From 5bf6be3f9a7ad475ff3d7d8255ee54f95c7832b2 Mon Sep 17 00:00:00 2001
From: Sebastien Buisson
Date: Mon, 6 Jan 2025 17:12:56 +0100
Subject: [PATCH] LU-18591 sec: remove support for idmap.conf

Patch "LU-16630 sec: improve Kerberos cross-realm trust remapping" added a warning message that idmap.conf is deprecated. With this patch, we go one step further and remove support for idmap.conf. This means l_idmap is also removed. Cross-realm trust remapping should be carried out via a mechanism provided by Kerberos, such as auth_to_local or equivalent.

Test-Parameters: trivial
Test-Parameters: kerberos=true testlist=sanity-krb5
Signed-off-by: Sebastien Buisson
Change-Id: I0ab2f3a12d47f55756094043b0ec2b19d8634de1
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/57651
Reviewed-by: Andreas Dilger
Reviewed-by: Aurelien Degremont
Reviewed-by: Oleg Drokin
Tested-by: jenkins
Tested-by: Maloo
---
 lustre/utils/gss/.gitignore | 1 -
 lustre/utils/gss/Makefile.am | 11 +-
 lustre/utils/gss/l_idmap.c | 39 ------
 lustre/utils/gss/lsupport.c | 211 -----------------------------------
 lustre/utils/gss/lsupport.h | 5 -
 lustre/utils/gss/svcgssd.c | 3 -
 lustre/utils/gss/svcgssd_main_loop.c | 3 -
 lustre/utils/gss/svcgssd_proc.c | 3 -
 8 files changed, 1 insertion(+), 275 deletions(-)
 delete mode 100644 lustre/utils/gss/l_idmap.c

diff --git a/lustre/utils/gss/.gitignore b/lustre/utils/gss/.gitignore
index a28ef0b..96c9afd 100644
--- a/lustre/utils/gss/.gitignore
+++ b/lustre/utils/gss/.gitignore
@@ -1,6 +1,5 @@
 /Makefile.in
 /lsvcgssd
-/l_idmap
 /lgss_keyring
 /lgss_sk
 /l_getauth
diff --git a/lustre/utils/gss/Makefile.am b/lustre/utils/gss/Makefile.am
index da3566d..c57b552 100644
--- a/lustre/utils/gss/Makefile.am
+++ b/lustre/utils/gss/Makefile.am
@@ -4,7 +4,7 @@ AM_CFLAGS := -fPIC \
 -D_LARGEFILE64_SOURCE=1 -D_FILE_OFFSET_BITS=64 -DLUSTRE_UTILS=1 \
 -D_GNU_SOURCE
-sbin_PROGRAMS = l_idmap
+sbin_PROGRAMS =
 if GSS_KEYRING
 sbin_PROGRAMS += lsvcgssd lgss_keyring l_getauth
@@ -50,15 +50,6 @@ if GSS_SSK
 lsvcgssd_LDADD += -lcrypto -lssl
 endif
-l_idmap_SOURCES = \
- l_idmap.c \
- lsupport.c \
- err_util.c \
- \
- lsupport.h
-
-l_idmap_LDADD = $(top_builddir)/lustre/utils/liblustreapi.la $(KRBLIBS)
-
 l_getauth_SOURCES = \
 l_getauth.c \
 lsupport.c \
diff --git a/lustre/utils/gss/l_idmap.c b/lustre/utils/gss/l_idmap.c
deleted file mode 100644
index 9fcf8a5..0000000
--- a/lustre/utils/gss/l_idmap.c
+++ /dev/null
@@ -1,39 +0,0 @@
-#include
-#include
-#include
-#include
-/* For basename() */
-#include
-#include "lsupport.h"
-
-int main(int argc, char **argv)
-{
- lnet_nid_t nid;
- uid_t uid;
- int rc;
-
- if (argc < 3) {
- printf("Usage:\n"
- "%s \n",
- basename(argv[0]));
- return 1;
- }
-
- nid = libcfs_str2nid(argv[2]);
- if (nid == LNET_NID_ANY) {
- printf("parse nid %s failed\n", argv[2]);
- return 1;
- }
- rc = lookup_mapping(argv[1], nid, &uid);
- if (rc == -1) {
- printf("lookup mapping failed\n");
- return 1;
- }
-
- printf("principal: %s\n"
- "nid: %#llx\n"
- "uid: %u\n",
- argv[1], nid, uid);
-
- return 0;
-}
diff --git a/lustre/utils/gss/lsupport.c b/lustre/utils/gss/lsupport.c
index e975761..4126fee 100644
--- a/lustre/utils/gss/lsupport.c
+++ b/lustre/utils/gss/lsupport.c
@@ -411,70 +411,6 @@ int lnet_nid2hostname(lnet_nid_t nid, char *buf, int buflen)
 buf, buflen);
 }
-
-/****************************************
