From 6979d152e9dc384b471a4e01fcef7ca6b674a95b Mon Sep 17 00:00:00 2001
From: Sebastien Buisson
Date: Thu, 5 Jan 2023 15:06:39 +0100
Subject: [PATCH] LU-16445 sec: make nodemap root squash independent of map_mode

When the admin property is set to 0 on a nodemap, the root user must be squashed, even if the map_mode property specifies to not map uids or gids. Enhance sanity-sec test_17 to exercise this use case.

Lustre-change: https://review.whamcloud.com/49561
Lustre-commit: 1335eb1d599ceb6423de6800e0995614cdb37bd8
Signed-off-by: Sebastien Buisson
Change-Id: I1b41caa1ccc6e544ce9fac45b47d0c4c129221f7
Reviewed-by: Andreas Dilger
Reviewed-by: Etienne AUJAMES
Reviewed-on: https://review.whamcloud.com/c/ex/lustre-release/+/49797
Tested-by: jenkins
Tested-by: Maloo
---
 lustre/ptlrpc/nodemap_handler.c | 13 ++++++-------
 lustre/tests/sanity-sec.sh | 9 +++++++++
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/lustre/ptlrpc/nodemap_handler.c b/lustre/ptlrpc/nodemap_handler.c
index 27f7ed7..dea50f7 100644
--- a/lustre/ptlrpc/nodemap_handler.c
+++ b/lustre/ptlrpc/nodemap_handler.c
@@ -670,6 +670,12 @@ __u32 nodemap_map_id(struct lu_nodemap *nodemap,
 if (unlikely(nodemap == NULL))
 goto out;
 
+ if (id == 0) {
+ if (nodemap->nmf_allow_root_access)
+ goto out;
+ goto squash;
+ }
+
 if (id_type == NODEMAP_UID &&
 !(nodemap->nmf_map_mode & NODEMAP_MAP_UID))
 goto out;
@@ -682,13 +688,6 @@ __u32 nodemap_map_id(struct lu_nodemap *nodemap,
 !(nodemap->nmf_map_mode & NODEMAP_MAP_PROJID))
 goto out;
 
- if (id == 0) {
- if (nodemap->nmf_allow_root_access)
- goto out;
- else
- goto squash;
- }
-
 if (nodemap->nmf_trust_client_ids)
 goto out;
 
diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh
index e157203..f12f5d0 100755
--- a/lustre/tests/sanity-sec.sh
+++ b/lustre/tests/sanity-sec.sh
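Review bot: The hoisted `if (id == 0)` test in the first hunk of nodemap_map_id() is not qualified by `id_type`, so now that it runs ahead of the map_mode gates it sends GID 0 and project ID 0 to `squash` as well on any nodemap with admin=0, whatever map_mode says. The commit message speaks only of the root user; if project ID 0 is not meant to be covered, that case needs its own handling after the `NODEMAP_MAP_PROJID` gate rather than sharing this branch. Either way the ordering is the security property of this change and should be pinned with a comment above the block, for example `/* root squash is decided before the map_mode checks: admin=0 applies to id 0 even when this id type is not mapped */`, so a later reorder does not silently reopen the bypass. The function body and the `squash`/`out` labels lie outside the hunk, so what each id type is squashed to cannot be confirmed from this page.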
@@ -1575,6 +1575,9 @@ test_17() {
 [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then
 skip "Need MDS >= 2.11.55"
 fi
+ local check_proj=true
+
+ (( $MDS1_VERSION >= $(version_code 2.14.0.74) )) || check_proj=false
 
 nodemap_version_check || return 0
 nodemap_test_setup
@@ -1582,6 +1585,12 @@ test_17() {
 trap nodemap_test_cleanup EXIT
 nodemap_clients_admin_trusted 0 1
 test_fops trusted_noadmin 1
+ if $check_proj; then
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property map_mode --value projid
+ wait_nm_sync c0 map_mode
+ fi
+ test_fops trusted_noadmin 1
 nodemap_test_cleanup
 }
 run_test 17 "test nodemap trusted_noadmin fileops"
-- 
1.8.3.1
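Review bot: The `do_facet mgs $LCTL nodemap_modify --name c0 ... --value projid` call in the second hunk has no failure check, so if the MGS rejects the property the following `test_fops trusted_noadmin 1` would, as far as this page shows, simply run again under the old map_mode and the regression test for the squash fix would pass without exercising it. Append `|| error "setting map_mode=projid on c0 failed"` to the continuation line `--property map_mode --value projid`. The gate in the first hunk keys on `$MDS1_VERSION` while the command is issued on the mgs facet; whether an MGS version check exists earlier in test_17 is not visible, since the function starts above the hunk. When `check_proj` is false the second `test_fops` only repeats the first, which is worth a one-line comment so the duplicate call is not later removed together with its security coverage.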