EX-9392 sec: add server_upcall rbac role

The purpose of the new server_upcall rbac role is to control whether
clients use the server side defined identity upcall. When set, clients
do comply with the server side identity upcall. When not set, clients
are leveraging the special INTERNAL identity upcall, which means
servers trust supplementary groups as provided by the clients.

Test-Parameters: trivial
Test-Parameters: testgroup=review-dne-part-2
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I01dcedad5da0e175aa7b8d187f2affd34d933e39
Reviewed-on: https://review.whamcloud.com/c/ex/lustre-release/+/54360
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Lai Siyao <lai.siyao@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>

diff --git a/lustre/doc/lctl-nodemap-modify.8 b/lustre/doc/lctl-nodemap-modify.8
index 9ad93a4..f380e3a 100644 (file)
--- a/lustre/doc/lctl-nodemap-modify.8
+++ b/lustre/doc/lctl-nodemap-modify.8
@@ -108,6 +108,10 @@ access to fscrypt metadata.
 .br
 - quota_ops, to allow quota modifications.
 .br
+- server_upcall, to define which identity upcall to use. If set, identity upcall
+is defined by server side tunable. If not set, identity upcall is forced to
+INTERNAL, so that servers trust supplementary groups as provided by clients.
+.br
 Apart from all, any role not explicitly specified is forbidden. And to forbid
 all roles, use 'none' value.
 .RE

diff --git a/lustre/include/lustre_nodemap.h b/lustre/include/lustre_nodemap.h
index 546e076..979bdab 100644 (file)
--- a/lustre/include/lustre_nodemap.h
+++ b/lustre/include/lustre_nodemap.h
@@ -46,6 +46,7 @@ static const struct nodemap_rbac_name {
        { NODEMAP_RBAC_BYFID_OPS,       "byfid_ops"     },
        { NODEMAP_RBAC_CHLG_OPS,        "chlg_ops"      },
        { NODEMAP_RBAC_FSCRYPT_ADMIN,   "fscrypt_admin" },
+       { NODEMAP_RBAC_SERVER_UPCALL,   "server_upcall" },
 };
 
 struct nodemap_pde {

diff --git a/lustre/include/md_object.h b/lustre/include/md_object.h
index 8c8b4b9..cbb3d63 100644 (file)
--- a/lustre/include/md_object.h
+++ b/lustre/include/md_object.h
@@ -742,6 +742,7 @@ struct lu_ucred {
        int                      uc_rbac_byfid_ops:1;
        int                      uc_rbac_chlg_ops:1;
        int                      uc_rbac_fscrypt_admin:1;
+       int                      uc_rbac_server_upcall:1;
 };
 
 struct lu_ucred *lu_ucred(const struct lu_env *env);

diff --git a/lustre/include/uapi/linux/lustre/lustre_idl.h b/lustre/include/uapi/linux/lustre/lustre_idl.h
index 3aa7ae7..0b92d21 100644 (file)
--- a/lustre/include/uapi/linux/lustre/lustre_idl.h
+++ b/lustre/include/uapi/linux/lustre/lustre_idl.h
@@ -3722,12 +3722,14 @@ enum nodemap_rbac_roles {
        NODEMAP_RBAC_BYFID_OPS          = 0x00000008,
        NODEMAP_RBAC_CHLG_OPS           = 0x00000010,
        NODEMAP_RBAC_FSCRYPT_ADMIN      = 0x00000020,
+       NODEMAP_RBAC_SERVER_UPCALL      = 0x00000040,
        NODEMAP_RBAC_NONE       = (__u32)~(NODEMAP_RBAC_FILE_PERMS      |
                                           NODEMAP_RBAC_DNE_OPS |
                                           NODEMAP_RBAC_QUOTA_OPS       |
                                           NODEMAP_RBAC_BYFID_OPS       |
                                           NODEMAP_RBAC_CHLG_OPS        |
-                                          NODEMAP_RBAC_FSCRYPT_ADMIN),
+                                          NODEMAP_RBAC_FSCRYPT_ADMIN   |
+                                          NODEMAP_RBAC_SERVER_UPCALL),
        NODEMAP_RBAC_ALL        = 0xFFFFFFFF, /* future caps ON by default */
 };
 

