git://git.whamcloud.com - fs/lustre-release.git/commit

author	Sebastien Buisson <sbuisson@ddn.com>
	Thu, 7 Sep 2023 07:28:45 +0000 (09:28 +0200)
committer	Oleg Drokin <green@whamcloud.com>
	Wed, 25 Oct 2023 18:07:26 +0000 (18:07 +0000)
commit	8d828762d18ffaa2945bde56039127d0e75aceb3
tree	9045429d1e568e266a36e9b5903f2b7b6656c3d1	tree \| snapshot
parent	5a0f59d05147ee32e10d8db606c6da17d4099721	commit \| diff

LU-17015 gss: support large kerberos token for rpc sec init

If the current Kerberos setup is using large token, like when PAC
feature is enabled for Kerberos, authentication can fail due to server
side unable to exchange token between kernel and userspace.
This limitation is inherent to the sunrpc cache mechanism, that can
only handle tokens up to PAGE_SIZE.

For RPC sec init phase, use Lustre's upcall cache mechanism
instead of deprecated kernel's sunrpc cache. The upcall calls a new
userspace command 'l_getauth', that fowards the sec init request to
the lsvcgssd daemon via Unix domain sockets.

Test-Parameters: kerberos=true testlist=sanity-krb5
Change-Id: I709cd79894a5a13fc4cdfab2109c86f2230db3b8
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/52224
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Aurelien Degremont <adegremont@nvidia.com>

libcfs/libcfs/crypto/fname.c		diff \| blob \| history
libcfs/libcfs/crypto/llcrypt_private.h		diff \| blob \| history
lustre/include/lustre_sec.h		diff \| blob \| history
lustre/include/uapi/linux/lustre/lgss.h		diff \| blob \| history
lustre/include/uapi/linux/lustre/lustre_disk.h		diff \| blob \| history
lustre/include/uapi/linux/lustre/lustre_idl.h		diff \| blob \| history
lustre/include/upcall_cache.h		diff \| blob \| history
lustre/obdclass/Makefile.in		diff \| blob \| history
lustre/obdclass/upcall_cache.c		diff \| blob \| history
lustre/ptlrpc/gss/gss_api.h		diff \| blob \| history
lustre/ptlrpc/gss/gss_internal.h		diff \| blob \| history
lustre/ptlrpc/gss/gss_svc_upcall.c		diff \| blob \| history
lustre/ptlrpc/gss/lproc_gss.c		diff \| blob \| history
lustre/ptlrpc/wiretest.c		diff \| blob \| history
lustre/tests/sanity-sec.sh		diff \| blob \| history
lustre/tests/test-framework.sh		diff \| blob \| history
lustre/utils/gss/.gitignore		diff \| blob \| history
lustre/utils/gss/Makefile.am		diff \| blob \| history
lustre/utils/gss/l_getauth.c	[new file with mode: 0644]	blob
lustre/utils/gss/lsupport.h		diff \| blob \| history
lustre/utils/gss/svcgssd.c		diff \| blob \| history
lustre/utils/gss/svcgssd.h		diff \| blob \| history
lustre/utils/gss/svcgssd_main_loop.c		diff \| blob \| history
lustre/utils/gss/svcgssd_proc.c		diff \| blob \| history
lustre/utils/wirecheck.c		diff \| blob \| history
lustre/utils/wiretest.c		diff \| blob \| history