From 1335eb1d599ceb6423de6800e0995614cdb37bd8 Mon Sep 17 00:00:00 2001 From: Sebastien Buisson Date: Thu, 5 Jan 2023 15:06:39 +0100 Subject: [PATCH] LU-16445 sec: make nodemap root squash independent of map_mode When the admin property is set to 0 on a nodemap, the root user must be squashed, even if the map_mode property specifies to not map uids or gids. Enhance sanity-sec test_17 to exercise this use case. Signed-off-by: Sebastien Buisson Change-Id: I1b41caa1ccc6e544ce9fac45b47d0c4c129221f7 Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/49561 Tested-by: jenkins Tested-by: Maloo Reviewed-by: Andreas Dilger Reviewed-by: Etienne AUJAMES Reviewed-by: Oleg Drokin --- lustre/ptlrpc/nodemap_handler.c | 13 ++++++------- lustre/tests/sanity-sec.sh | 9 +++++++++ 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/lustre/ptlrpc/nodemap_handler.c b/lustre/ptlrpc/nodemap_handler.c index ec1008a..58f1046 100644 --- a/lustre/ptlrpc/nodemap_handler.c +++ b/lustre/ptlrpc/nodemap_handler.c @@ -669,6 +669,12 @@ __u32 nodemap_map_id(struct lu_nodemap *nodemap, if (unlikely(nodemap == NULL)) goto out; + if (id == 0) { + if (nodemap->nmf_allow_root_access) + goto out; + goto squash; + } + if (id_type == NODEMAP_UID && !(nodemap->nmf_map_mode & NODEMAP_MAP_UID)) goto out; @@ -681,13 +687,6 @@ __u32 nodemap_map_id(struct lu_nodemap *nodemap, !(nodemap->nmf_map_mode & NODEMAP_MAP_PROJID)) goto out; - if (id == 0) { - if (nodemap->nmf_allow_root_access) - goto out; - else - goto squash; - } - if (nodemap->nmf_trust_client_ids) goto out; diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh index b0e74db..ad53adb 100755 --- a/lustre/tests/sanity-sec.sh +++ b/lustre/tests/sanity-sec.sh @@ -1576,6 +1576,9 @@ test_17() { [ "$MDS1_VERSION" -lt $(version_code 2.11.55) ]; then skip "Need MDS >= 2.11.55" fi + local check_proj=true + + (( $MDS1_VERSION >= $(version_code 2.14.52) )) || check_proj=false nodemap_version_check || return 0 nodemap_test_setup 
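Review bot: The `if (id == 0)` test added ahead of the `id_type` / `nmf_map_mode` checks in `nodemap_map_id` is not restricted to `NODEMAP_UID`, so with `nmf_allow_root_access` unset it now sends GID 0 and project ID 0 to `squash` even when map_mode excludes that id type. The commit message speaks only of the root user, so it is worth confirming that squashing projid 0 under a uid/gid-only map_mode is intended. If it is, say so above the new block, e.g. `/* admin=0 squashes id 0 of every id_type, independent of map_mode */`. The same comment should note that the ordering is the access-control guarantee: any check that returns through `out` has to stay below this one, or root squash again depends on map_mode. The function starts and ends outside the hunk, so the `squash` and `out` paths are not visible here.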
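Review bot: The `2.14.52` threshold that sets `check_proj` in `test_17` has no comment, and it appears to gate on availability of the projid map_mode rather than on the server carrying the `nodemap_map_id` reordering. In an interop run against an MDS that is at least 2.14.52 but lacks this change, the new squash expectation would presumably fail for a reason unrelated to the client under test. A short comment such as `# map_mode=projid needs MDS >= 2.14.52` would document the gate, and a second gate on the release that carries this fix would keep the test from reporting false failures. The body of `test_17` continues outside the hunk.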
@@ -1583,6 +1586,12 @@ test_17() { trap nodemap_test_cleanup EXIT nodemap_clients_admin_trusted 0 1 test_fops trusted_noadmin 1 + if $check_proj; then + do_facet mgs $LCTL nodemap_modify --name c0 \ + --property map_mode --value projid + wait_nm_sync c0 map_mode + fi + test_fops trusted_noadmin 1 nodemap_test_cleanup } run_test 17 "test nodemap trusted_noadmin fileops" -- 1.8.3.1
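Review bot: The second `test_fops trusted_noadmin 1` sits after `fi`, so when `check_proj` is false it reruns the first call with identical nodemap settings and never exercises the new squash path, yet the test still reports a pass. Moving that line inside the `if $check_proj; then` block, after `wait_nm_sync c0 map_mode`, keeps a pass tied to the case the commit describes. The hunk also leaves map_mode at `projid` and relies on `nodemap_test_cleanup` to undo it. That helper is not visible here, so confirm that it resets the property or removes nodemap `c0`.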