diff --git a/lustre/mdt/mdt_coordinator.c b/lustre/mdt/mdt_coordinator.c
index 159ada9..8e7014c 100644 (file)
--- a/lustre/mdt/mdt_coordinator.c
+++ b/lustre/mdt/mdt_coordinator.c
@@ -1012,6 +1012,7 @@ int hsm_init_ucred(struct lu_ucred *uc)
        uc->uc_rbac_byfid_ops = 1;
        uc->uc_rbac_chlg_ops = 1;
        uc->uc_rbac_fscrypt_admin = 1;
+       uc->uc_rbac_server_upcall = 1;
 
        RETURN(0);
 }

diff --git a/lustre/mdt/mdt_handler.c b/lustre/mdt/mdt_handler.c
index c46efc0..2a9db61 100644 (file)
--- a/lustre/mdt/mdt_handler.c
+++ b/lustre/mdt/mdt_handler.c
@@ -6777,6 +6777,7 @@ static int mdt_ctxt_add_dirty_flag(struct lu_env *env,
        mdt_ucred(info)->uc_rbac_byfid_ops = 1;
        mdt_ucred(info)->uc_rbac_chlg_ops = 1;
        mdt_ucred(info)->uc_rbac_fscrypt_admin = 1;
+       mdt_ucred(info)->uc_rbac_server_upcall = 1;
        rc = mdt_add_dirty_flag(info, mfd->mfd_object, &info->mti_attr);
 
        lu_context_exit(&ses);

diff --git a/lustre/mdt/mdt_lib.c b/lustre/mdt/mdt_lib.c
index 4dce873..1198ca2 100644 (file)
--- a/lustre/mdt/mdt_lib.c
+++ b/lustre/mdt/mdt_lib.c
@@ -189,6 +189,7 @@ static void ucred_set_rbac_roles(struct mdt_thread_info *info,
        uc->uc_rbac_byfid_ops = !!(rbac & NODEMAP_RBAC_BYFID_OPS);
        uc->uc_rbac_chlg_ops = !!(rbac & NODEMAP_RBAC_CHLG_OPS);
        uc->uc_rbac_fscrypt_admin = !!(rbac & NODEMAP_RBAC_FSCRYPT_ADMIN);
+       uc->uc_rbac_server_upcall = !!(rbac & NODEMAP_RBAC_SERVER_UPCALL);
 }
 
 static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,

diff --git a/lustre/mdt/mdt_restripe.c b/lustre/mdt/mdt_restripe.c
index 0d16db2..4030db7 100644 (file)
--- a/lustre/mdt/mdt_restripe.c
+++ b/lustre/mdt/mdt_restripe.c
@@ -942,6 +942,7 @@ int mdt_restriper_start(struct mdt_device *mdt)
        uc->uc_rbac_byfid_ops = 1;
        uc->uc_rbac_chlg_ops = 1;
        uc->uc_rbac_fscrypt_admin = 1;
+       uc->uc_rbac_server_upcall = 1;
 
        task = kthread_create(mdt_restriper_main, info, "mdt_restriper_%03d",
                              mdt_seq_site(mdt)->ss_node_id);

diff --git a/lustre/obdecho/echo_client.c b/lustre/obdecho/echo_client.c
index 2bb4836..8da914c 100644 (file)
--- a/lustre/obdecho/echo_client.c
+++ b/lustre/obdecho/echo_client.c
@@ -1840,6 +1840,7 @@ static void echo_ucred_init(struct lu_env *env)
        ucred->uc_rbac_byfid_ops = 1;
        ucred->uc_rbac_chlg_ops = 1;
        ucred->uc_rbac_fscrypt_admin = 1;
+       ucred->uc_rbac_server_upcall = 1;
 }
 
 static void echo_ucred_fini(struct lu_env *env)