- * user mapping database handling *
- * (very rudiment) *
- ****************************************/
-
-#define MAPPING_GROW_SIZE 512
-#define MAX_LINE_LEN 256
-
-struct user_map_item {
- char *principal; /* NULL means match all */
- lnet_nid_t nid;
- uid_t uid;
-};
-
-struct user_mapping {
- int nitems;
- struct user_map_item *items;
-};
-
-static struct user_mapping mapping;
-/* FIXME to be finished: monitor change of mapping database */
-static int mapping_mtime;
-
-void cleanup_mapping(void)
-{
- if (mapping.items) {
- for (; mapping.nitems > 0; mapping.nitems--)
- if (mapping.items[mapping.nitems-1].principal)
- free(mapping.items[mapping.nitems-1].principal);
-
- free(mapping.items);
- mapping.items = NULL;
- }
-}
-
-static int grow_mapping(int nitems)
-{
- struct user_map_item *new;
- int oldsize, newsize;
-
- oldsize = (mapping.nitems * sizeof(struct user_map_item) +
- MAPPING_GROW_SIZE - 1) / MAPPING_GROW_SIZE;
- newsize = (nitems * sizeof(struct user_map_item) +
- MAPPING_GROW_SIZE - 1) / MAPPING_GROW_SIZE;
- while (newsize <= oldsize)
- return 0;
-
- newsize *= MAPPING_GROW_SIZE;
- new = malloc(newsize);
- if (!new) {
- printerr(LL_ERR, "can't alloc mapping size %d\n", newsize);
- return -1;
- }
-
- if (mapping.items) {
- memcpy(new, mapping.items,
- mapping.nitems * sizeof(struct user_map_item));
- free(mapping.items);
- }
- mapping.items = new;
- return 0;
-}
-
 uid_t parse_uid(char *uidstr)
 {
 struct passwd *pw;
@@ -492,153 +428,6 @@ uid_t parse_uid(char *uidstr)
 return -1;
 }
-static int read_mapping_db(void)
-{
- char princ[MAX_LINE_LEN];
- char nid_str[MAX_LINE_LEN];
- char dest[MAX_LINE_LEN];
- char linebuf[MAX_LINE_LEN];
- char *line;
- lnet_nid_t nid;
- uid_t dest_uid;
- FILE *f;
-
- /* cleanup old mappings */
- cleanup_mapping();
-
- f = fopen(MAPPING_DATABASE_FILE, "r");
- if (!f) {
- printerr(LL_ERR, "can't open mapping database: %s\n",
- MAPPING_DATABASE_FILE);
- return -1;
- }
-
- while ((line = fgets(linebuf, MAX_LINE_LEN, f)) != NULL) {
- char *name;
-
- if (sscanf(line, "%s %s %s", princ, nid_str, dest) != 3) {
- printerr(LL_ERR, "mapping db: syntax error\n");
- continue;
- }
-
- if (!strcmp(princ, "*")) {
- name = NULL;
- } else {
- name = strdup(princ);
- if (!name) {
- printerr(LL_ERR, "fail to dup str %s\n", princ);
- continue;
- }
- }
-
- if (!strcmp(nid_str, "*")) {
- nid = LNET_NID_ANY;
- } else {
- nid = libcfs_str2nid(nid_str);
- if (nid == LNET_NID_ANY) {
- printerr(LL_ERR, "fail to parse nid %s\n",
- nid_str);
- if (name)
- free(name);
- continue;
- }
- }
-
- dest_uid = parse_uid(dest);
- if (dest_uid == -1) {
- printerr(LL_ERR, "no valid user: %s\n", dest);
- if (name)
- free(name);
- continue;
- }
-
- if (grow_mapping(mapping.nitems + 1)) {
- printerr(LL_ERR, "fail to grow mapping to %d\n",
- mapping.nitems + 1);
- if (name)
- free(name);
- fclose(f);
- return -1;
- }
-
- mapping.items[mapping.nitems].principal = name;
- mapping.items[mapping.nitems].nid = nid;
- mapping.items[mapping.nitems].uid = dest_uid;
- mapping.nitems++;
- printerr(LL_WARN, "add mapping: %s(%s/0x%llx) ==> %d\n",
- name, nid_str, nid, dest_uid);
- }
-
- fclose(f);
- return 0;
-}
-
-static inline int mapping_changed(void)
-{
- struct stat st;
-
- if (stat(MAPPING_DATABASE_FILE, &st) == -1) {
- /* stat failed, treat it like doesn't exist or be removed */
- if (mapping_mtime == 0)
- return 0;
-
