[lustre-discuss] Disable identity_upcall and ACL

Andreas Dilger adilger at whamcloud.com
Sun Jan 13 22:35:54 PST 2019


On Jan 10, 2019, at 04:52, Degremont, Aurelien <degremoa at amazon.com> wrote:
> 
> 
> On 09/01/2019 21:39, "Andreas Dilger" <adilger at whamcloud.com> wrote:
> 
>> If admins completely trust the client nodes (e.g. they are on a secure
>> network) or they completely _distrust_ them (e.g. subdirectory mounts
>> with nodemaps/idmaps and Kerberos/SSK to identify them), or the data
>> just isn't that secret, then allowing the client to handle the group
>> lookups instead of the MDS is mostly OK.  
>> 
>> The main issue is for new, uncached lookups from the client.  Since the
>> RPC only includes the UID, GID, and maybe one supplementary GID, it is
>> possible that the MDS (without the identity_upcall) may deny the lookup
>> because the request does not contain any IDs that would allow file access.
> 
> According to struct mdt_body there is room for only one suppgid.
> But the value is not always packed in mdc, depending on the call.
> So that means that hopefully between 0 and 1 supplementary group will be passed to MDT, if I read the code correctly.
> 
>> I guess the other question is why you are interested to get rid of it,
>> or what issue you are seeing with it enabled?
> 
> If identity_upcall is enabled, you need an up-to-date group database available on the MDS.  This is not always the case. I'm trusting the clients in this case. I would be interested in having the MDT do no credential checks and letting the clients (VFS) do all the validations. The MDT is already trusting the client when it sends uid and gid.
> 
> So, coming back to my original question, the ACL warning message in MDT is not really limited to ACL but more generally to any supplementary groups checks. Some accesses could be denied if they rely on supplementary groups (likely not the first one) and could be wrongly granted or denied if based on ACL. Correct?

Correct.

> Permission checks for primary uid/gid are always correct, whatever the identity_upcall value?

Yes, definitely.  If the client "knows" the right suppgid then it will send it to the MDS as well, but otherwise it just picks the first one.

Cheers, Andreas
---
Andreas Dilger
Principal Lustre Architect
Whamcloud
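The trade-off described in this thread, as an added illustration that is not Lustre code and not part of the original message: a small model of the MDS owner/group/other check that compares the groups the MDS sees with identity_upcall (full group database) against the groups it sees without it (only the primary GID plus the single suppgid that fits in mdt_body). The group database, UIDs, GIDs and file modes are constructed sample values.

```python
"""Model of the MDS permission check discussed in the thread (constructed, not Lustre code)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    uid: int
    gid: int
    suppgid: Optional[int] = None  # mdt_body has room for at most one supplementary GID

@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # POSIX mode bits, e.g. 0o640

# Constructed group database, as the MDS would resolve it with identity_upcall enabled.
GROUP_DB = {1000: {100, 2000, 3000}}

def effective_groups(req: Request, identity_upcall: bool) -> set:
    """Groups the MDS can credit the caller with under each configuration."""
    if identity_upcall:
        return {req.gid} | GROUP_DB.get(req.uid, set())
    groups = {req.gid}
    if req.suppgid is not None:  # the client may pack one suppgid, often just the first one
        groups.add(req.suppgid)
    return groups

def mds_permits(req: Request, inode: Inode, want: int, identity_upcall: bool) -> bool:
    """Classic owner/group/other check; 'want' is a bitmask (4=read, 2=write, 1=exec)."""
    if req.uid == inode.uid:
        bits = (inode.mode >> 6) & 7          # owner class: never depends on group lookup
    elif inode.gid in effective_groups(req, identity_upcall):
        bits = (inode.mode >> 3) & 7          # group class: this is where suppgids matter
    else:
        bits = inode.mode & 7
    return bits & want == want

def audit(req: Request, inode: Inode, want: int) -> tuple:
    """Return (with_upcall, without_upcall) so an admin can see which accesses would flip."""
    return (mds_permits(req, inode, want, True), mds_permits(req, inode, want, False))

if __name__ == "__main__":
    # Client packs only the first supplementary group (2000); the file belongs to 3000.
    req = Request(uid=1000, gid=100, suppgid=2000)
    print(audit(req, Inode(uid=42, gid=3000, mode=0o640), 4))  # (True, False): denied without upcall
    print(audit(req, Inode(uid=42, gid=2000, mode=0o640), 4))  # (True, True): packed suppgid suffices
    print(audit(req, Inode(uid=1000, gid=9, mode=0o600), 6))   # (True, True): owner check unaffected
```

Accesses that rely on the primary uid/gid, or on the one suppgid the client happens to pack, come out the same either way; only the third-group case flips, which matches the reply above.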