LU-17930 gss: node principal expectations 92/55392/4
authorSebastien Buisson <sbuisson@ddn.com>
Tue, 11 Jun 2024 10:40:26 +0000 (12:40 +0200)
committerOleg Drokin <green@whamcloud.com>
Tue, 25 Jun 2024 03:31:51 +0000 (03:31 +0000)
When a credentials cache exists for Kerberos, lgss_keyring looks into
it to find a valid entry. The cache's principal must match the
expected role for the GSS request being processed:
- LGSS_ROOT_CRED_MDT: expect "lustre_mds" principal;
- LGSS_ROOT_CRED_OST: expect "lustre_oss" principal;
- LGSS_ROOT_CRED_ROOT: expect "lustre_root" or "host" principal.
There is also the special case of the GSS request on the MGC, for which
by convention all 3 roles apply at the same time.

Test-Parameters: trivial
Test-Parameters: kerberos=true testlist=sanity-krb5
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I4c46b03bb012c5f56bd26efdfaa6dab5fc7de31a
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/55392
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Aurelien Degremont <adegremont@nvidia.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
lustre/utils/gss/lgss_krb5_utils.c

index bf58d17..5af8e6f 100644 (file)
@@ -233,7 +233,7 @@ static int lkrb5_cc_check_tgt_princ(krb5_context ctx,
                             unsigned int flag,
                             uint64_t self_nid)
 {
-       const char     *princ_name;
+       unsigned int cred_type = 0;
 
        logmsg(LL_DEBUG, "principal: realm %.*s, type %d, size %d, name %.*s\n",
               krb5_princ_realm(ctx, princ)->length,
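Review bot: The new declaration `unsigned int cred_type = 0;` relies on 0 meaning "principal name not mapped to any role", so that the later `flag & cred_type` test fails for every request flag and the unrecognized principal is rejected, but nothing at the declaration says so. Since a reader of this hunk only sees a zero initializer replacing the old `princ_name` pointer, a one-line comment would make the sentinel explicit: `unsigned int cred_type = 0; /* 0: principal matches no LGSS_ROOT_CRED_* role */`. The body of lkrb5_cc_check_tgt_princ starts before and continues past this hunk, and the code that assigns and tests cred_type lives in the following hunk.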
@@ -259,23 +259,49 @@ static int lkrb5_cc_check_tgt_princ(krb5_context ctx,
                return -1;
        }
 
-       /* check principal name, give priority to MDT/OST cred over ROOT */
-       if (flag & LGSS_ROOT_CRED_MDT)
-               princ_name = LGSS_SVC_MDS_STR;
-       else if (flag & LGSS_ROOT_CRED_OST)
-               princ_name = LGSS_SVC_OSS_STR;
-       else if (flag & LGSS_ROOT_CRED_ROOT)
-               princ_name = LGSS_USR_ROOT_STR;
-       else
-               return -1;
-
-       if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ), princ_name) &&
-           (strcmp(princ_name, LGSS_USR_ROOT_STR) ||
-           lgss_krb5_strcmp(krb5_princ_name(ctx, princ), LGSS_SVC_HOST_STR))) {
-               logmsg(LL_WARN, "%.*s: we expect %s instead\n",
+       /* check principal name against flag for cred type */
+       if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ),
+                            LGSS_SVC_HOST_STR) == 0 ||
+           lgss_krb5_strcmp(krb5_princ_name(ctx, princ),
+                            LGSS_USR_ROOT_STR) == 0)
+               cred_type = LGSS_ROOT_CRED_ROOT;
+       else if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ),
+                                 LGSS_SVC_MGS_STR) == 0)
+               cred_type = LGSS_ROOT_CRED_ROOT |
+                            LGSS_ROOT_CRED_MDT |
+                            LGSS_ROOT_CRED_OST;
+       else if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ),
+                                 LGSS_SVC_MDS_STR) == 0)
+               cred_type = LGSS_ROOT_CRED_MDT;
+       else if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ),
+                                 LGSS_SVC_OSS_STR) == 0)
+               cred_type = LGSS_ROOT_CRED_OST;
+
+       if (!(flag & cred_type)) {
+               char wanted[50];
+               char *buf = wanted;
+
+               if (flag & LGSS_ROOT_CRED_MDT)
+                       buf += snprintf(buf, sizeof(wanted) - (buf - wanted),
+                                       "%s", LGSS_SVC_MDS_STR);
+               if (flag & LGSS_ROOT_CRED_OST)
+                       buf += snprintf(buf, sizeof(wanted) - (buf - wanted),
+                                       "%s%s",
+                                      buf == wanted ? "" : ",",
+                                      LGSS_SVC_OSS_STR);
+               if (flag & LGSS_ROOT_CRED_ROOT) {
+                       buf += snprintf(buf, sizeof(wanted) - (buf - wanted),
+                                       "%s%s",
+                                       buf == wanted ? "" : ",",
+                                       LGSS_USR_ROOT_STR);
+                       snprintf(buf, sizeof(wanted) - (buf - wanted), ",%s",
+                                LGSS_SVC_HOST_STR);
+               }
+               logmsg(LL_WARN,
+                      "Found in cc principal %.*s, but expecting one of %s instead\n",
                       krb5_princ_name(ctx, princ)->length,
                       krb5_princ_name(ctx, princ)->data,
-                      princ_name);
+                      wanted);
                return -1;
        }