From: Sebastien Buisson <sbuisson@ddn.com>
Date: Mon, 5 Oct 2020 12:14:09 +0000 (+0900)
Subject: LU-13498 sec: fix credentials with nodemap and SSK
X-Git-Tag: 2.13.57~139
X-Git-Url: https://git.whamcloud.com/gitweb?a=commitdiff_plain;h=2bf6442d7d9bd452153e6b1ea08ddaae3dfb3716;p=fs%2Flustre-release.git

LU-13498 sec: fix credentials with nodemap and SSK

When SSK is enabled, credentials are evaluated in new_init_ucred().
In case a nodemap entry is defined with squash UID/GID, it must
prevail over normally mapped UID/GID.

Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I1adfd98759e5b98ec78f0477846e1820fed5d8b3
Reviewed-on: https://review.whamcloud.com/40140
Tested-by: jenkins <devops@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Lai Siyao <lai.siyao@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
---

diff --git a/lustre/mdt/mdt_lib.c b/lustre/mdt/mdt_lib.c
index 24bc1e8..87c4a61 100644
--- a/lustre/mdt/mdt_lib.c
+++ b/lustre/mdt/mdt_lib.c
@@ -214,9 +214,6 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
 			RETURN(-EACCES);
 		}
 
-		ucred->uc_fsuid = nodemap->nm_squash_uid;
-		ucred->uc_fsgid = nodemap->nm_squash_gid;
-		ucred->uc_cap = 0;
 		ucred->uc_suppgids[0] = -1;
 		ucred->uc_suppgids[1] = -1;
 	}
@@ -318,13 +315,20 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
 
 	ucred->uc_uid = pud->pud_uid;
 	ucred->uc_gid = pud->pud_gid;
-	ucred->uc_fsuid = pud->pud_fsuid;
-	ucred->uc_fsgid = pud->pud_fsgid;
+
+	if (nodemap && ucred->uc_o_uid == nodemap->nm_squash_uid) {
+		ucred->uc_fsuid = nodemap->nm_squash_uid;
+		ucred->uc_fsgid = nodemap->nm_squash_gid;
+		ucred->uc_cap = 0;
+	} else {
+		ucred->uc_fsuid = pud->pud_fsuid;
+		ucred->uc_fsgid = pud->pud_fsgid;
+		ucred->uc_cap = pud->pud_cap;
+	}
 
 	/* process root_squash here. */
 	mdt_root_squash(info, peernid);
 
-	ucred->uc_cap = pud->pud_cap;
 	ucred->uc_valid = UCRED_NEW;
 	ucred_set_jobid(info, ucred);
 	ucred_set_nid(info, ucred);