
-               if (!strcmp(nid_str, "*")) {
-                       nid = LNET_NID_ANY;
-               } else {
-                       nid = libcfs_str2nid(nid_str);
-                       if (nid == LNET_NID_ANY) {
-                               printerr(LL_ERR, "fail to parse nid %s\n",
-                                        nid_str);
-                               if (name)
-                                       free(name);
-                               continue;
-                       }
-               }
-
-               dest_uid = parse_uid(dest);
-               if (dest_uid == -1) {
-                       printerr(LL_ERR, "no valid user: %s\n", dest);
-                       if (name)
-                               free(name);
-                       continue;
-               }
-
-               if (grow_mapping(mapping.nitems + 1)) {
-                       printerr(LL_ERR, "fail to grow mapping to %d\n",
-                                mapping.nitems + 1);
-                       if (name)
-                               free(name);
-                       fclose(f);
-                       return -1;
-               }
-
-               mapping.items[mapping.nitems].principal = name;
-               mapping.items[mapping.nitems].nid = nid;
-               mapping.items[mapping.nitems].uid = dest_uid;
-               mapping.nitems++;
-               printerr(LL_WARN, "add mapping: %s(%s/0x%llx) ==> %d\n",
-                        name, nid_str, nid, dest_uid);
-       }
-
-       fclose(f);
-       return 0;
-}
-
-static inline int mapping_changed(void)
-{
-       struct stat st;
-
-       if (stat(MAPPING_DATABASE_FILE, &st) == -1) {
-               /* stat failed, treat it like doesn't exist or be removed */
-               if (mapping_mtime == 0)
-                       return 0;
-
-               printerr(LL_ERR, "stat %s failed: %s\n",
-                        MAPPING_DATABASE_FILE, strerror(errno));
-
-               mapping_mtime = 0;
-               return 1;
-       }
-       printerr(LL_WARN,
-                "Use of idmap.conf is deprecated.\nPlease consider switching to auth_to_local or equivalent as provided by Kerberos for cross-realm trust remapping.\n");
-
-       if (st.st_mtime != mapping_mtime) {
-               mapping_mtime = st.st_mtime;
-               return 1;
-       }
-
-       return 0;
-}
-
-void load_mapping(void)
-{
-       if (mapping_changed())
-               (void)read_mapping_db();
-}
-
-int mapping_empty(void)
-{
-       return !mapping.nitems;
-}
-
-int lookup_mapping(char *princ, lnet_nid_t nid, uid_t *uid)
-{
-       int n;
-
-       *uid = -1;
-
-       /* FIXME race condition here */
-       if (mapping_changed()) {
-               if (read_mapping_db())
-                       printerr(LL_ERR, "all remote users will be denied\n");
-       }
-
-       for (n = 0; n < mapping.nitems; n++) {
-               struct user_map_item *entry = &mapping.items[n];
-
-               if (entry->nid != LNET_NID_ANY && entry->nid != nid)
-                       continue;
-               if (!entry->principal || !strcasecmp(entry->principal, princ)) {
-                       printerr(LL_WARN, "found mapping: %s ==> %d\n",
-                                princ, entry->uid);
-                       *uid = entry->uid;
-                       return 0;
-               }
-       }
-
-       printerr(LL_INFO, "no mapping for %s/%#Lx\n", princ, nid);
-       return -1;
-}
-
 /* realm of this node */
 char *krb5_this_realm;
 
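Review bot: parse_uid, whose tail is the context at the top of this hunk and which lsupport.h keeps exporting, loses read_mapping_db, the only caller of it visible in this diff; if no other caller remains in the tree, the function and its header declaration should be dropped in the same change rather than linger as an exported helper. This hunk also removes the only visible users of stat(), strerror() and errno in lsupport.c, so the corresponding includes may now be unused as well — a build with -Wall would confirm either way. The body of parse_uid begins in the previous hunk, outside this one.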
index 6d565f8..e4a3c03 100644 (file)
@@ -102,15 +102,10 @@ struct lgssd_upcall_data {
 #define GSSD_INTERFACE_VERSION_V1       (1)
 
 #define GSSD_DEFAULT_GETHOSTNAME_EX     "/etc/lustre/nid2hostname"
-#define MAPPING_DATABASE_FILE           "/etc/lustre/idmap.conf"
 
 int getcanonname(const char *host, char *buf, int buflen);
 int lnet_nid2hostname(lnet_nid_t nid, char *buf, int buflen);
-void cleanup_mapping(void);
 uid_t parse_uid(char *uidstr);
-void load_mapping(void);
-int mapping_empty(void);
-int lookup_mapping(char *princ, lnet_nid_t nid, uid_t *uid);
 int gss_get_realm(char *realm);
 
 /*
index 4711a49..d92288d 100644 (file)
@@ -171,8 +171,6 @@ release_parent()
 static void
 sig_die(int signal)
 {
-       /* destroy krb5 machine creds */
-       cleanup_mapping();
        /* cleanup allocated strings for realms */
        gssd_cleanup_realms();
        /* remove socket */
@@ -351,7 +349,6 @@ err_krb:
        gssd_init_unique(GSSD_SVC);
 
        svcgssd_run();
-       cleanup_mapping();
        gssd_cleanup_realms();
        printerr(LL_ERR, "svcgssd_run returned!\n");
        abort();
index c3a0a4c..777cdb2 100644 (file)
@@ -98,9 +98,6 @@ void svcgssd_run(void)
                printerr(LL_WARN,
                         "will use default number of rounds for prime testing\n");
 #endif
-       } else {
-               /* For krb, preload mapping table if any */
-               load_mapping();
        }
 
 again:
index 3aa2d19..5250f0e 100644 (file)
@@ -309,9 +309,6 @@ free:
 static int lookup_id(gss_name_t client_name, char *princ, lnet_nid_t nid,
                     uid_t *uid)
 {
-       if (!mapping_empty())
-               return lookup_mapping(princ, nid, uid);
-
        return lookup_localname(client_name, princ, nid, uid);
 }