From: Andreas Dilger <andreas.dilger@intel.com>
Date: Wed, 23 Nov 2016 19:55:40 +0000 (-0700)
Subject: LU-8813 gss: allow svcgssd to start without "-k"
X-Git-Tag: 2.9.51~66
X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=commitdiff_plain;h=faf53524cdb90eee45e9425e529a7a6868679c56;ds=inline

LU-8813 gss: allow svcgssd to start without "-k"

Previous versions of svcgssd did not require the "-k" option when
running in Kerberos mode (the only mode available).  If none of
the -k, -s, or -z options are given for enabling security flavours
then assume "-k" for compatibility reasons.

This will generate a warning before 3.1 is released, at which point
it will turn into an error.

Make the use of -s an error if SSK is not available.

Test-Parameters: trivial testlist=sanity-sec
Signed-off-by: Andreas Dilger <andreas.dilger@intel.com>
Change-Id: I9b7389bbca56d6717f02b21f57da52adc4602971
Reviewed-on: https://review.whamcloud.com/23925
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Andrew Perepechko <andrew.perepechko@seagate.com>
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-by: Jeremy Filizetti <jeremy.filizetti@gmail.com>
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
---

diff --git a/lustre/utils/gss/svcgssd.c b/lustre/utils/gss/svcgssd.c
index 85d1bd7..fbce198 100644
--- a/lustre/utils/gss/svcgssd.c
+++ b/lustre/utils/gss/svcgssd.c
@@ -58,6 +58,7 @@
 #include "gss_util.h"
 #include "err_util.h"
 #include "lsupport.h"
+#include "lustre_ver.h"
 
 int null_enabled;
 int krb_enabled;
@@ -192,11 +193,11 @@ usage(FILE *fp, char *progname)
 	fprintf(stderr, "-g      - Service MGS\n");
 	fprintf(stderr, "-k      - Enable kerberos support\n");
 #ifdef HAVE_OPENSSL_SSK
-	fprintf(stderr, "-s      - Enable shared key support\n");
+	fprintf(stderr, "-s      - Enable shared secret key support\n");
 #endif
 	fprintf(stderr, "-z      - Enable gssnull support\n");
 
-	exit(1);
+	exit(fp == stderr);
 }
 
 int
@@ -242,8 +243,9 @@ main(int argc, char *argv[])
 #ifdef HAVE_OPENSSL_SSK
 			sk_enabled = 1;
 #else
-			printerr(0, "ERROR: Request for sk but service "
-				 "support not enabled\n");
+			fprintf(stderr, "error: request for SSK but service "
+				"support not enabled\n");
+			usage(stderr, argv[0]);
 #endif
 			break;
 		case 'z':
@@ -260,6 +262,17 @@ main(int argc, char *argv[])
 	else
 		progname = argv[0];
 
+	if (!sk_enabled && !krb_enabled && !null_enabled) {
+#if LUSTRE_VERSION_CODE < OBD_OCD_VERSION(3, 0, 53, 0)
+		fprintf(stderr, "warning: no -k, -s, or -z option given, "
+			"assume -k for backward compatibility\n");
+		krb_enabled = 1;
+#else
+		fprintf(stderr, "error: need one of -k, -s, or -z options\n");
+		usage(stderr, argv[0]);
+
+#endif
+	}
 	initerr(progname, verbosity, fg);
 
 	/* For kerberos use gss mechanisms but ignore for sk and null */