LU-13498 sec: fix credentials with nodemap and SSK 40/40140/2
authorSebastien Buisson <sbuisson@ddn.com>
Mon, 5 Oct 2020 12:14:09 +0000 (21:14 +0900)
committerOleg Drokin <green@whamcloud.com>
Mon, 19 Oct 2020 03:13:21 +0000 (03:13 +0000)
When SSK is enabled, credentials are evaluated in new_init_ucred().
In case a nodemap entry is defined with squash UID/GID, it must
prevail over normally mapped UID/GID.

Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I1adfd98759e5b98ec78f0477846e1820fed5d8b3
Reviewed-on: https://review.whamcloud.com/40140
Tested-by: jenkins <devops@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Lai Siyao <lai.siyao@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
lustre/mdt/mdt_lib.c

index 24bc1e8..87c4a61 100644 (file)
@@ -214,9 +214,6 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
                        RETURN(-EACCES);
                }
 
-               ucred->uc_fsuid = nodemap->nm_squash_uid;
-               ucred->uc_fsgid = nodemap->nm_squash_gid;
-               ucred->uc_cap = 0;
                ucred->uc_suppgids[0] = -1;
                ucred->uc_suppgids[1] = -1;
        }
@@ -318,13 +315,20 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
 
        ucred->uc_uid = pud->pud_uid;
        ucred->uc_gid = pud->pud_gid;
-       ucred->uc_fsuid = pud->pud_fsuid;
-       ucred->uc_fsgid = pud->pud_fsgid;
+
+       if (nodemap && ucred->uc_o_uid == nodemap->nm_squash_uid) {
+               ucred->uc_fsuid = nodemap->nm_squash_uid;
+               ucred->uc_fsgid = nodemap->nm_squash_gid;
+               ucred->uc_cap = 0;
+       } else {
+               ucred->uc_fsuid = pud->pud_fsuid;
+               ucred->uc_fsgid = pud->pud_fsgid;
+               ucred->uc_cap = pud->pud_cap;
+       }
 
        /* process root_squash here. */
        mdt_root_squash(info, peernid);
 
-       ucred->uc_cap = pud->pud_cap;
        ucred->uc_valid = UCRED_NEW;
        ucred_set_jobid(info, ucred);
        ucred_set_nid(info, ucred);
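Review bot: The squash decision in `if (nodemap && ucred->uc_o_uid == nodemap->nm_squash_uid)` keys on the UID alone. As far as this hunk shows, a request whose UID is mapped normally but whose GID falls back to the squash GID still takes `pud->pud_fsgid` and `pud->pud_cap` from the else branch; if that case can occur, the GID needs its own test, e.g. `if (nodemap && ucred->uc_o_gid == nodemap->nm_squash_gid) ucred->uc_fsgid = nodemap->nm_squash_gid;`. The equality test is also an inference rather than an explicit "was squashed" flag, so it deserves a comment above the branch such as `/* uc_o_uid equal to nm_squash_uid: nodemap squashed this id, so force squash fsuid/fsgid and drop capabilities */`. Separately, `uc_cap` is now assigned before `mdt_root_squash()` instead of after it, so any capability change made there is no longer overwritten by `pud->pud_cap`; that looks intended but the commit message does not mention it. The body of new_init_ucred() starts and ends outside this hunk, so where `uc_o_uid` is filled in should be confirmed against the full function.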