[lustre-discuss] Disable identity_upcall and ACL

Degremont, Aurelien degremoa at amazon.com
Thu Jan 10 04:52:06 PST 2019

On 09/01/2019 21:39, "Andreas Dilger" <adilger at whamcloud.com> wrote:
    If admins completely trust the client nodes (e.g. they are on a secure
    network) or they completely _distrust_ them (e.g. subdirectory mounts
    with nodemaps/idmaps and Kerberos/SSK to identify them), or the data
    just isn't that secret, then allowing the client to handle the group
    lookups instead of the MDS is mostly OK.  
    The main issue is for new, uncached lookups from the client.  Since the
    RPC only includes the UID, GID, and maybe one supplementary GID, it is
    possible that the MDS (without the identity_upcall) may deny the lookup
    because the request does not contain any IDs that would allow file access.

According to struct mdt_body there is room for only one suppgid.
But the value is not always packed in mdc, depending on the call.
So that means that hopefully between 0 and 1 supplementary group will be passed to MDT, if I read the code correctly.

    I guess the other question is why you are interested in getting rid of it, or
    what issue you are seeing with it enabled?

If identity_upcall is enabled, you need an up-to-date group database available on the MDS.
This is not always the case. I'm trusting the clients in this case. I would be interested in having the MDT do no credential checks and letting the clients (VFS) do all the validations. The MDT is already trusting the client when it is sending uid and gid.

So, coming back to my original question, the ACL warning message in MDT is not really limited to ACL but applies more generally to any supplementary group checks. Some accesses could be denied if they rely on supplementary groups (likely not the first one) and could be wrongly granted or denied if based on ACL. Correct?
Permission checks for primary uid/gid are always correct, whatever the identity_upcall value?
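
Added example, not part of the original message and not Lustre code: a simplified model of POSIX mode/ACL group evaluation, showing how a server that sees only the primary GID plus at most one supplementary GID can decide differently from a client that knows the full group list. The UID, the GIDs, the `sent_suppgid` parameter and both sample inodes are constructed, and the ACL mask is left out.

```python
# Simplified model of POSIX mode/ACL group evaluation (ACL mask omitted).
# Illustration only; this is not how Lustre implements its checks.
from dataclasses import dataclass, field

@dataclass
class Inode:
    owner: int
    group: int
    owner_perm: int   # rwx bits, e.g. 0o7
    group_perm: int
    other_perm: int
    named_groups: dict = field(default_factory=dict)  # ACL "group:GID" entries

def permitted(inode, uid, groups, want):
    """True if the `want` bits are granted to `uid` holding group set `groups`."""
    if uid == inode.owner:
        return (inode.owner_perm & want) == want
    entries = {inode.group: inode.group_perm, **inode.named_groups}
    matched = [perm for gid, perm in entries.items() if gid in groups]
    if matched:
        # Any matching group entry may grant. If none grants, access is
        # denied and the "other" bits are never consulted.
        return any((perm & want) == want for perm in matched)
    return (inode.other_perm & want) == want

R = 0o4
# Constructed sample identity: primary GID 1000, supplementary 2000 and 3000.
UID, GID, CLIENT_GROUPS = 1000, 1000, [1000, 2000, 3000]

def decisions(inode, sent_suppgid=2000):
    """Return (client_decision, server_decision) for a read request.

    The server is assumed to have no group database and to see only the
    primary GID plus the single supplementary GID carried in the request
    (hypothetical parameter `sent_suppgid`, or None if none was packed).
    """
    server_groups = {GID} if sent_suppgid is None else {GID, sent_suppgid}
    return (permitted(inode, UID, CLIENT_GROUPS, R),
            permitted(inode, UID, server_groups, R))

# Access depends on a supplementary group the request did not carry.
project_dir = Inode(owner=0, group=3000, owner_perm=0o7, group_perm=0o5, other_perm=0o0)
# World-readable file with a restrictive ACL entry "group:3000:---".
restricted = Inode(owner=0, group=0, owner_perm=0o7, group_perm=0o0,
                   other_perm=0o4, named_groups={3000: 0o0})

if __name__ == "__main__":
    print("project_dir (client, server):", decisions(project_dir))
    print("restricted  (client, server):", decisions(restricted))
```
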


