reef: mds/client: check the cephx mds auth access in client side#54468
Merged
jenkins retest this please
This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved
Rebased it.
batrick requested changes Mar 26, 2024
Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit 5b6634c)
Will send this to clients. Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit 53caf31)
Need to add writeable/readable members and send them back to clients. Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit 6e4a644)
It will include the uid/gids and path in each cap_auth. Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit 213a27a)
Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit c1cbb9a) Conflicts: src/mds/MDSAuthCaps.h: missed dependency commit 23f1fdb ("AuthMonitor: allow "fs authorize" to update caps")
Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit 27f73a9)
Make it easier to debug when searching the debug logs. Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit fa687be)
Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit 429aafb)
Will use this to get the path string to do the mds auth check. It may fail when there is no dentry in the local cache, which could be caused by unlinking the last dentry while the inode is kept open and then trying to change the mode. Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit fd7aaab)
Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit 01a9398) Conflicts: src/client/Client.cc: conflict with commit 997b917 ("client: always refresh mds feature bits on session open")
If we couldn't get the absolute path string we need to force it to do the sync setattr. Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit c1bf8d8)
This feature bit could be used to distinguish old and new clients. Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit b2046fc)
Since the setattr will check the cephx mds auth access before buffering the changes, it makes no sense any more to let the cap update check the access in the MDS again. Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit f474203) Conflicts: src/client/Client.cc: missed dependency commit a8d0158 ("Client/Inode: wait_for_caps fixups")
Before opening the file locally we need to check the cephx access. Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit ce21659)
as it's too late. Session access authorization already happens before new caps are issued. Fixes: https://tracker.ceph.com/issues/56067 Signed-off-by: Ramana Raja <rraja@redhat.com> (cherry picked from commit 96305b5)
... MDS auth caps but don't have CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK feature bit (i.e., can't check the auth caps sent back to it by the MDS) from establishing a session. Do this in Server::handle_client_session(), and Server::handle_client_reconnect(), where old clients try to reconnect to MDS servers after an upgrade. If the client doesn't have the ability to authorize session access based on the MDS auth caps sent back to it by the MDS, then the client may buffer changes locally during open and setattr operations when it's not supposed to, e.g., when enforcing root_squash MDS auth caps. Fixes: https://tracker.ceph.com/issues/56067 Signed-off-by: Ramana Raja <rraja@redhat.com> (cherry picked from commit e64931b)
The test.cc will be included in ceph_test_libcephfs, no need to include it to access. Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit 77ac100)
Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit 4af6a3f)
1df81f6 to 8245071
Test the 'chown' and 'truncate', which will call the setattr, and 'cat', which will open the files. Before each test, open the file as a non-root user and keep it open to make sure the Fxw caps are issued, and then use 'sudo' to do the tests, which will set the uid/gid to 0/0. Fixes: https://tracker.ceph.com/issues/57154 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit 28023f8) Conflicts: qa/tasks/cephfs/caps_helper.py: missed dependency commit f0ffade ("qa/cephfs/cap_tester: simplify CapTester and its instantiation")
…6067 A kernel CephFS client with MDS root_squash caps is able to write to a file as non-root user. However, the data written is lost after clearing the kernel client cache, or re-mounting the client. This issue is not observed with a FUSE CephFS client. Signed-off-by: Ramana Raja <rraja@redhat.com> (cherry picked from commit c8bae07)
kclient doesn't have CEPHFS_FEATURE_MDS_AUTH_CAPS required to enforce root_squash. Run root_squash tests only for FUSE client. Signed-off-by: Ramana Raja <rraja@redhat.com> (cherry picked from commit a040446)
The mountpoint's root ino# may not be the full CephFS filesystem root; it's just the mountpoint of this particular client. Just prepend the mountpoint path to the full path. Introduced-by: c1bf8d8 client: check the cephx mds auth access for setattr Introduced-by: ce21659 client: check the cephx mds auth access for open Fixes: ceph#48027 (comment) Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit e46dc20)
Just in case we cannot link all the way to our mount point, we will force sync requests instead and let the MDS do the auth access check. Introduced-by: fd7aaab client: add make_path_string() helpers support Fixes: ceph#48027 (comment) Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit c7bc452)
Fixes: https://tracker.ceph.com/issues/63364 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit 188aed9)
Update the oldest_client_tid via the session renew caps msg to make sure that the MDSs won't pile up the completed request list in a very large size. Fixes: https://tracker.ceph.com/issues/63364 Signed-off-by: Xiubo Li <xiubli@redhat.com> (cherry picked from commit 0cff6d5)
batrick approved these changes Mar 27, 2024
backport tracker: https://tracker.ceph.com/issues/62952
backport of #48027 and #53887
parent tracker: https://tracker.ceph.com/issues/57154
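
The commits above describe three decisions: a client-side access check before buffering a setattr or opening a file, a fallback to a sync request when the absolute path cannot be built, and an MDS-side refusal of sessions from clients that hold root_squash caps but lack the auth-caps-check feature bit. The sketch below is an added example that models those decisions; it is not code from this pull request or from Ceph, and `CapAuth`, `check_write`, `may_open_session` and the cap semantics shown are simplified assumptions.

```cpp
#include <string>
#include <vector>

// Simplified model of one MDS auth cap as sent to the client (not Ceph's types).
struct CapAuth {
  std::string path;   // subtree the cap covers, no trailing '/'; "" = whole fs
  long uid;           // uid the cap is limited to, -1 = any uid
  bool readable;
  bool writeable;
  bool root_squash;   // cap does not grant writes to uid 0 / gid 0
};

enum class Decision { AllowLocal, Deny, SyncToMds };

// True when `path` is `prefix` itself or lies below it on a '/' boundary,
// so a cap on "/vol" does not match "/volume/f".
static bool in_subtree(const std::string& prefix, const std::string& path) {
  if (prefix.empty() || prefix == "/") return true;
  if (path.compare(0, prefix.size(), prefix) != 0) return false;
  return path.size() == prefix.size() || path[prefix.size()] == '/';
}

// Client-side check before buffering a setattr or opening for write.
// abs_path == nullptr models "could not build the absolute path": the client
// makes no local decision and sends a sync request so the MDS checks access.
Decision check_write(const std::vector<CapAuth>& caps,
                     const std::string* abs_path, long uid, long gid) {
  if (abs_path == nullptr) return Decision::SyncToMds;
  for (const CapAuth& c : caps) {
    if (!in_subtree(c.path, *abs_path)) continue;
    if (c.uid != -1 && c.uid != uid) continue;
    if (!c.writeable) continue;
    if (c.root_squash && (uid == 0 || gid == 0)) continue;
    return Decision::AllowLocal;
  }
  return Decision::Deny;  // fail closed: no cap grants this write
}

// MDS-side session gate: a client holding root_squash caps must advertise
// the auth-caps-check feature, otherwise it could buffer writes unchecked.
bool may_open_session(const std::vector<CapAuth>& caps, bool has_caps_check) {
  for (const CapAuth& c : caps)
    if (c.root_squash && !has_caps_check) return false;
  return true;
}
```
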