diff --git a/lustre/ptlrpc/wiretest.c b/lustre/ptlrpc/wiretest.c
index 046e83d..875968d 100644 (file)
--- a/lustre/ptlrpc/wiretest.c
+++ b/lustre/ptlrpc/wiretest.c
@@ -6036,7 +6036,9 @@ void lustre_assert_wire_constants(void)
                (unsigned)NODEMAP_RBAC_CHLG_OPS);
        LASSERTF(NODEMAP_RBAC_FSCRYPT_ADMIN == 0x00000020UL, "found 0x%.8xUL\n",
                (unsigned)NODEMAP_RBAC_FSCRYPT_ADMIN);
-       LASSERTF(NODEMAP_RBAC_NONE == 0xffffffc0UL, "found 0x%.8xUL\n",
+       LASSERTF(NODEMAP_RBAC_SERVER_UPCALL == 0x00000040UL, "found 0x%.8xUL\n",
+                (unsigned)NODEMAP_RBAC_SERVER_UPCALL);
+       LASSERTF(NODEMAP_RBAC_NONE == 0xffffff80UL, "found 0x%.8xUL\n",
                (unsigned)NODEMAP_RBAC_NONE);
        LASSERTF(NODEMAP_RBAC_ALL == 0xffffffffUL, "found 0x%.8xUL\n",
                (unsigned)NODEMAP_RBAC_ALL);

diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh
index e0c914b..5d07547 100755 (executable)
--- a/lustre/tests/sanity-sec.sh
+++ b/lustre/tests/sanity-sec.sh
@@ -5760,6 +5760,7 @@ test_64a() {
                    byfid_ops \
                    chlg_ops \
                    fscrypt_admin \
+                   server_upcall \
                    ;
        do
                [[ "$rbac" =~ "$role" ]] ||

diff --git a/lustre/utils/wirecheck.c b/lustre/utils/wirecheck.c
index f53fec8..245a368 100644 (file)
--- a/lustre/utils/wirecheck.c
+++ b/lustre/utils/wirecheck.c
@@ -2835,6 +2835,7 @@ static void check_nodemap_key(void)
        CHECK_VALUE_X(NODEMAP_RBAC_BYFID_OPS);
        CHECK_VALUE_X(NODEMAP_RBAC_CHLG_OPS);
        CHECK_VALUE_X(NODEMAP_RBAC_FSCRYPT_ADMIN);
+       CHECK_VALUE_X(NODEMAP_RBAC_SERVER_UPCALL);
        CHECK_VALUE_X(NODEMAP_RBAC_NONE);
        CHECK_VALUE_X(NODEMAP_RBAC_ALL);
 }

diff --git a/lustre/utils/wiretest.c b/lustre/utils/wiretest.c
index 7a5d39e..a3e8108 100644 (file)
--- a/lustre/utils/wiretest.c
+++ b/lustre/utils/wiretest.c
@@ -6071,7 +6071,9 @@ void lustre_assert_wire_constants(void)
                (unsigned)NODEMAP_RBAC_CHLG_OPS);
        LASSERTF(NODEMAP_RBAC_FSCRYPT_ADMIN == 0x00000020UL, "found 0x%.8xUL\n",
                (unsigned)NODEMAP_RBAC_FSCRYPT_ADMIN);
-       LASSERTF(NODEMAP_RBAC_NONE == 0xffffffc0UL, "found 0x%.8xUL\n",
+       LASSERTF(NODEMAP_RBAC_SERVER_UPCALL == 0x00000040UL, "found 0x%.8xUL\n",
+                (unsigned)NODEMAP_RBAC_SERVER_UPCALL);
+       LASSERTF(NODEMAP_RBAC_NONE == 0xffffff80UL, "found 0x%.8xUL\n",
                (unsigned)NODEMAP_RBAC_NONE);
        LASSERTF(NODEMAP_RBAC_ALL == 0xffffffffUL, "found 0x%.8xUL\n",
                (unsigned)NODEMAP_RBAC_ALL);