LU-9795 mdt: only set groups if GID is not squashed 16/33316/11
authorSebastien Buisson <sbuisson@ddn.com>
Fri, 5 Oct 2018 11:51:57 +0000 (20:51 +0900)
committerOleg Drokin <green@whamcloud.com>
Tue, 13 Nov 2018 06:15:26 +0000 (06:15 +0000)
In new_init_ucred(), only set groups for a local client if its GID
is not squashed. Otherwise, GID squashing would be bypassed.

Test-Parameters: testlist=sanity-sec envdefinitions=ONLY="17 18 19 20 21 22",SHARED_KEY=true
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I56961c62a93d99e6a62c72cca7b4fa6e9b3388b9
Reviewed-on: https://review.whamcloud.com/33316
Tested-by: Jenkins
Reviewed-by: John L. Hammond <jhammond@whamcloud.com>
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: James Simmons <uja.ornl@yahoo.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
lustre/mdt/mdt_lib.c
lustre/tests/sanity-sec.sh

index dddf727..6e5fbf3 100644 (file)
@@ -178,6 +178,7 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
        __u32 perm = 0;
        int setuid;
        int setgid;
+       bool is_nm_gid_squashed = false;
        int rc = 0;
 
        ENTRY;
@@ -220,6 +221,10 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
                ucred->uc_suppgids[0] = -1;
                ucred->uc_suppgids[1] = -1;
        }
+
+       if (nodemap && ucred->uc_o_gid == nodemap->nm_squash_gid)
+               is_nm_gid_squashed = true;
+
        nodemap_putref(nodemap);
 
        if (type == BODY_INIT) {
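Review bot: The squash test `ucred->uc_o_gid == nodemap->nm_squash_gid` compares values, so it cannot tell a GID that was actually squashed from one whose configured mapping happens to equal the squash GID; both set `is_nm_gid_squashed` and lose their groups further down. That errs on the restrictive side, which looks intended, but it should be stated at the check, e.g. `/* a GID equal to nm_squash_gid is treated as squashed, even if explicitly mapped to it */`. Only the primary `uc_o_gid` is consulted here; how the fsgid is handled is outside this hunk, so it is worth confirming that a squashed fsgid cannot keep the client-supplied groups. new_init_ucred() starts and ends outside the hunk.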
@@ -288,7 +293,8 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
        }
 
        if (perm & CFS_SETGRP_PERM) {
-               if (pud->pud_ngroups) {
+               /* only set groups if GID is not squashed */
+               if (pud->pud_ngroups && !is_nm_gid_squashed) {
                        /* setgroups for local client */
                        ucred->uc_ginfo = groups_alloc(pud->pud_ngroups);
                        if (!ucred->uc_ginfo) {
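Review bot: The new condition `pud->pud_ngroups && !is_nm_gid_squashed` decides only whether the client's group list is accepted at all; nothing visible in this hunk or the next maps or filters the individual entries of `pud->pud_groups` before they end up in `uc_ginfo`. If those entries are not translated through the nodemap somewhere outside the visible lines, a client whose primary GID maps normally would still have its supplementary GIDs taken as sent, which is the same class of bypass this commit closes for the squashed case. I would confirm that path and record the answer next to the guard, e.g. `/* TODO: confirm pud_groups entries are nodemap-mapped before use */`. The `if (perm & CFS_SETGRP_PERM)` block continues past the end of the hunk.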
@@ -301,6 +307,8 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
                                                pud->pud_groups);
                        lustre_groups_sort(ucred->uc_ginfo);
                } else {
+                       ucred->uc_suppgids[0] = -1;
+                       ucred->uc_suppgids[1] = -1;
                        ucred->uc_ginfo = NULL;
                }
        } else {
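Review bot: The inner `else` branch now covers two different situations, a client that sent no groups and a client whose GID is squashed, and nothing at the branch says why `uc_suppgids` has to be cleared there. The reset is presumably what stops suppgids filled in earlier in the function from surviving on a squashed identity, so it is security-relevant and easy to delete later as redundant. A comment such as `/* no groups sent, or GID squashed: drop suppgids so they cannot bypass squashing */` above the two assignments would protect it. The same pair of assignments appears as context at the top of the second hunk, and the outer `else` that follows is outside the hunk, so it is worth checking that branch clears them as well.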
index 57311e2..fbdcaae 100755 (executable)
@@ -1541,6 +1541,11 @@ test_16() {
 run_test 16 "test nodemap all_off fileops"
 
 test_17() {
+       if $SHARED_KEY &&
+       [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+               skip "Need MDS >= 2.11.55"
+       fi
+
        nodemap_version_check || return 0
        nodemap_test_setup
 
@@ -1552,6 +1557,11 @@ test_17() {
 run_test 17 "test nodemap trusted_noadmin fileops"
 
 test_18() {
+       if $SHARED_KEY &&
+       [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+               skip "Need MDS >= 2.11.55"
+       fi
+
        nodemap_version_check || return 0
        nodemap_test_setup
 
@@ -1563,6 +1573,11 @@ test_18() {
 run_test 18 "test nodemap mapped_noadmin fileops"
 
 test_19() {
+       if $SHARED_KEY &&
+       [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+               skip "Need MDS >= 2.11.55"
+       fi
+
        nodemap_version_check || return 0
        nodemap_test_setup
 
@@ -1574,6 +1589,11 @@ test_19() {
 run_test 19 "test nodemap trusted_admin fileops"
 
 test_20() {
+       if $SHARED_KEY &&
+       [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+               skip "Need MDS >= 2.11.55"
+       fi
+
        nodemap_version_check || return 0
        nodemap_test_setup
 
@@ -1585,6 +1605,11 @@ test_20() {
 run_test 20 "test nodemap mapped_admin fileops"
 
 test_21() {
+       if $SHARED_KEY &&
+       [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+               skip "Need MDS >= 2.11.55"
+       fi
+
        nodemap_version_check || return 0
        nodemap_test_setup
 
@@ -1607,6 +1632,11 @@ test_21() {
 run_test 21 "test nodemap mapped_trusted_noadmin fileops"
 
 test_22() {
+       if $SHARED_KEY &&
+       [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+               skip "Need MDS >= 2.11.55"
+       fi
+
        nodemap_version_check || return 0
        nodemap_test_setup