From: Sebastien Buisson Date: Thu, 5 Jan 2023 14:06:39 +0000 (+0100) Subject: LU-16445 sec: make nodemap root squash independent of map_mode X-Git-Tag: 2.15.54~49 X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=1335eb1d599ceb6423de6800e0995614cdb37bd8;p=fs%2Flustre-release.git LU-16445 sec: make nodemap root squash independent of map_mode When the admin property is set to 0 on a nodemap, the root user must be squashed, even if the map_mode property specifies to not map uids or gids. Enhance sanity-sec test_17 to exercise this use case. Signed-off-by: Sebastien Buisson Change-Id: I1b41caa1ccc6e544ce9fac45b47d0c4c129221f7 Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/49561 Tested-by: jenkins Tested-by: Maloo Reviewed-by: Andreas Dilger Reviewed-by: Etienne AUJAMES Reviewed-by: Oleg Drokin
---
diff --git a/lustre/ptlrpc/nodemap_handler.c b/lustre/ptlrpc/nodemap_handler.c
index ec1008a..58f1046 100644
--- a/lustre/ptlrpc/nodemap_handler.c
+++ b/lustre/ptlrpc/nodemap_handler.c
@@ -669,6 +669,12 @@ __u32 nodemap_map_id(struct lu_nodemap *nodemap,
 if (unlikely(nodemap == NULL))
 goto out;
+ if (id == 0) {
+ if (nodemap->nmf_allow_root_access)
+ goto out;
+ goto squash;
+ }
+
 if (id_type == NODEMAP_UID &&
 !(nodemap->nmf_map_mode & NODEMAP_MAP_UID))
 goto out;
@@ -681,13 +687,6 @@ __u32 nodemap_map_id(struct lu_nodemap *nodemap,
 !(nodemap->nmf_map_mode & NODEMAP_MAP_PROJID))
 goto out;
- if (id == 0) {
- if (nodemap->nmf_allow_root_access)
- goto out;
- else
- goto squash;
- }
-
 if (nodemap->nmf_trust_client_ids)
 goto out;
diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh
index b0e74db..ad53adb 100755
--- a/lustre/tests/sanity-sec.sh
+++ b/lustre/tests/sanity-sec.sh
@@ -1576,6 +1576,9 @@ test_17() {
 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
 skip "Need MDS >= 2.11.55"
 fi
+ local check_proj=true
+
+ (( $MDS1_VERSION >= $(version_code 2.14.52) )) || check_proj=false
 nodemap_version_check || return 0
 nodemap_test_setup
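Review bot: The relocated `if (id == 0)` block in nodemap_map_id() now runs before every id_type/map_mode check, so it also catches NODEMAP_PROJID with project ID 0, not only root's uid and gid. With admin off and a map_mode that excludes projid, project 0 previously left through `out` unchanged and now goes to `squash`; what it becomes there depends on the code at that label, which is outside this hunk. If this is intended, a comment above the block would record it, e.g. `/* id 0 is squashed for every id_type when admin is off, independent of map_mode */`. If only root's uid and gid are meant to be affected, the condition would presumably need to exclude NODEMAP_PROJID; please confirm which is wanted.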
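Review bot: The gate `(( $MDS1_VERSION >= $(version_code 2.14.52) )) || check_proj=false` in test_17 appears to key on the release that accepts `--value projid` for map_mode, not on the release that carries this server-side fix (the commit is tagged 2.15.54~49). In interop runs against an MDS at or above 2.14.52 that lacks the nodemap_map_id() change, the projid-only pass would be expected to fail because root is not squashed there. Consider gating on the first version that contains the fix, e.g. `(( $MDS1_VERSION >= $(version_code <VERSION_WITH_THIS_FIX>) )) || check_proj=false`, with a short comment giving the reason.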
@@ -1583,6 +1586,12 @@ test_17() {
 trap nodemap_test_cleanup EXIT
 nodemap_clients_admin_trusted 0 1
 test_fops trusted_noadmin 1
+ if $check_proj; then
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property map_mode --value projid
+ wait_nm_sync c0 map_mode
+ fi
+ test_fops trusted_noadmin 1
 nodemap_test_cleanup
 }
 run_test 17 "test nodemap trusted_noadmin fileops"
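Review bot: The second `test_fops trusted_noadmin 1` sits after the `fi`, so when `check_proj` is false the test only repeats the first run against an unchanged nodemap. Moving that call inside the `if $check_proj; then` block keeps the extra pass for the case it is meant to cover and avoids the duplicate run on older servers. A comment above the block, such as `# root must stay squashed even when map_mode no longer maps uid/gid`, would also record what the second pass is checking.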