LU-8813 gss: allow svcgssd to start without "-k" 25/23925/4
authorAndreas Dilger <andreas.dilger@intel.com>
Wed, 23 Nov 2016 19:55:40 +0000 (12:55 -0700)
committerOleg Drokin <oleg.drokin@intel.com>
Sat, 17 Dec 2016 05:35:13 +0000 (05:35 +0000)
Previous versions of svcgssd did not require the "-k" option when
running in Kerberos mode (the only mode available).  If none of
the -k, -s, or -z options are given for enabling security flavours
then assume "-k" for compatibility reasons.

This will generate a warning before 3.1 is released, at which point
it will turn into an error.

Make the use of -s an error if SSK is not available.

Test-Parameters: trivial testlist=sanity-sec
Signed-off-by: Andreas Dilger <andreas.dilger@intel.com>
Change-Id: I9b7389bbca56d6717f02b21f57da52adc4602971
Reviewed-on: https://review.whamcloud.com/23925
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Andrew Perepechko <andrew.perepechko@seagate.com>
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-by: Jeremy Filizetti <jeremy.filizetti@gmail.com>
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
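--- a/lustre/utils/gss/svcgssd.c
+++ b/lustre/utils/gss/svcgssd.c
@@ -58,6 +58,7 @@
 #include "gss_util.h"
 #include "err_util.h"
 #include "lsupport.h"
+#include "lustre_ver.h"
 
 int null_enabled;
 int krb_enabled;
@@ -192,11 +193,11 @@ usage(FILE *fp, char *progname)
        fprintf(stderr, "-g      - Service MGS\n");
        fprintf(stderr, "-k      - Enable kerberos support\n");
 #ifdef HAVE_OPENSSL_SSK
-       fprintf(stderr, "-s      - Enable shared key support\n");
+       fprintf(stderr, "-s      - Enable shared secret key support\n");
 #endif
        fprintf(stderr, "-z      - Enable gssnull support\n");
 
-       exit(1);
+       exit(fp == stderr);
 }
 
 int
@@ -242,8 +243,9 @@ main(int argc, char *argv[])
 #ifdef HAVE_OPENSSL_SSK
                        sk_enabled = 1;
 #else
-                       printerr(0, "ERROR: Request for sk but service "
-                                "support not enabled\n");
+                       fprintf(stderr, "error: request for SSK but service "
+                               "support not enabled\n");
+                       usage(stderr, argv[0]);
 #endif
                        break;
                case 'z':
@@ -260,6 +262,17 @@ main(int argc, char *argv[])
        else
                progname = argv[0];
 
+       if (!sk_enabled && !krb_enabled && !null_enabled) {
+#if LUSTRE_VERSION_CODE < OBD_OCD_VERSION(3, 0, 53, 0)
+               fprintf(stderr, "warning: no -k, -s, or -z option given, "
+                       "assume -k for backward compatibility\n");
+               krb_enabled = 1;
+#else
+               fprintf(stderr, "error: need one of -k, -s, or -z options\n");
+               usage(stderr, argv[0]);
+
+#endif
+       }
        initerr(progname, verbosity, fg);
 
        /* For kerberos use gss mechanisms but ignore for sk and null */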
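Review bot: The compatibility fallback in the last hunk of main() enables Kerberos implicitly, but the only record of that is an `fprintf(stderr, ...)` issued before `initerr(progname, verbosity, fg)` runs. If svcgssd is started detached from a terminal (not visible here), the warning is likely lost, and operators get no log entry showing that the daemon picked a security flavour on its own. Consider remembering the fallback in a local flag and, after `initerr()`, also reporting it through the logger the file already uses, e.g. `printerr(0, "warning: no -k, -s, or -z option given, assuming -k\n");` (this assumes printerr() writes to the log that initerr() sets up, so confirm that first). main() begins and ends outside the hunks shown.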