- printerr(LL_ERR, "stat %s failed: %s\n",
- MAPPING_DATABASE_FILE,
strerror(errno));
-
- mapping_mtime = 0;
- return 1;
- }
- printerr(LL_WARN,
- "Use of idmap.conf is deprecated.\nPlease consider switching to auth_to_local or equivalent as provided by Kerberos for cross-realm trust remapping.\n");
-
- if (st.st_mtime != mapping_mtime) {
- mapping_mtime = st.st_mtime;
- return 1;
- }
-
- return 0;
-}
-
-void load_mapping(void)
-{
- if (mapping_changed())
- (void)read_mapping_db();
-}
-
-int mapping_empty(void)
-{
- return !mapping.nitems;
-}
-
-int lookup_mapping(char *princ, lnet_nid_t nid, uid_t *uid)
-{
- int n;
-
- *uid = -1;
-
- /* FIXME race condition here */
- if (mapping_changed()) {
- if (read_mapping_db())
- printerr(LL_ERR, "all remote users will be denied\n");
- }
-
- for (n = 0; n < mapping.nitems; n++) {
- struct user_map_item *entry = &mapping.items[n];
-
- if (entry->nid != LNET_NID_ANY && entry->nid != nid)
- continue;
- if (!entry->principal || !strcasecmp(entry->principal, princ)) {
- printerr(LL_WARN, "found mapping: %s ==> %d\n",
- princ, entry->uid);
- *uid = entry->uid;
- return 0;
- }
- }
-
- printerr(LL_INFO, "no mapping for %s/%#Lx\n", princ, nid);
- return -1;
-}
-
 /* realm of this node */
 char *krb5_this_realm;
diff --git a/lustre/utils/gss/lsupport.h b/lustre/utils/gss/lsupport.h
index 6d565f8..e4a3c03 100644
--- a/lustre/utils/gss/lsupport.h
+++ b/lustre/utils/gss/lsupport.h
@@ -102,15 +102,10 @@ struct lgssd_upcall_data {
 #define GSSD_INTERFACE_VERSION_V1 (1)
 #define GSSD_DEFAULT_GETHOSTNAME_EX "/etc/lustre/nid2hostname"
-#define MAPPING_DATABASE_FILE "/etc/lustre/idmap.conf"
 int getcanonname(const char *host, char *buf, int buflen);
 int lnet_nid2hostname(lnet_nid_t nid, char *buf, int buflen);
-void cleanup_mapping(void);
 uid_t parse_uid(char *uidstr);
-void load_mapping(void);
-int mapping_empty(void);
-int lookup_mapping(char *princ, lnet_nid_t nid, uid_t *uid);
 int gss_get_realm(char *realm);
 /*
diff --git a/lustre/utils/gss/svcgssd.c b/lustre/utils/gss/svcgssd.c
index 4711a49..d92288d 100644
--- a/lustre/utils/gss/svcgssd.c
+++ b/lustre/utils/gss/svcgssd.c
@@ -171,8 +171,6 @@ release_parent()
 static void
 sig_die(int signal)
 {
- /* destroy krb5 machine creds */
- cleanup_mapping();
 /* cleanup allocated strings for realms */
 gssd_cleanup_realms();
 /* remove socket */
@@ -351,7 +349,6 @@ err_krb:
 gssd_init_unique(GSSD_SVC);
 svcgssd_run();
- cleanup_mapping();
 gssd_cleanup_realms();
 printerr(LL_ERR, "svcgssd_run returned!\n");
 abort();
diff --git a/lustre/utils/gss/svcgssd_main_loop.c b/lustre/utils/gss/svcgssd_main_loop.c
index c3a0a4c..777cdb2 100644
--- a/lustre/utils/gss/svcgssd_main_loop.c
+++ b/lustre/utils/gss/svcgssd_main_loop.c
@@ -98,9 +98,6 @@ void svcgssd_run(void)
 printerr(LL_WARN, "will use default number of rounds for prime testing\n");
 #endif
-} else {
- /* For krb, preload mapping table if any */
- load_mapping();
 }
 again:
diff --git a/lustre/utils/gss/svcgssd_proc.c b/lustre/utils/gss/svcgssd_proc.c
index 3aa2d19..5250f0e 100644
--- a/lustre/utils/gss/svcgssd_proc.c
+++ b/lustre/utils/gss/svcgssd_proc.c
@@ -309,9 +309,6 @@ free:
 static int lookup_id(gss_name_t client_name, char *princ, lnet_nid_t nid,
 uid_t *uid)
 {
- if (!mapping_empty())
- return lookup_mapping(princ, nid, uid);
-
 return lookup_localname(client_name, princ, nid, uid);
 }
--
1.8.3.1