'Re: [lustre-discuss] Disable identity_upcall and ACL'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       lustre-discuss
Subject:    Re: [lustre-discuss] Disable identity_upcall and ACL
From:       "Degremont, Aurelien" <degremoa () amazon ! com>
Date:       2019-01-15 21:22:44
Message-ID: 2DB3AFB6-6027-4EEE-9304-1F54FDC167DE () amazon ! com
[Download RAW message or body]

Thanks for the clarifications.

AurÃ©lien

ï»¿Le 14/01/2019 01:36,  « Andreas Dilger  » <adilger@whamcloud.com> a Ã©crit :

    On Jan 10, 2019, at 04:52, Degremont, Aurelien <degremoa@amazon.com> wrote:
    > 
    > 
    > Le 09/01/2019 21:39,  « Andreas Dilger  » <adilger@whamcloud.com> a Ã©crit :
    > 
    >> If admins completely trust the client nodes (e.g. they are on a secure
    >> network) or they completely _distrust_ them (e.g. subdirectory mounts
    >> with nodemaps/idmaps and Kerberos/SSK to identify them), or the data
    >> just isn't that secret, then allowing the client to handle the group
    >> lookups instead of the MDS is mostly OK.  
    >> 
    >> The main issue is for new, uncached lookups from the client.  Since the
    >> RPC only includes the UID, GID, and maybe one supplementary GID, it is
    >> possible that the MDS (without the identity_upcall) may deny the lookup
    >> because the request does not contain any IDs that would allow file access.
    > 
    > According to struct mdt_body there is room for only one suppgid.
    > But the value is not always packed in mdc, depending on the call.
    > So that means that hopefully between 0 and 1 supplementary group will be passed \
to MDT, if I read the code correctly.  > 
    >> I guess the other question is why you are interested to get rid of it,
    >> or what issue you are seeing with it enabled?
    > 
    > If identity_upcall is enabled, you need an up to date group database available \
on MDS.  This is not always the case. I'm trusting the clients in this case. I would \
be interesting in having the MDT doing no credential checks and letting the clients \
(VFS) do all the validations. MDT is already trusting client when it is sending uid \
and gid.  > 
    > So, coming back to my original question, the ACL warning message in MDT is not \
really limited to ACL but more generally to any supplementary groups checks. Some \
accesses could be denied if they rely on supplementary groups (likely not the first \
one) and could be wrongly granted or denied if based on ACL. Correct?  
    Correct.
    
    > Permission checks for primary uid/gid is always correct, whatever \
identity_upcall value?  
    Yes, definitely.  If the client "knows" the right suppgid then it will send it to \
the MDS as well, but otherwise it just picks the first one.  
    Cheers, Andreas
    ---
    Andreas Dilger
    Principal Lustre Architect
    Whamcloud
    
    
    
    
    
    
    
    

_______________________________________________
lustre-discuss mailing list
lustre-discuss@lists.lustre.org
http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic