LU-16524 sec: add fscrypt_admin rbac role 84/50184/13
authorSebastien Buisson <sbuisson@ddn.com>
Wed, 1 Mar 2023 15:11:19 +0000 (16:11 +0100)
committerOleg Drokin <green@whamcloud.com>
Tue, 21 Mar 2023 23:36:02 +0000 (23:36 +0000)
The purpose of the new fscrypt_admin rbac role is to control admin
tasks related to fscrypt. When it is not set, all users, including
root, are forbidden to modify existing protectors or policies, or to
create new ones. It remains possible to lock and unlock encrypted
directories.

Internally, this is achieved by marking fscrypt metadata files and
directories, i.e. everything under ROOT/.fscrypt, with a special mdt
object flag LOHA_FSCRYPT_MD.
Upon request processing, the mdt layer returns -EPERM if the flag
LOHA_FSCRYPT_MD is found on an object that is the target of a modify
request.
The LUSTRE_IMMUTABLE_FL flag is also returned to clients for such
objects.

sanity-sec test_64f is added to exercise the new fscrypt_admin flag.

Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I99956499133994444ccd88e33340067790a182ce
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/50184
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Patrick Farrell <pfarrell@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
17 files changed:
lustre/doc/lctl-nodemap-modify.8
lustre/include/lu_object.h
lustre/include/lustre_nodemap.h
lustre/include/md_object.h
lustre/include/uapi/linux/lustre/lustre_idl.h
lustre/lod/lod_object.c
lustre/mdt/mdt_coordinator.c
lustre/mdt/mdt_handler.c
lustre/mdt/mdt_lib.c
lustre/mdt/mdt_open.c
lustre/mdt/mdt_reint.c
lustre/mdt/mdt_restripe.c
lustre/obdecho/echo_client.c
lustre/ptlrpc/wiretest.c
lustre/tests/sanity-sec.sh
lustre/utils/wirecheck.c
lustre/utils/wiretest.c

index caa9df1..c3e127b 100644 (file)
@@ -89,6 +89,10 @@ Defaults to all, which means all roles are allowed. Other possible values
 - chlg_ops, to allow access to Lustre Changelogs.
 - dne_ops, to allow operations related to DNE (e.g. 'lfs mkdir').
 - file_perms, to allow modifications of file permissions and owners.
+- fscrypt_admin, to allow fscrypt related admin tasks (create or modify
+protectors/policies). Note that even without this role, it is still possible
+to lock or unlock encrypted directories, as these operations only need read
+access to fscrypt metadata.
 - quota_ops, to allow quota modifications.
 Apart from all, any role not explicitly specified is forbidden. And to forbid
 all roles, use 'none' value.
index 8c5a979..fe03fd2 100644 (file)
@@ -508,6 +508,7 @@ enum lu_object_header_attr {
        LOHA_EXISTS             = BIT(0),
        LOHA_REMOTE             = BIT(1),
        LOHA_HAS_AGENT_ENTRY    = BIT(2),
+       LOHA_FSCRYPT_MD         = BIT(3),
        /**
         * UNIX file type is stored in S_IFMT bits.
         */
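Review bot: `LOHA_FSCRYPT_MD` is added without a comment, and among the bits visible here it is the only one that encodes a security policy rather than an object state. Judging from the other hunks of this commit, it is set on the object header during create and by-name lookup and then tested by the -EPERM checks. A one-line comment such as `/* fscrypt metadata (ROOT/.fscrypt and below); set by MDT at create/lookup, modification requires the fscrypt_admin role */` would tell readers where the bit comes from and what depends on it. The enum starts and ends outside the hunk.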
index 59f227d..bfb29e7 100644 (file)
@@ -40,11 +40,12 @@ static const struct nodemap_rbac_name {
        enum nodemap_rbac_roles nrn_mode;
        const char             *nrn_name;
 } nodemap_rbac_names[] = {
-       { NODEMAP_RBAC_FILE_PERMS, "file_perms" },
-       { NODEMAP_RBAC_DNE_OPS,    "dne_ops"    },
-       { NODEMAP_RBAC_QUOTA_OPS,  "quota_ops"  },
-       { NODEMAP_RBAC_BYFID_OPS,  "byfid_ops"  },
-       { NODEMAP_RBAC_CHLG_OPS,   "chlg_ops"   },
+       { NODEMAP_RBAC_FILE_PERMS,      "file_perms"    },
+       { NODEMAP_RBAC_DNE_OPS,         "dne_ops"       },
+       { NODEMAP_RBAC_QUOTA_OPS,       "quota_ops"     },
+       { NODEMAP_RBAC_BYFID_OPS,       "byfid_ops"     },
+       { NODEMAP_RBAC_CHLG_OPS,        "chlg_ops"      },
+       { NODEMAP_RBAC_FSCRYPT_ADMIN,   "fscrypt_admin" },
 };
 
 struct nodemap_pde {
index f849fee..167a0f1 100644 (file)
@@ -722,6 +722,7 @@ struct lu_ucred {
        int                      uc_rbac_quota_ops:1;
        int                      uc_rbac_byfid_ops:1;
        int                      uc_rbac_chlg_ops:1;
+       int                      uc_rbac_fscrypt_admin:1;
 };
 
 struct lu_ucred *lu_ucred(const struct lu_env *env);
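Review bot: `uc_rbac_fscrypt_admin` is declared as `int ...:1`, and where a plain `int` bit-field is signed (as with GCC) a one-bit field holds only 0 and -1, so the `= 1` assignments elsewhere in this commit store -1. The truth tests this commit uses (`!uc->uc_rbac_fscrypt_admin`) still behave, but a later `== 1` comparison on a permission bit would quietly evaluate false. The field follows the existing `uc_rbac_*` members, so the clean fix is to change the whole group to `unsigned int uc_rbac_fscrypt_admin:1;`. The struct begins outside the hunk.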
index 5e17270..82f86ca 100644 (file)
@@ -3715,16 +3715,18 @@ enum nodemap_mapping_modes {
 };
 
 enum nodemap_rbac_roles {
-       NODEMAP_RBAC_FILE_PERMS = 0x00000001,
-       NODEMAP_RBAC_DNE_OPS    = 0x00000002,
-       NODEMAP_RBAC_QUOTA_OPS  = 0x00000004,
-       NODEMAP_RBAC_BYFID_OPS  = 0x00000008,
-       NODEMAP_RBAC_CHLG_OPS   = 0x00000010,
-       NODEMAP_RBAC_NONE       = (__u32)~(NODEMAP_RBAC_FILE_PERMS |
-                                          NODEMAP_RBAC_DNE_OPS    |
-                                          NODEMAP_RBAC_QUOTA_OPS  |
-                                          NODEMAP_RBAC_BYFID_OPS  |
-                                          NODEMAP_RBAC_CHLG_OPS),
+       NODEMAP_RBAC_FILE_PERMS         = 0x00000001,
+       NODEMAP_RBAC_DNE_OPS            = 0x00000002,
+       NODEMAP_RBAC_QUOTA_OPS          = 0x00000004,
+       NODEMAP_RBAC_BYFID_OPS          = 0x00000008,
+       NODEMAP_RBAC_CHLG_OPS           = 0x00000010,
+       NODEMAP_RBAC_FSCRYPT_ADMIN      = 0x00000020,
+       NODEMAP_RBAC_NONE       = (__u32)~(NODEMAP_RBAC_FILE_PERMS      |
+                                          NODEMAP_RBAC_DNE_OPS |
+                                          NODEMAP_RBAC_QUOTA_OPS       |
+                                          NODEMAP_RBAC_BYFID_OPS       |
+                                          NODEMAP_RBAC_CHLG_OPS        |
+                                          NODEMAP_RBAC_FSCRYPT_ADMIN),
        NODEMAP_RBAC_ALL        = 0xFFFFFFFF, /* future caps ON by default */
 };
 
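Review bot: `NODEMAP_RBAC_NONE` is the complement of the known roles, so adding `NODEMAP_RBAC_FSCRYPT_ADMIN` silently changes its value from 0xFFFFFFE0 to 0xFFFFFFC0, as the wiretest hunks confirm. If an rbac value written as `none` by an older release is persisted or transmitted as 0xFFFFFFE0, `ucred_set_rbac_roles()` tests `rbac & NODEMAP_RBAC_FSCRYPT_ADMIN` and would read bit 0x20 as granted. Whether that can happen depends on how the value is stored, which this diff does not show. Conversely, a nodemap with an explicit role list loses fscrypt administration after upgrade until the role is added. Both cases deserve a comment on the enum and an upgrade note, or a mask of loaded values against the known-role bits.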
index d157e8b..963fb3c 100644 (file)
@@ -5783,6 +5783,15 @@ static void lod_ah_init(const struct lu_env *env,
                                (lc->ldo_dir_hash_type & LMV_HASH_FLAG_KNOWN) |
                                d->lod_mdt_descs.ltd_lmv_desc.ld_pattern;
 
+               /* make sure all fscrypt metadata stays on same mdt */
+               if (child->do_lu.lo_header->loh_attr & LOHA_FSCRYPT_MD) {
+                       lc->ldo_dir_stripe_count = 0;
+                       lds->lds_dir_def_stripe_offset =
+                               lod2lu_dev(d)->ld_site->ld_seq_site->ss_node_id;
+                       lds->lds_dir_def_striping_set = 1;
+                       lc->ldo_def_striping = lds;
+               }
+
                CDEBUG(D_INFO, "final dir stripe_count=%hu offset=%d hash=%u\n",
                       lc->ldo_dir_stripe_count,
                       (int)lc->ldo_dir_stripe_offset, lc->ldo_dir_hash_type);
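Review bot: The comment `make sure all fscrypt metadata stays on same mdt` gives no reason, and the block does two separate things: it forces `lc->ldo_dir_stripe_count` to 0 for this directory and installs a default layout in `lds` that points at the local node id. The `CDEBUG` that follows prints `lc->ldo_dir_stripe_offset`, which this block does not set, so the log line will not reflect the override. I would expand the comment to say that children inherit the default layout and why co-location is required (presumably because `LOHA_FSCRYPT_MD` is propagated from parent to child on one MDT), and confirm that `lds` outlives the `lc->ldo_def_striping` pointer. lod_ah_init's body starts and ends outside the hunk.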
index f212c25..2ac5853 100644 (file)
@@ -1036,6 +1036,7 @@ int hsm_init_ucred(struct lu_ucred *uc)
        uc->uc_rbac_quota_ops = 1;
        uc->uc_rbac_byfid_ops = 1;
        uc->uc_rbac_chlg_ops = 1;
+       uc->uc_rbac_fscrypt_admin = 1;
 
        RETURN(0);
 }
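Review bot: This is one of four internal credential initialisers that list every `uc_rbac_*` bit by hand; the same one-line addition is repeated in `mdt_ctxt_add_dirty_flag`, `mdt_restriper_start` and `echo_ucred_init`. A site missed when the next role is added would presumably leave that role denied for an internal thread, which is hard to diagnose. A single shared helper that turns on all role bits for internal credentials would keep the four in step. hsm_init_ucred begins outside the hunk.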
index 9af1a5d..ed538bf 100644 (file)
@@ -1468,6 +1468,13 @@ static int mdt_getattr_internal(struct mdt_thread_info *info,
                RETURN(rc);
        }
 
+       /* return immutable attr on fscrypt metadata files
+        * if fscrypt admin is not permitted
+        */
+       if (o->mot_obj.lo_header->loh_attr & LOHA_FSCRYPT_MD &&
+           !mdt_ucred(info)->uc_rbac_fscrypt_admin)
+               la->la_flags |= LUSTRE_IMMUTABLE_FL;
+
        /* if file is released, check if a restore is running */
        if (ma->ma_valid & MA_HSM) {
                repbody->mbo_valid |= OBD_MD_TSTATE;
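Review bot: `la->la_flags |= LUSTRE_IMMUTABLE_FL` is applied with no visible check that the flags attribute was actually fetched, for example `la->la_valid & LA_FLAGS`. If it was not, the OR operates on a stale value and the bit may never be packed into the reply. The flag is also only a hint that the client chooses to honour; the role is enforced by the server-side -EPERM checks added in mdt_open.c and mdt_reint.c. The comment could say so: `/* advisory for clients; enforcement is in the reint handlers */`. mdt_getattr_internal's body extends beyond the hunk.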
@@ -1685,12 +1692,18 @@ static int mdt_getattr(struct tgt_session_info *tsi)
 
        info->mti_cross_ref = !!(reqbody->mbo_valid & OBD_MD_FLCROSSREF);
 
+       rc = mdt_init_ucred(info, reqbody);
+       if (rc)
+               GOTO(out_shrink, rc);
+
        rc = mdt_getattr_internal(info, obj, 0);
        if (unlikely(rc))
-               GOTO(out_shrink, rc);
+               GOTO(out_ucred, rc);
 
        rc = mdt_pack_encctx_in_reply(info, obj);
        EXIT;
+out_ucred:
+       mdt_exit_ucred(info);
 out_shrink:
        mdt_client_compatibility(info);
        rc2 = mdt_fix_reply(info);
@@ -2038,6 +2051,7 @@ static int mdt_getattr_name_lock(struct mdt_thread_info *info,
        struct mdt_lock_handle *lhp = NULL;
        struct ldlm_lock *lock;
        struct req_capsule *pill = info->mti_pill;
+       bool fscrypt_md = false;
        __u64 try_bits = 0;
        bool is_resent;
        int ma_need = 0;
@@ -2148,6 +2162,13 @@ static int mdt_getattr_name_lock(struct mdt_thread_info *info,
                CDEBUG(D_INODE, "getattr with lock for "DFID"/"DNAME", "
                       "ldlm_rep = %p\n", PFID(mdt_object_fid(parent)),
                       PNAME(lname), ldlm_rep);
+
+               if (parent->mot_obj.lo_header->loh_attr & LOHA_FSCRYPT_MD ||
+                   (fid_is_root(mdt_object_fid(parent)) &&
+                    lname->ln_namelen == strlen(dot_fscrypt_name) &&
+                    strncmp(lname->ln_name, dot_fscrypt_name,
+                            lname->ln_namelen) == 0))
+                       fscrypt_md = true;
        } else {
                reqbody = req_capsule_client_get(pill, &RMF_MDT_BODY);
                if (unlikely(reqbody == NULL))
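Review bot: `fscrypt_md` is derived only in the by-name branch, from the parent's flag or the ROOT/`dot_fscrypt_name` match; the `else` branch at the end of this hunk leaves it false, and the later hunk marks the child only when it is true. `loh_attr` looks like in-memory header state, so an object instantiated without passing through a flagged parent would presumably carry no `LOHA_FSCRYPT_MD`, and the -EPERM checks in mdt_reint.c would not fire for it. Please confirm that cannot occur, or derive the marker from something stored with the object. The name comparison is also duplicated in `mdt_create`; a small helper such as `mdt_name_is_dot_fscrypt(lname)` would keep the two in step. The function body extends beyond the hunk.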
@@ -2338,6 +2359,9 @@ static int mdt_getattr_name_lock(struct mdt_thread_info *info,
                        GOTO(out_child, rc);
        }
 
+       if (fscrypt_md)
+               child->mot_obj.lo_header->loh_attr |= LOHA_FSCRYPT_MD;
+
        /* finally, we can get attr for child. */
        rc = mdt_getattr_internal(info, child, ma_need);
        if (unlikely(rc != 0)) {
@@ -6725,6 +6749,7 @@ static int mdt_ctxt_add_dirty_flag(struct lu_env *env,
        mdt_ucred(info)->uc_rbac_quota_ops = 1;
        mdt_ucred(info)->uc_rbac_byfid_ops = 1;
        mdt_ucred(info)->uc_rbac_chlg_ops = 1;
+       mdt_ucred(info)->uc_rbac_fscrypt_admin = 1;
        rc = mdt_add_dirty_flag(info, mfd->mfd_object, &info->mti_attr);
 
        lu_context_exit(&ses);
index 33eddf3..b147ae1 100644 (file)
@@ -184,6 +184,7 @@ static void ucred_set_rbac_roles(struct mdt_thread_info *info,
        uc->uc_rbac_quota_ops = !!(rbac & NODEMAP_RBAC_QUOTA_OPS);
        uc->uc_rbac_byfid_ops = !!(rbac & NODEMAP_RBAC_BYFID_OPS);
        uc->uc_rbac_chlg_ops = !!(rbac & NODEMAP_RBAC_CHLG_OPS);
+       uc->uc_rbac_fscrypt_admin = !!(rbac & NODEMAP_RBAC_FSCRYPT_ADMIN);
 }
 
 static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
index c698cc8..8a68273 100644 (file)
@@ -1432,6 +1432,11 @@ int mdt_reint_open(struct mdt_thread_info *info, struct mdt_lock_handle *lhc)
                GOTO(out, result);
        }
 
+       if (!uc->uc_rbac_fscrypt_admin &&
+           parent->mot_obj.lo_header->loh_attr & LOHA_FSCRYPT_MD &&
+           open_flags & MDS_OPEN_CREAT)
+               GOTO(out_parent, result = -EPERM);
+
        result = mdt_check_enc(info, parent);
        if (result)
                GOTO(out_parent, result);
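Review bot: The new check rejects only `MDS_OPEN_CREAT` under a flagged parent; an open of an existing fscrypt metadata file with write or truncate intent is not tested in this hunk. For that case the protection appears to rest on the `LUSTRE_IMMUTABLE_FL` hint returned to the client. If "modify existing protectors or policies" is meant to be refused by the server, a test of the child's `loh_attr` against the write-type open flags belongs after the child lookup, which lies outside this hunk. As a smaller point, the condition mixes `&` and `&&` without parentheses; writing `(parent->mot_obj.lo_header->loh_attr & LOHA_FSCRYPT_MD)` reads more safely.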
index b16b197..f45a84b 100644 (file)
@@ -510,6 +510,7 @@ static int mdt_create(struct mdt_thread_info *info)
        struct md_attr *ma = &info->mti_attr;
        struct mdt_reint_record *rr = &info->mti_rr;
        struct md_op_spec *spec = &info->mti_spec;
+       struct lu_ucred *uc = mdt_ucred(info);
        bool restripe = false;
        int rc;
 
@@ -524,7 +525,6 @@ static int mdt_create(struct mdt_thread_info *info)
        if (S_ISDIR(ma->ma_attr.la_mode) &&
            spec->u.sp_ea.eadata != NULL && spec->u.sp_ea.eadatalen != 0) {
                const struct lmv_user_md *lum = spec->u.sp_ea.eadata;
-               struct lu_ucred *uc = mdt_ucred(info);
                struct obd_export *exp = mdt_info_req(info)->rq_export;
 
                /* Only new clients can create remote dir( >= 2.4) and
@@ -579,6 +579,10 @@ static int mdt_create(struct mdt_thread_info *info)
        if (rc)
                GOTO(put_parent, rc);
 
+       if (!uc->uc_rbac_fscrypt_admin &&
+           parent->mot_obj.lo_header->loh_attr & LOHA_FSCRYPT_MD)
+               GOTO(put_parent, rc = -EPERM);
+
        /*
         * LU-10235: check if name exists locklessly first to avoid massive
         * lock recalls on existing directories.
@@ -630,6 +634,12 @@ static int mdt_create(struct mdt_thread_info *info)
        if (rc)
                GOTO(put_child, rc);
 
+       if (parent->mot_obj.lo_header->loh_attr & LOHA_FSCRYPT_MD ||
+           (rr->rr_name.ln_namelen == strlen(dot_fscrypt_name) &&
+            strncmp(rr->rr_name.ln_name, dot_fscrypt_name,
+                    rr->rr_name.ln_namelen) == 0))
+               child->mot_obj.lo_header->loh_attr |= LOHA_FSCRYPT_MD;
+
        /*
         * Do not perform lookup sanity check. We know that name does
         * not exist.
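Review bot: The name test here marks any new entry called `dot_fscrypt_name` as fscrypt metadata regardless of its parent, whereas the lookup path in `mdt_getattr_name_lock` only does so when `fid_is_root(mdt_object_fid(parent))` holds. As written, an entry with that name created deeper in the tree would receive `LOHA_FSCRYPT_MD`. It would then pick up the -EPERM checks and the single-MDT layout applied in `lod_ah_init`, at least while the object stays cached. Adding `fid_is_root(mdt_object_fid(parent)) &&` in front of the length comparison makes the two paths agree. mdt_create's body extends beyond the hunk.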
@@ -1113,6 +1123,7 @@ static int mdt_reint_unlink(struct mdt_thread_info *info,
        struct mdt_lock_handle *parent_lh;
        struct mdt_lock_handle *child_lh;
        struct ldlm_enqueue_info *einfo = &info->mti_einfo[0];
+       struct lu_ucred *uc  = mdt_ucred(info);
        __u64 lock_ibits;
        bool cos_incompat = false;
        int no_name = 0;
@@ -1144,6 +1155,10 @@ static int mdt_reint_unlink(struct mdt_thread_info *info,
                        GOTO(put_parent, rc);
        }
 
+       if (!uc->uc_rbac_fscrypt_admin &&
+           mp->mot_obj.lo_header->loh_attr & LOHA_FSCRYPT_MD)
+               GOTO(put_parent, rc = -EPERM);
+
        OBD_RACE(OBD_FAIL_MDS_REINT_OPEN);
        OBD_RACE(OBD_FAIL_MDS_REINT_OPEN2);
 relock:
@@ -1155,8 +1170,6 @@ relock:
                GOTO(put_parent, rc);
 
        if (info->mti_spec.sp_rm_entry) {
-               struct lu_ucred *uc  = mdt_ucred(info);
-
                if (!mdt_is_dne_client(req->rq_export))
                        /* Return -ENOTSUPP for old client */
                        GOTO(unlock_parent, rc = -ENOTSUPP);
@@ -2704,6 +2717,7 @@ static int mdt_reint_rename(struct mdt_thread_info *info,
        struct mdt_lock_handle *lh_newp = NULL;
        struct lu_fid *old_fid = &info->mti_tmp_fid1;
        struct lu_fid *new_fid = &info->mti_tmp_fid2;
+       struct lu_ucred *uc = mdt_ucred(info);
        __u64 lock_ibits;
        bool reverse = false, discard = false;
        bool cos_incompat;
@@ -2747,6 +2761,10 @@ static int mdt_reint_rename(struct mdt_thread_info *info,
        if (rc)
                GOTO(out_put_tgtdir, rc);
 
+       if (!uc->uc_rbac_fscrypt_admin &&
+           mtgtdir->mot_obj.lo_header->loh_attr & LOHA_FSCRYPT_MD)
+               GOTO(out_put_tgtdir, rc = -EPERM);
+
        /*
         * Note: do not enqueue rename lock for replay request, because
         * if other MDT holds rename lock, but being blocked to wait for
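Review bot: Only the target directory `mtgtdir` is tested for `LOHA_FSCRYPT_MD`, so a rename whose source parent is flagged and whose target lies elsewhere removes an entry from the fscrypt metadata tree without hitting this check. That holds unless the source side is refused somewhere this hunk does not show. A matching test on the source parent's `loh_attr`, placed where that object is available, would cover it and mirror the `mp` check added in `mdt_reint_unlink`. mdt_reint_rename's body extends beyond the hunk.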
index e6c2e0e..2c808e9 100644 (file)
@@ -943,6 +943,7 @@ int mdt_restriper_start(struct mdt_device *mdt)
        uc->uc_rbac_quota_ops = 1;
        uc->uc_rbac_byfid_ops = 1;
        uc->uc_rbac_chlg_ops = 1;
+       uc->uc_rbac_fscrypt_admin = 1;
 
        task = kthread_create(mdt_restriper_main, info, "mdt_restriper_%03d",
                              mdt_seq_site(mdt)->ss_node_id);
index 6084317..002bc6e 100644 (file)
@@ -1837,6 +1837,7 @@ static void echo_ucred_init(struct lu_env *env)
        ucred->uc_rbac_quota_ops = 1;
        ucred->uc_rbac_byfid_ops = 1;
        ucred->uc_rbac_chlg_ops = 1;
+       ucred->uc_rbac_fscrypt_admin = 1;
 }
 
 static void echo_ucred_fini(struct lu_env *env)
index 3b68448..9601e1c 100644 (file)
@@ -5790,7 +5790,9 @@ void lustre_assert_wire_constants(void)
                 (long long)NODEMAP_RBAC_BYFID_OPS);
        LASSERTF(NODEMAP_RBAC_CHLG_OPS == 0x00000010UL, "found 0x%.8llxUL\n",
                 (long long)NODEMAP_RBAC_CHLG_OPS);
-       LASSERTF(NODEMAP_RBAC_NONE == 0xFFFFFFE0UL, "found 0x%.8llxUL\n",
+       LASSERTF(NODEMAP_RBAC_FSCRYPT_ADMIN == 0x00000020UL, "found 0x%.8llxUL\n",
+                (long long)NODEMAP_RBAC_FSCRYPT_ADMIN);
+       LASSERTF(NODEMAP_RBAC_NONE == 0xFFFFFFC0UL, "found 0x%.8llxUL\n",
                 (long long)NODEMAP_RBAC_NONE);
        LASSERTF(NODEMAP_RBAC_ALL == 0xFFFFFFFFUL, "found 0x%.8llxUL\n",
                 (long long)NODEMAP_RBAC_ALL);
index f60112d..b157fca 100755 (executable)
@@ -5405,6 +5405,7 @@ test_64a() {
                    quota_ops \
                    byfid_ops \
                    chlg_ops \
+                   fscrypt_admin \
                    ;
        do
                [[ "$rbac" =~ "$role" ]] ||
@@ -5670,6 +5671,86 @@ test_64e() {
 }
 run_test 64e "Nodemap enforces chlg_ops RBAC roles"
 
+test_64f() {
+       local vaultdir=$DIR/$tdir/vault
+       local cli_enc
+       local policy
+       local protector
+
+       (( MDS1_VERSION >= $(version_code 2.15.54) )) ||
+               skip "Need MDS >= 2.15.54 for role-based controls"
+
+       cli_enc=$($LCTL get_param mdc.*.import | grep client_encryption)
+       [ -n "$cli_enc" ] || skip "Need enc support, skip fscrypt_admin role"
+        which fscrypt || skip "Need fscrypt, skip fscrypt_admin role"
+
+       stack_trap cleanup_64 EXIT
+       mkdir -p $DIR/$tdir || error "mkdir $DIR/$tdir failed"
+       setup_64
+
+       yes | fscrypt setup --force --verbose ||
+               echo "fscrypt global setup already done"
+       sed -i 's/\(.*\)policy_version\(.*\):\(.*\)\"[0-9]*\"\(.*\)/\1policy_version\2:\3"2"\4/' \
+               /etc/fscrypt.conf
+       yes | fscrypt setup --verbose $MOUNT ||
+               echo "fscrypt setup $MOUNT already done"
+       stack_trap "rm -rf $MOUNT/.fscrypt"
+
+       # file_perms is required because fscrypt uses chmod/chown
+       do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \
+               --value fscrypt_admin,file_perms
+       wait_nm_sync c0 rbac
+
+       mkdir -p $vaultdir
+       set -vx
+       echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
+            --source=custom_passphrase --name=protector_64 $vaultdir ||
+               error "fscrypt encrypt $vaultdir failed"
+       fscrypt lock $vaultdir || error "fscrypt lock $vaultdir failed (1)"
+       policy=$(fscrypt status $vaultdir | awk '$1 == "Policy:"{print $2}')
+       [ -n "$policy" ] || error "could not get enc policy"
+       protector=$(fscrypt status $vaultdir |
+                 awk 'BEGIN {found=0} { if (found == 1) { print $1 }} \
+                       $1 == "PROTECTOR" {found=1}')
+       [ -n "$protector" ] || error "could not get enc protector"
+       set +vx
+
+       cancel_lru_locks
+       # file_perms is required because fscrypt uses chmod/chown
+       do_facet mgs $LCTL nodemap_modify --name c0 --property rbac \
+               --value file_perms
+       wait_nm_sync c0 rbac
+
+       set -vx
+       echo mypass | fscrypt unlock $vaultdir ||
+               error "fscrypt unlock $vaultdir failed"
+       fscrypt lock $vaultdir || error "fscrypt lock $vaultdir failed (2)"
+       fscrypt metadata destroy --protector=$MOUNT:$protector --force &&
+               error "destroy protector should fail"
+       fscrypt metadata destroy --policy=$MOUNT:$policy --force &&
+               error "destroy policy should fail"
+       mkdir -p ${vaultdir}2
+       echo -e 'mypass\nmypass' | fscrypt encrypt --verbose \
+               --source=custom_passphrase \
+               --name=protector_64bis ${vaultdir}2 &&
+                       error "fscrypt encrypt ${vaultdir}2 should fail"
+       set +vx
+
+       cancel_lru_locks
+       do_facet mgs $LCTL nodemap_modify --name c0 --property rbac  --value all
+       wait_nm_sync c0 rbac
+
+       set -vx
+       fscrypt metadata destroy --protector=$MOUNT:$protector --force ||
+               error "destroy protector failed"
+       fscrypt metadata destroy --policy=$MOUNT:$policy --force ||
+               error "destroy policy failed"
+       set +vx
+
+       rm -rf ${vaultdir}*
+}
+run_test 64f "Nodemap enforces fscrypt_admin RBAC roles"
+
 log "cleanup: ======================================================"
 
 sec_unsetup() {
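Review bot: test_64f rewrites `/etc/fscrypt.conf` in place with `sed -i` and never restores it. Its `stack_trap "rm -rf $MOUNT/.fscrypt"` is also registered after `stack_trap cleanup_64 EXIT`, so if traps run last-in-first-out the removal runs while the nodemap may still lack `fscrypt_admin` and would be refused by the check under test. Saving the file first (`cp -p /etc/fscrypt.conf $TMP/fscrypt.conf.$$` with a trap that copies it back) and resetting rbac to `all` before the `rm -rf` would keep a failed run from leaving residue for later tests. The negative cases (`... && error "... should fail"`) also pass on any failure, so checking for a permission error in the output would tie them to the new role.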
index dbb5c2c..faf8a65 100644 (file)
@@ -2752,6 +2752,7 @@ static void check_nodemap_key(void)
        CHECK_VALUE_X(NODEMAP_RBAC_QUOTA_OPS);
        CHECK_VALUE_X(NODEMAP_RBAC_BYFID_OPS);
        CHECK_VALUE_X(NODEMAP_RBAC_CHLG_OPS);
+       CHECK_VALUE_X(NODEMAP_RBAC_FSCRYPT_ADMIN);
        CHECK_VALUE_X(NODEMAP_RBAC_NONE);
        CHECK_VALUE_X(NODEMAP_RBAC_ALL);
 }
index 2c7f4be..d242db4 100644 (file)
@@ -5818,7 +5818,9 @@ void lustre_assert_wire_constants(void)
                 (long long)NODEMAP_RBAC_BYFID_OPS);
        LASSERTF(NODEMAP_RBAC_CHLG_OPS == 0x00000010UL, "found 0x%.8llxUL\n",
                 (long long)NODEMAP_RBAC_CHLG_OPS);
-       LASSERTF(NODEMAP_RBAC_NONE == 0xFFFFFFE0UL, "found 0x%.8llxUL\n",
+       LASSERTF(NODEMAP_RBAC_FSCRYPT_ADMIN == 0x00000020UL, "found 0x%.8llxUL\n",
+                (long long)NODEMAP_RBAC_FSCRYPT_ADMIN);
+       LASSERTF(NODEMAP_RBAC_NONE == 0xFFFFFFC0UL, "found 0x%.8llxUL\n",
                 (long long)NODEMAP_RBAC_NONE);
        LASSERTF(NODEMAP_RBAC_ALL == 0xFFFFFFFFUL, "found 0x%.8llxUL\n",
                 (long long)NODEMAP_RBAC_ALL);