LU-13498 sec: fix credentials with nodemap and SSK 60/40960/4
authorSebastien Buisson <sbuisson@ddn.com>
Mon, 5 Oct 2020 12:14:09 +0000 (21:14 +0900)
committerOleg Drokin <green@whamcloud.com>
Sat, 23 Jan 2021 08:18:14 +0000 (08:18 +0000)
When SSK is enabled, credentials are evaluated in new_init_ucred().
If a nodemap entry is defined with a squash UID/GID, the squash
UID/GID must prevail over the normally mapped UID/GID.

Lustre-change: https://review.whamcloud.com/40140
Lustre-commit: 2bf6442d7d9bd452153e6b1ea08ddaae3dfb3716

Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I1adfd98759e5b98ec78f0477846e1820fed5d8b3
Reviewed-on: https://review.whamcloud.com/40960
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Lai Siyao <lai.siyao@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
lustre/mdt/mdt_lib.c

index 2818339..d77e3ee 100644 (file)
@@ -215,9 +215,6 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
                        RETURN(-EACCES);
                }
 
-               ucred->uc_fsuid = nodemap->nm_squash_uid;
-               ucred->uc_fsgid = nodemap->nm_squash_gid;
-               ucred->uc_cap = 0;
                ucred->uc_suppgids[0] = -1;
                ucred->uc_suppgids[1] = -1;
        }
@@ -319,8 +316,16 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
 
        ucred->uc_uid = pud->pud_uid;
        ucred->uc_gid = pud->pud_gid;
-       ucred->uc_fsuid = pud->pud_fsuid;
-       ucred->uc_fsgid = pud->pud_fsgid;
+
+       if (nodemap && ucred->uc_o_uid == nodemap->nm_squash_uid) {
+               ucred->uc_fsuid = nodemap->nm_squash_uid;
+               ucred->uc_fsgid = nodemap->nm_squash_gid;
+               ucred->uc_cap = 0;
+       } else {
+               ucred->uc_fsuid = pud->pud_fsuid;
+               ucred->uc_fsgid = pud->pud_fsgid;
+               ucred->uc_cap = pud->pud_cap;
+       }
 
        /* process root_squash here. */
        mdt_root_squash(info, peernid);
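Review bot: The squash decision at `if (nodemap && ucred->uc_o_uid == nodemap->nm_squash_uid)` is keyed on the UID alone, so a request whose GID was squashed while its UID mapped normally takes the else branch and gets `pud->pud_fsgid` and `pud->pud_cap` from the pud. Whether an earlier step already handles that case is not visible, since new_init_ucred() starts and ends outside the hunk; if it does not, a separate check such as `if (nodemap && ucred->uc_o_gid == nodemap->nm_squash_gid) ucred->uc_fsgid = nodemap->nm_squash_gid;` would keep the squash GID authoritative. The `ucred->uc_cap = 0` in the squash branch also only holds if nothing after `mdt_root_squash()` reassigns `uc_cap` from `pud->pud_cap`, which is worth confirming. A comment above the branch, e.g. `/* nodemap squash ids prevail over the fsuid/fsgid carried in pud; squashed users get no capabilities */`, would record the intent.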