git://git.whamcloud.com - fs/lustre-release.git/commit

EX-4333 sec: support supplementary groups from client

The usual way to support more than 2 supplementary groups is to
resort to the server side's identity upcall. This identity upcall
retrieves all user's credentials, including all supplementary groups,
and stores them in cache. But this access to user's credentials from
server side is not always an option.

As an alternative to the server side's identity upcall, we implement
a retry mechanism for intent locking. The client can provide at most
2 supplementary groups in the request sent to the MDS, but sometimes
it does not know which ones are useful for credentials calculation on
server side. For instance in case of lookup, the client does not have
the child inode yet when it sends the intent lock request.
Hopefully, the server can hint at the useful groups, by putting in the
request reply the target inode's GID, and also its ACL. So, in case
the server replies -EACCES, we check the user's credentials against
those, and try again the intent lock request if we find a matching
supplementary group.

On server side, we add a new identity_upcall value named "INTERNAL".
It implements a particular behavior which does not involve an actual
upcall, but instead the cache is filled with supplementary groups read
from the client request, cumulatively at each request.

A problem with the 'runas' utility was found during testing. If no
supplementary group is provided via the '-G' option, then it needs at
least to set the given GID as a supplementary group. Otherwise the
supplementary groups of the invoking user would be silently inherited.
For instance, if root user calls 'runas -u 500 -g 500 $CMD', we must
not execute $CMD with UID:GID 500:500 and supplementary group 0, as
it would make the user executing $CMD part of the superuser group.

Test-Parameters: testgroup=review-dne-part-1 env=L_GETIDENTITY=INTERNAL
Test-Parameters: testgroup=review-dne-part-2 env=L_GETIDENTITY=INTERNAL
Test-Parameters: testgroup=review-dne-selinux-ssk-part-1 env=L_GETIDENTITY=INTERNAL
Test-Parameters: testgroup=review-dne-selinux-ssk-part-2 env=L_GETIDENTITY=INTERNAL
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I4608bb766a70ca12a2142a0e2687813f3a4b9100
Reviewed-on: https://review.whamcloud.com/46493
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Lai Siyao <lai.siyao@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>

author	Sebastien Buisson <sbuisson@ddn.com>
	Thu, 10 Feb 2022 16:14:02 +0000 (17:14 +0100)
committer	Andreas Dilger <adilger@whamcloud.com>
	Thu, 31 Mar 2022 06:37:08 +0000 (06:37 +0000)
commit	fb0082bba13ea2fc4c9ad780db8968bb086c6061
tree	4fd65fa39e619811359b574a1379efc15f050e35	tree \| snapshot
parent	04e176650a0ce911d2814110791dfd96928299b7	commit \| diff

lustre/include/lustre_idmap.h		diff \| blob \| history
lustre/llite/file.c		diff \| blob \| history
lustre/llite/llite_internal.h		diff \| blob \| history
lustre/llite/namei.c		diff \| blob \| history
lustre/llite/xattr_cache.c		diff \| blob \| history
lustre/mdt/mdt_identity.c		diff \| blob \| history
lustre/mdt/mdt_internal.h		diff \| blob \| history
lustre/mdt/mdt_lib.c		diff \| blob \| history
lustre/obdclass/idmap.c		diff \| blob \| history
lustre/obdclass/upcall_cache.c		diff \| blob \| history
lustre/tests/runas.c		diff \| blob \| history
lustre/tests/sanity-pcc.sh		diff \| blob \| history
lustre/tests/test-framework.sh		diff \| blob \| history