Project

General

Profile

Bug #16367

libcephfs: UID parsing breaks root squash (Ganesha FSAL)

Added by Kenneth Waegeman over 4 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Correctness/Safety
Target version:
-
% Done:

0%

Source:
Community (user)
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(FS):
Client, Common/Protocol, Ganesha FSAL, MDS, ceph-fuse
Labels (FS):
Pull request ID:
Crash signature:

Description

Testing with ganesha 2.4-o-dev20 and libcephfs 10.2.1:
I did set root squash on in the ganesha.conf, but as root I can do metadata operations through the nfs mounts like creating directories and running touch. Writing actual data data or changing permissions does not work, so that is ok. Also these created files/dirs also show up as root in the cephfs.

History

#1 Updated by Greg Farnum over 4 years ago

Can you please:
1) run ls -lha on the director you're testing in
2) do your tests
3) run ls -lha on all the relevant pieces
4) paste that output

It'll make it a lot easier to see what pieces are going wrong. :)

#2 Updated by Greg Farnum over 4 years ago

  • Status changed from New to Need More Info

#3 Updated by Kenneth Waegeman over 4 years ago

I have ceph mounted under /mnt/nfs/ceph:
[root@test2202 test]# pwd
/mnt/nfs/ceph/test
[root@test2202 test]# ls hal
total 1.5K
drwxr-xr-x 1 root root 4 Jun 20 10:48 .
drwxr-xr-x 3 root root 0 Jun 17 16:44 ..
drwx-----
1 kwaegema users 0 Jun 16 17:24 roto
drwxr-xr-x 1 kwaegema users 0 Jun 17 11:22 testtest
[root@test2202 test]# touch mail1
touch: setting times of `mail1': Permission denied
[root@test2202 test]# mkdir mail2
[root@test2202 test]# ls alh
total 2.0K
drwxr-xr-x 1 root root 4 Jun 20 10:48 .
drwxr-xr-x 3 root root 0 Jun 17 16:44 ..
-rw-r--r-
1 root root 0 Jun 20 10:49 mail1
drwxr-xr-x 1 root root 0 Jun 20 10:49 mail2
drwx------ 1 kwaegema users 0 Jun 16 17:24 roto
drwxr-xr-x 1 kwaegema users 0 Jun 17 11:22 testtest
[root@test2202 test]# echo "Add something to file" > mail3
bash: mail3: Permission denied
[root@test2202 test]# ls -alh
total 2.0K
drwxr-xr-x 1 root root 0 Jun 20 10:51 .
drwxr-xr-x 3 root root 0 Jun 17 16:44 ..
-rw-r--r-
1 root root 0 Jun 20 10:49 mail1
drwxr-xr-x 1 root root 0 Jun 20 10:49 mail2
rw-r--r- 1 root root 0 Jun 20 10:51 mail3
drwx------ 1 kwaegema users 0 Jun 16 17:24 roto
drwxr-xr-x 1 kwaegema users 0 Jun 17 11:22 testtest
[root@test2202 test]# rm rf testtest
[root@test2202 test]# ls -alh
total 1.5K
drwxr-xr-x 1 root root 0 Jun 20 10:51 .
drwxr-xr-x 3 root root 0 Jun 17 16:44 ..
-rw-r--r-
1 root root 0 Jun 20 10:49 mail1
drwxr-xr-x 1 root root 0 Jun 20 10:49 mail2
rw-r--r- 1 root root 0 Jun 20 10:51 mail3
drwx------ 1 kwaegema users 0 Jun 16 17:24 roto

I also asked this at the Ganesha mailing list. We are setting the anonymous id to -2, which it seems triggers this:
https://github.com/nfs-ganesha/nfs-ganesha/issues/102

I will retry with the workaround they provided for now.

#4 Updated by Kenneth Waegeman over 4 years ago

Now easier to read:

[root@test2202 test]# pwd
/mnt/nfs/ceph/test
[root@test2202 test]# ls -hal
total 1.5K
drwxr-xr-x 1 root     root  4 Jun 20 10:48 .
drwxr-xr-x 3 root     root  0 Jun 17 16:44 ..
drwx------ 1 kwaegema users 0 Jun 16 17:24 roto
drwxr-xr-x 1 kwaegema users 0 Jun 17 11:22 testtest
[root@test2202 test]# touch mail1
touch: setting times of `mail1': Permission denied
[root@test2202 test]# mkdir mail2
[root@test2202 test]# ls -alh
total 2.0K
drwxr-xr-x 1 root     root  4 Jun 20 10:48 .
drwxr-xr-x 3 root     root  0 Jun 17 16:44 ..
-rw-r--r-- 1 root     root  0 Jun 20 10:49 mail1
drwxr-xr-x 1 root     root  0 Jun 20 10:49 mail2
drwx------ 1 kwaegema users 0 Jun 16 17:24 roto
drwxr-xr-x 1 kwaegema users 0 Jun 17 11:22 testtest
[root@test2202 test]# echo "Add something to file" > mail3
-bash: mail3: Permission denied
[root@test2202 test]# ls -alh
total 2.0K
drwxr-xr-x 1 root     root  0 Jun 20 10:51 .
drwxr-xr-x 3 root     root  0 Jun 17 16:44 ..
-rw-r--r-- 1 root     root  0 Jun 20 10:49 mail1
drwxr-xr-x 1 root     root  0 Jun 20 10:49 mail2
-rw-r--r-- 1 root     root  0 Jun 20 10:51 mail3
drwx------ 1 kwaegema users 0 Jun 16 17:24 roto
drwxr-xr-x 1 kwaegema users 0 Jun 17 11:22 testtest
[root@test2202 test]# rm -rf testtest
[root@test2202 test]# ls -alh
total 1.5K
drwxr-xr-x 1 root     root  0 Jun 20 10:51 .
drwxr-xr-x 3 root     root  0 Jun 17 16:44 ..
-rw-r--r-- 1 root     root  0 Jun 20 10:49 mail1
drwxr-xr-x 1 root     root  0 Jun 20 10:49 mail2
-rw-r--r-- 1 root     root  0 Jun 20 10:51 mail3
drwx------ 1 kwaegema users 0 Jun 16 17:24 roto

#5 Updated by Greg Farnum over 4 years ago

Yeah, I expect that Frank's report is the root cause, but wanted to see to make sure. :)

#6 Updated by Greg Farnum over 4 years ago

  • Subject changed from Ganesha CEPH FSAL root squash not working as expected to libcephfs: UID parsing breaks root squash (Ganesha FSAL)
  • Status changed from Need More Info to 12

#7 Updated by Kenneth Waegeman over 4 years ago

I don't know if I should open a new issue for this, but it looks like even with another ID something is still wrong:

I am able to write files as the nobody user or any user in directories of other users, without having write permission

[root@test2202 vsc40035]# ls -al
total 1
drwxr-xr-x 1 vsc40035 vsc40035 0 Jun 23 13:46 .
drwxr-xr-x 3 root     root     0 Jun 23 13:50 ..
[root@test2202 vsc40035]# touch hola
[root@test2202 vsc40035]# ls
hola
[root@test2202 vsc40035]# ls -al
total 1
drwxr-xr-x 1 vsc40035   vsc40035   0 Jun 23 13:51 .
drwxr-xr-x 3 root       root       0 Jun 23 13:50 ..
-rw-r--r-- 1 2147483647 2147483647 0 Jun 23 13:51 hola
[root@test2202 vsc40035]# echo whut > hola
[root@test2202 vsc40035]# cat hola 
whut
[root@test2202 vsc40035]# ls -al
total 1
drwxr-xr-x 1 vsc40035   vsc40035   0 Jun 23 13:51 .
drwxr-xr-x 3 root       root       0 Jun 23 13:50 ..
-rw-r--r-- 1 2147483647 2147483647 5 Jun 23 13:52 hola

[root@test2202 ~]# su - kwaegema
[kwaegema@test2202 ~]$ cd /mnt/nfs/ceph/offload/vsc40035/
[kwaegema@test2202 vsc40035]$ touch hehe
[kwaegema@test2202 vsc40035]$ ls -al
total 1
drwxr-xr-x 1 vsc40035   vsc40035   5 Jun 23 13:54 .
drwxr-xr-x 3 root       root       0 Jun 23 13:50 ..
-rw-r--r-- 1 kwaegema   users      0 Jun 23 13:58 hehe
-rw-r--r-- 1 2147483647 2147483647 5 Jun 23 13:52 hola

#8 Updated by John Spray over 4 years ago

  • Assignee set to Greg Farnum

#9 Updated by Greg Farnum over 4 years ago

  • Status changed from 12 to In Progress

My basic approach here is to just stop automatically setting UID/GID within the Client class code base at all. It currently has get_uid() and get_gid() functions it uses ubiquitously; I'm exposing those externally as pick_my_(uid|gid) and am walking my way through the header file getting rid of all the default-set uid/gid params and adjusting the callers to invoke these pickers instead. fuse_ll.cc, libcephfs.cc, and SyntheticClient are all fine making those calls; anybody who is passing down a negative value presumably knows what they're doing.

BUT: I am not at all sure we do the right thing server-side with negative UID/GID values. That's going to be a whole separate thing.

#10 Updated by Greg Farnum about 4 years ago

  • Category changed from 44 to Correctness/Safety
  • Component(FS) Client, Common/Protocol, Ganesha FSAL, MDS, ceph-fuse added

#11 Updated by Greg Farnum about 4 years ago

  • Status changed from In Progress to Fix Under Review

#12 Updated by Greg Farnum almost 4 years ago

  • Status changed from Fix Under Review to Resolved

Also available in: Atom PDF