After most tests, when identity_upcall is set to NONE, it looks like only ACLs
using secondary groups are not satisfied.
If secondary groups are properly defined on clients, accesses are granted as 
expected.

Aurélien

On 09/01/2019 14:31, "lustre-discuss on behalf of Degremont, Aurelien"
<lustre-discuss-boun...@lists.lustre.org on behalf of degre...@amazon.com>
wrote:

    Hi Daniel!
    
    The secondary group thing was ok to me. I got this idea even if there are
    some weird results during my tests. Looks like you can overwrite MDT checks
    if user and group are properly defined on client node. Cache effects?
    
    ACL is really the thing I was interested in. Who is validating the ACLs?
    MDT, client or both? Do you think ACL could be properly applied if
    user/groups are only defined on client side and identity_upcall is disabled
    on MDT side?
    
    Thanks
    
    Aurélien
    
    On 09/01/2019 12:22, "lustre-discuss on behalf of Daniel Kobras"
    <lustre-discuss-boun...@lists.lustre.org on behalf of kob...@puzzle-itc.de>
    wrote:
    
        Hi Aurélien!
        
        On 09.01.19 at 11:48, Degremont, Aurelien wrote:
        > When disabling identity_upcall on a MDT, you get this message in
        > system logs:
        > 
        >   lustre-MDT0000: disable "identity_upcall" with ACL enabled maybe cause unexpected "EACCESS"
        > 
        > I’m trying to understand what could be a scenario that shows this
        > problem?
        > What is the implication, or rather, how identity_upcall works?
        
        Without an identity_upcall, all Lustre users effectively lose their
        secondary group memberships. These are not passed in the RPCs, but
        evaluated on the MDS instead. The default l_getidentity receives a
        numeric uid, queries NSS to obtain the corresponding account's list of
        gids, and passes the list back to the kernel. As a test scenario, just
        try to access a file or directory from an account that only has access
        permissions via one of its secondary groups. (The log message is a bit
        misleading--you don't actually need to use ACLs, ordinary group
        permissions are sufficient.)
        
        Kind regards,
        
        Daniel
        -- 
        Daniel Kobras
        Principal Architect
        Puzzle ITC Deutschland
        +49 7071 14316 0
        www.puzzle-itc.de
        
        -- 
        Puzzle ITC Deutschland GmbH
        Registered office: Jurastr. 27/1, 72072 Tübingen
        Registered at Amtsgericht Stuttgart, HRB 765802
        Managing directors: Lukas Kallies, Daniel Kobras, Mark Pröhl
        
        _______________________________________________
        lustre-discuss mailing list
        lustre-discuss@lists.lustre.org
        http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org
        
    

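A simplified model of the server-side check Daniel Kobras describes in the quoted reply, added here as an example and not taken from the thread or from Lustre's code. The function names, uids/gids and the directory are constructed for illustration; it models only the MDS-side lookup, not client-side checks or caching.

```python
import errno

R, W, X = 4, 2, 1  # permission bits within one class

def resolve_groups(uid, identity_upcall):
    """Model of the MDS identity lookup: uid -> supplementary gids.

    identity_upcall is a callable standing in for l_getidentity's NSS
    query (hypothetical stand-in), or None to model identity_upcall=NONE.
    """
    if identity_upcall is None:
        return frozenset()
    return frozenset(identity_upcall(uid))

def mds_access(uid, gid, inode, want, identity_upcall):
    """Return 0 if access is granted, errno.EACCES otherwise.

    uid/gid are the credentials carried by the request; supplementary
    groups come only from the server-side lookup, as described above.
    """
    groups = {gid} | resolve_groups(uid, identity_upcall)
    if uid == inode["uid"]:
        bits = (inode["mode"] >> 6) & 7      # owner class
    elif inode["gid"] in groups:
        bits = (inode["mode"] >> 3) & 7      # group class
    else:
        bits = inode["mode"] & 7             # other class
    return 0 if bits & want == want else errno.EACCES

# Constructed sample data: the MDS-side NSS database and one directory.
NSS_GROUPS = {1001: [2000, 2001]}            # uid -> supplementary gids

def nss_lookup(uid):
    return NSS_GROUPS.get(uid, [])

PROJECT_DIR = {"uid": 1000, "gid": 2000, "mode": 0o750}

def demo():
    # uid 1001 reaches PROJECT_DIR only through secondary group 2000.
    with_upcall = mds_access(1001, 1001, PROJECT_DIR, R | X, nss_lookup)
    without_upcall = mds_access(1001, 1001, PROJECT_DIR, R | X, None)
    return with_upcall, without_upcall

if __name__ == "__main__":
    for label, rc in zip(("upcall enabled", "upcall NONE"), demo()):
        print(label, "->", "granted" if rc == 0 else errno.errorcode[rc])
```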
