git://git.whamcloud.com - fs/lustre-release.git/commit

author	Sebastien Buisson <sbuisson@ddn.com>
	Thu, 7 Sep 2023 07:28:45 +0000 (09:28 +0200)
committer	Andreas Dilger <adilger@whamcloud.com>
	Sat, 14 Oct 2023 10:48:14 +0000 (10:48 +0000)
commit	4daf43ac3c2da018d3f3aa493ccfeec6d55218f9
tree	f6f8ef858e07e7e822491011f923d75e1fb34d04	tree \| snapshot
parent	4515e5365fef9c5abcb37eaad69e870b72986398	commit \| diff

LU-17015 gss: support large kerberos token for rpc sec init

If the current Kerberos setup is using large token, like when PAC
feature is enabled for Kerberos, authentication can fail due to server
side unable to exchange token between kernel and userspace.
This limitation is inherent to the sunrpc cache mechanism, that can
only handle tokens up to PAGE_SIZE.

For RPC sec init phase, use Lustre's upcall cache mechanism
instead of deprecated kernel's sunrpc cache. The upcall calls a new
userspace command 'l_getauth', that fowards the sec init request to
the lsvcgssd daemon via Unix domain sockets.

Lustre-change: https://review.whamcloud.com/52224
Lustre-commit: TBD (from 8acd059ee2b8d1e4c48c3d9dbb380bca75e1b3be)

Test-Parameters: kerberos=true testlist=sanity-krb5
Change-Id: I709cd79894a5a13fc4cdfab2109c86f2230db3b8
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-on: https://review.whamcloud.com/c/ex/lustre-release/+/52653
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>

libcfs/libcfs/crypto/fname.c		diff \| blob \| history
libcfs/libcfs/crypto/llcrypt_private.h		diff \| blob \| history
lustre/include/lustre_sec.h		diff \| blob \| history
lustre/include/uapi/linux/lustre/lgss.h		diff \| blob \| history
lustre/include/uapi/linux/lustre/lustre_disk.h		diff \| blob \| history
lustre/include/uapi/linux/lustre/lustre_idl.h		diff \| blob \| history
lustre/include/upcall_cache.h		diff \| blob \| history
lustre/obdclass/Makefile.in		diff \| blob \| history
lustre/obdclass/upcall_cache.c		diff \| blob \| history
lustre/ptlrpc/gss/gss_api.h		diff \| blob \| history
lustre/ptlrpc/gss/gss_internal.h		diff \| blob \| history
lustre/ptlrpc/gss/gss_svc_upcall.c		diff \| blob \| history
lustre/ptlrpc/gss/lproc_gss.c		diff \| blob \| history
lustre/ptlrpc/wiretest.c		diff \| blob \| history
lustre/tests/sanity-sec.sh		diff \| blob \| history
lustre/tests/test-framework.sh		diff \| blob \| history
lustre/utils/gss/.gitignore		diff \| blob \| history
lustre/utils/gss/Makefile.am		diff \| blob \| history
lustre/utils/gss/l_getauth.c	[new file with mode: 0644]	blob
lustre/utils/gss/lsupport.h		diff \| blob \| history
lustre/utils/gss/svcgssd.c		diff \| blob \| history
lustre/utils/gss/svcgssd.h		diff \| blob \| history
lustre/utils/gss/svcgssd_main_loop.c		diff \| blob \| history
lustre/utils/gss/svcgssd_proc.c		diff \| blob \| history
lustre/utils/wirecheck.c		diff \| blob \| history
lustre/utils/wiretest.c		diff \| blob \| history