From 4b96af4a8f003c6aed4f283d9405eca7035e6d7c Mon Sep 17 00:00:00 2001 From: Sebastien Buisson Date: Fri, 4 Mar 2022 16:45:59 +0100 Subject: [PATCH] LU-13343 gss: no sec flavor on loopback connection When using a local client, i.e. a client mounted on a server node, there is no benefit from a security standpoint to enforce an SSK or KRB flavor, since the data does not go over the network. So force the 'null' security flavor for connections on 0@lo, independently of the currently defined srpc flavor. Lustre-change: https://review.whamcloud.com/46704 Lustre-commit: e3e91ea95fd96a5eafc598e3812390b4cbac05c3 Signed-off-by: Sebastien Buisson Change-Id: If25d69bb1e67735cb0544ca954e49175f7471248 Reviewed-by: Aurelien Degremont Reviewed-by: Andreas Dilger Reviewed-by: James Simmons Reviewed-on: https://review.whamcloud.com/c/ex/lustre-release/+/51610 Tested-by: jenkins Tested-by: Maloo --- lustre/lmv/lmv_obd.c | 1 + lustre/lov/lov_obd.c | 59 ++++++++++++++++++++++-------------------- lustre/ptlrpc/sec_config.c | 4 +++ lustre/tests/recovery-small.sh | 6 ----- lustre/tests/test-framework.sh | 6 +++++ 5 files changed, 42 insertions(+), 34 deletions(-) diff --git a/lustre/lmv/lmv_obd.c b/lustre/lmv/lmv_obd.c index 11a65f8..ec77710 100644 --- a/lustre/lmv/lmv_obd.c +++ b/lustre/lmv/lmv_obd.c @@ -482,6 +482,7 @@ out_disc: continue; --lmv->lmv_mdt_descs.ltd_lmv_desc.ld_active_tgt_count; + obd_register_observer(tgt->ltd_exp->exp_obd, NULL); obd_disconnect(tgt->ltd_exp); } diff --git a/lustre/lov/lov_obd.c b/lustre/lov/lov_obd.c index 5d325c8..670993a 100644 --- a/lustre/lov/lov_obd.c +++ b/lustre/lov/lov_obd.c 
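Review bot: The added `obd_register_observer(tgt->ltd_exp->exp_obd, NULL);` in the `out_disc` unwind loop has no comment, and the commit message only discusses the loopback flavor, so the reason for clearing the observer is left to the reader. A short comment would help, for example `/* unlink the observer before disconnect so the target cannot call back into this lmv during unwind */` (intent inferred, please confirm). The call also dereferences `tgt->ltd_exp`, which the preceding `continue` presumably guards, but that condition is outside the hunk.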
@@ -126,24 +126,26 @@ int lov_connect_osc(struct obd_device *obd, u32 index, int activate, if (lov->lov_tgts[index] == NULL) RETURN(-EINVAL); - tgt_uuid = &lov->lov_tgts[index]->ltd_uuid; - tgt_obd = lov->lov_tgts[index]->ltd_obd; + tgt_uuid = &lov->lov_tgts[index]->ltd_uuid; + tgt_obd = lov->lov_tgts[index]->ltd_obd; - if (!tgt_obd->obd_set_up) { - CERROR("Target %s not set up\n", obd_uuid2str(tgt_uuid)); - RETURN(-EINVAL); - } + if (!tgt_obd->obd_set_up) { + rc = -EINVAL; + CERROR("%s: target not set up: rc = %d\n", + obd_uuid2str(tgt_uuid), rc); + RETURN(rc); + } - /* override the sp_me from lov */ - tgt_obd->u.cli.cl_sp_me = lov->lov_sp_me; + /* override the sp_me from lov */ + tgt_obd->u.cli.cl_sp_me = lov->lov_sp_me; - if (data && (data->ocd_connect_flags & OBD_CONNECT_INDEX)) - data->ocd_index = index; + if (data && (data->ocd_connect_flags & OBD_CONNECT_INDEX)) + data->ocd_index = index; - /* - * Divine LOV knows that OBDs under it are OSCs. - */ - imp = tgt_obd->u.cli.cl_import; + /* + * Divine LOV knows that OBDs under it are OSCs. + */ + imp = tgt_obd->u.cli.cl_import; if (activate) { tgt_obd->obd_no_recov = 0; @@ -152,12 +154,12 @@ int lov_connect_osc(struct obd_device *obd, u32 index, int activate, ptlrpc_activate_import(imp, false); } - rc = obd_register_observer(tgt_obd, obd); - if (rc) { - CERROR("Target %s register_observer error %d\n", - obd_uuid2str(tgt_uuid), rc); - RETURN(rc); - } + rc = obd_register_observer(tgt_obd, obd); + if (rc) { + CERROR("%s: target register_observer error: rc = %d\n", + obd_uuid2str(tgt_uuid), rc); + RETURN(rc); + } if (imp->imp_invalid) { CDEBUG(D_CONFIG, "%s: not connecting - administratively disabled\n", 
@@ -167,16 +169,17 @@ int lov_connect_osc(struct obd_device *obd, u32 index, int activate, rc = obd_connect(NULL, &lov->lov_tgts[index]->ltd_exp, tgt_obd, &lov_osc_uuid, data, lov->lov_cache); - if (rc || !lov->lov_tgts[index]->ltd_exp) { - CERROR("Target %s connect error %d\n", - obd_uuid2str(tgt_uuid), rc); - RETURN(-ENODEV); - } + if (rc || !lov->lov_tgts[index]->ltd_exp) { + CERROR("%s: target connect error: rc = %d\n", + obd_uuid2str(tgt_uuid), rc); + obd_register_observer(tgt_obd, NULL); + RETURN(-ENODEV); + } - lov->lov_tgts[index]->ltd_reap = 0; + lov->lov_tgts[index]->ltd_reap = 0; - CDEBUG(D_CONFIG, "Connected tgt idx %d %s (%s) %sactive\n", index, - obd_uuid2str(tgt_uuid), tgt_obd->obd_name, activate ? "":"in"); + CDEBUG(D_CONFIG, "Connected tgt idx %d %s (%s) %sactive\n", index, + obd_uuid2str(tgt_uuid), tgt_obd->obd_name, activate ? "":"in"); if (lov->lov_tgts_kobj) { /* Even if we failed, that's ok */ diff --git a/lustre/ptlrpc/sec_config.c b/lustre/ptlrpc/sec_config.c index 22a230e..8f592a3 100644 --- a/lustre/ptlrpc/sec_config.c +++ b/lustre/ptlrpc/sec_config.c @@ -404,6 +404,10 @@ int sptlrpc_rule_set_choose(struct sptlrpc_rule_set *rset, struct sptlrpc_rule *r; int n; + if (nid == LNET_NID_LO_0) + /* do not enforce any sec flavor on loopback connection */ + return 0; + for (n = 0; n < rset->srs_nrule; n++) { r = &rset->srs_rules[n]; diff --git a/lustre/tests/recovery-small.sh b/lustre/tests/recovery-small.sh index c34b328..cb16603 100755 --- a/lustre/tests/recovery-small.sh +++ b/lustre/tests/recovery-small.sh @@ -2950,9 +2950,6 @@ test_140a() { [ $MDS1_VERSION -lt $(version_code 2.12.58) ] && skip "Need MDS version at least 2.13.50" - [ "$SHARED_KEY" = true ] && - skip "server local client incompatible with SSK keys installed" - slr=$(do_facet mds1 \ $LCTL get_param -n mdt.$FSNAME-MDT0000.local_recovery) stack_trap "do_facet mds1 $LCTL set_param \ 
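Review bot: In the connect-failure branch of lov_connect_osc() the new message prints `rc = %d`, but the branch is also taken when `rc` is 0 and `ltd_exp` is NULL, so the log can report `rc = 0` for a failure. The function returns `-ENODEV` either way. Normalising the value before the CERROR keeps the log and the return consistent, e.g. `rc = rc ?: -ENODEV;`. The function body starts and ends outside the hunk.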
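Review bot: The early `return 0` for `nid == LNET_NID_LO_0` in sptlrpc_rule_set_choose() bypasses every configured flavor rule, so its safety rests on an invariant the code does not state: that this NID value can only describe a connection that never leaves the node. Where `nid` originates is outside the hunk, so it should be confirmed that no caller passes a value a remote peer can influence. I would expand the comment along the lines of `/* 0@lo is only assigned by the local LNet stack, never taken from the wire, so skipping the rules cannot downgrade a remote peer */` and add a trace such as `CDEBUG(D_SEC, "loopback nid: flavor rules skipped\n");` so the bypass is visible when auditing a node. The output flavor argument is also left unwritten on this path, which presumably matches the existing no-rule-matched return, but the rest of the function is outside the hunk.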
@@ -2987,9 +2984,6 @@ test_140b() { [ $MDS1_VERSION -lt $(version_code 2.12.58) ] && skip "Need MDS version at least 2.13.50" - [ "$SHARED_KEY" = true ] && - skip "server local client incompatible with SSK keys installed" - slr=$(do_facet mds1 \ $LCTL get_param -n mdt.$FSNAME-MDT0000.local_recovery) stack_trap "do_facet mds1 $LCTL set_param \ diff --git a/lustre/tests/test-framework.sh b/lustre/tests/test-framework.sh index 9db7850..a0c7912 100755 --- a/lustre/tests/test-framework.sh +++ b/lustre/tests/test-framework.sh @@ -1138,6 +1138,12 @@ init_gss() { $SK_PATH/$FSNAME.key >/dev/null 2>&1" do_nodes $clients "find $SK_PATH/nodemap -name \*.key | \ xargs -IX lgss_sk -t client -m X >/dev/null 2>&1" + # also have a client key available on server side, + # for local client mount + do_nodes $(comma_list $(all_server_nodes)) \ + "cp $SK_PATH/$FSNAME.key $SK_PATH/${FSNAME}_cli.key && \ + lgss_sk -t client -m \ + $SK_PATH/${FSNAME}_cli.key >/dev/null 2>&1" fi # This is required for servers as well, if S2S in use if $SK_S2S; then -- 1.8.3.1
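Review bot: The new server-side step in init_gss writes a second copy of the shared key to `$SK_PATH/${FSNAME}_cli.key` and then discards both the output and the exit status of `lgss_sk`, so a node where the client key fails to load is only noticed later as a failed local mount. Consider checking the `do_nodes` result, e.g. by appending `|| error "loading client key on servers failed"`. Whether teardown removes the `_cli.key` copy is not visible here. If cleanup matches only the original key name, key material would be left on the servers after the run. init_gss continues outside the hunk.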