[prev in list] [next in list] [prev in thread] [next in thread]
List: lustre-discuss
Subject: Re: [lustre-discuss] Disable identity_upcall and ACL
From: "Degremont, Aurelien" <degremoa () amazon ! com>
Date: 2019-01-15 21:22:44
Message-ID: 2DB3AFB6-6027-4EEE-9304-1F54FDC167DE () amazon ! com
[Download RAW message or body]
Thanks for the clarifications.
Aurélien
Le 14/01/2019 01:36, « Andreas Dilger » <adilger@whamcloud.com> a écrit :
On Jan 10, 2019, at 04:52, Degremont, Aurelien <degremoa@amazon.com> wrote:
>
>
> Le 09/01/2019 21:39, « Andreas Dilger » <adilger@whamcloud.com> a écrit :
>
>> If admins completely trust the client nodes (e.g. they are on a secure
>> network) or they completely _distrust_ them (e.g. subdirectory mounts
>> with nodemaps/idmaps and Kerberos/SSK to identify them), or the data
>> just isn't that secret, then allowing the client to handle the group
>> lookups instead of the MDS is mostly OK.
>>
>> The main issue is for new, uncached lookups from the client. Since the
>> RPC only includes the UID, GID, and maybe one supplementary GID, it is
>> possible that the MDS (without the identity_upcall) may deny the lookup
>> because the request does not contain any IDs that would allow file access.
>
> According to struct mdt_body there is room for only one suppgid.
> But the value is not always packed in mdc, depending on the call.
> So that means that hopefully between 0 and 1 supplementary group will be passed \
to MDT, if I read the code correctly. >
>> I guess the other question is why you are interested to get rid of it,
>> or what issue you are seeing with it enabled?
>
> If identity_upcall is enabled, you need an up to date group database available \
on MDS. This is not always the case. I'm trusting the clients in this case. I would \
be interesting in having the MDT doing no credential checks and letting the clients \
(VFS) do all the validations. MDT is already trusting client when it is sending uid \
and gid. >
> So, coming back to my original question, the ACL warning message in MDT is not \
really limited to ACL but more generally to any supplementary groups checks. Some \
accesses could be denied if they rely on supplementary groups (likely not the first \
one) and could be wrongly granted or denied if based on ACL. Correct?
Correct.
> Permission checks for primary uid/gid is always correct, whatever \
identity_upcall value?
Yes, definitely. If the client "knows" the right suppgid then it will send it to \
the MDS as well, but otherwise it just picks the first one.
Cheers, Andreas
---
Andreas Dilger
Principal Lustre Architect
Whamcloud
_______________________________________________
lustre-discuss mailing list
lustre-discuss@lists.lustre.org
http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic