From d83be78be789f1d0b04301cd088fb30deeed9b0a Mon Sep 17 00:00:00 2001
From: Sebastien Buisson
Date: Tue, 11 Jun 2024 12:40:26 +0200
Subject: [PATCH] LU-17930 gss: node principal expectations

When a credentials cache exists for Kerberos, lgss_keyring looks into it to find a valid entry. The cache's principal must match the expected role for the GSS request being processed:
- LGSS_ROOT_CRED_MDT: expect "lustre_mds" principal;
- LGSS_ROOT_CRED_OST: expect "lustre_oss" principal;
- LGSS_ROOT_CRED_ROOT: expect "lustre_root" or "host" principal.
And there is the special case of the GSS request on the MGC, for which by convention all 3 roles are applied at the same time.

Test-Parameters: trivial
Test-Parameters: kerberos=true testlist=sanity-krb5
Signed-off-by: Sebastien Buisson
Change-Id: I4c46b03bb012c5f56bd26efdfaa6dab5fc7de31a
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/55392
Tested-by: jenkins
Tested-by: Maloo
Reviewed-by: Andreas Dilger
Reviewed-by: Aurelien Degremont
Reviewed-by: Oleg Drokin
---
 lustre/utils/gss/lgss_krb5_utils.c | 58 +++++++++++++++++++++++++++-----------
 1 file changed, 42 insertions(+), 16 deletions(-)

diff --git a/lustre/utils/gss/lgss_krb5_utils.c b/lustre/utils/gss/lgss_krb5_utils.c
index bf58d17..5af8e6f 100644
--- a/lustre/utils/gss/lgss_krb5_utils.c
+++ b/lustre/utils/gss/lgss_krb5_utils.c
@@ -233,7 +233,7 @@ static int lkrb5_cc_check_tgt_princ(krb5_context ctx,
 unsigned int flag,
 uint64_t self_nid)
 {
- const char *princ_name;
+ unsigned int cred_type = 0;
 logmsg(LL_DEBUG, "principal: realm %.*s, type %d, size %d, name %.*s\n",
 krb5_princ_realm(ctx, princ)->length,
@@ -259,23 +259,49 @@ static int lkrb5_cc_check_tgt_princ(krb5_context ctx,
 return -1;
 }
- /* check principal name, give priority to MDT/OST cred over ROOT */
- if (flag & LGSS_ROOT_CRED_MDT)
- princ_name = LGSS_SVC_MDS_STR;
- else if (flag & LGSS_ROOT_CRED_OST)
- princ_name = LGSS_SVC_OSS_STR;
- else if (flag & LGSS_ROOT_CRED_ROOT)
- princ_name = LGSS_USR_ROOT_STR;
- else
- return -1;
-
- if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ), princ_name) &&
- (strcmp(princ_name, LGSS_USR_ROOT_STR) ||
- lgss_krb5_strcmp(krb5_princ_name(ctx, princ), LGSS_SVC_HOST_STR))) {
- logmsg(LL_WARN, "%.*s: we expect %s instead\n",
+ /* check principal name against flag for cred type */
+ if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ),
+ LGSS_SVC_HOST_STR) == 0 ||
+ lgss_krb5_strcmp(krb5_princ_name(ctx, princ),
+ LGSS_USR_ROOT_STR) == 0)
+ cred_type = LGSS_ROOT_CRED_ROOT;
+ else if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ),
+ LGSS_SVC_MGS_STR) == 0)
+ cred_type = LGSS_ROOT_CRED_ROOT |
+ LGSS_ROOT_CRED_MDT |
+ LGSS_ROOT_CRED_OST;
+ else if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ),
+ LGSS_SVC_MDS_STR) == 0)
+ cred_type = LGSS_ROOT_CRED_MDT;
+ else if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ),
+ LGSS_SVC_OSS_STR) == 0)
+ cred_type = LGSS_ROOT_CRED_OST;
+
+ if (!(flag & cred_type)) {
+ char wanted[50];
+ char *buf = wanted;
+
+ if (flag & LGSS_ROOT_CRED_MDT)
+ buf += snprintf(buf, sizeof(wanted) - (buf - wanted),
+ "%s", LGSS_SVC_MDS_STR);
+ if (flag & LGSS_ROOT_CRED_OST)
+ buf += snprintf(buf, sizeof(wanted) - (buf - wanted),
+ "%s%s",
+ buf == wanted ? "" : ",",
+ LGSS_SVC_OSS_STR);
+ if (flag & LGSS_ROOT_CRED_ROOT) {
+ buf += snprintf(buf, sizeof(wanted) - (buf - wanted),
+ "%s%s",
+ buf == wanted ? "" : ",",
+ LGSS_USR_ROOT_STR);
+ snprintf(buf, sizeof(wanted) - (buf - wanted), ",%s",
+ LGSS_SVC_HOST_STR);
+ }
+ logmsg(LL_WARN,
+ "Found in cc principal %.*s, but expecting one of %s instead\n",
 krb5_princ_name(ctx, princ)->length,
 krb5_princ_name(ctx, princ)->data,
- princ_name);
+ wanted);
 return -1;
 }
-- 
1.8.3.1