Bug 1344727

Summary: [nfs-ganesha+kerberos]: user continues to perform IO's after ticket destroy, until volume is remounted.
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: Shashank Raj <sraj>
Component: nfs-ganesha
Assignee: Kaleb KEITHLEY <kkeithle>
Status: CLOSED NOTABUG
QA Contact: Manisha Saini <msaini>
Severity: medium
Priority: medium
Version: rhgs-3.1
CC: jijoy, jthottan, kkeithle, msaini, ndevos, pasik, sanandpa, skoduri
Target Milestone: ---
Keywords: Reopened, ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-04-29 11:50:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Shashank Raj 2016-06-10 14:18:47 UTC
Description of problem:

[nfs-ganesha+kerberos]: user continues to perform IO's after ticket destroy, until volume is remounted.

Version-Release number of selected component (if applicable):

nfs-ganesha-2.3.1-8

How reproducible:

Always

Steps to Reproduce:

>> Mount the volume using krb5 on a client and perform some IO's:

[root@dhcp42-130 ~]# df
dhcp42-142.lab.eng.blr.redhat.com:/testvolume 187676672  509952 187166720   1% /mnt3

>> Log in as guest user and try to access the mount point and observe that it gives a permission denied message:

[root@dhcp42-130 ~]# su - guest
Last login: Fri Jun 10 19:09:26 IST 2016 on pts/0
[guest@dhcp42-130 ~]$ cd /mnt3
-bash: cd: /mnt3: Permission denied

>> Generate a kerberos ticket for the user

[guest@dhcp42-130 ~]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found

[guest@dhcp42-130 ~]$ kinit
Password for guest.BLR.REDHAT.COM: 

[guest@dhcp42-130 mnt3]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: guest.BLR.REDHAT.COM

Valid starting       Expires              Service principal
06/10/2016 19:42:48  06/11/2016 19:42:41  nfs/dhcp42-142.lab.eng.blr.redhat.com.BLR.REDHAT.COM
06/10/2016 19:42:41  06/11/2016 19:42:41  krbtgt/LAB.ENG.BLR.REDHAT.COM.BLR.REDHAT.COM

>> Do some IO's on the mountpoint: 

[guest@dhcp42-130 ~]$ cd /mnt3
[guest@dhcp42-130 mnt3]$ ls
fil6  file1  file10  file11  file2  file3  file4  file5  file7  file8  file9  raj
[guest@dhcp42-130 mnt3]$ touch file100
[guest@dhcp42-130 mnt3]$ ls
fil6  file1  file10  file100  file11  file2  file3  file4  file5  file7  file8  file9  raj

>> Destroy the ticket for the user:

[guest@dhcp42-130 ~]$ kdestroy
[guest@dhcp42-130 ~]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found

>> Observe that even after destroying the ticket, user is able to perform IO's:

[guest@dhcp42-130 ~]$ cd /mnt3
[guest@dhcp42-130 mnt3]$ ls
fil6  file1  file10  file100  file11  file2  file3  file4  file5  file7  file8  file9  raj

[guest@dhcp42-130 mnt3]$ date
Fri Jun 10 19:17:58 IST 2016

[guest@dhcp42-130 mnt3]$ ls
fil6  file1  file10  file100  file11  file2  file3  file4  file5  file7  file8  file9  raj
[guest@dhcp42-130 mnt3]$ touch file123
[guest@dhcp42-130 mnt3]$ ls
fil6  file1  file10  file100  file11  file123  file2  file3  file4  file5  file7  file8  file9  raj

[guest@dhcp42-130 mnt3]$ date
Fri Jun 10 19:28:37 IST 2016

[guest@dhcp42-130 mnt3]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found

>> Umount the volume from root and again mount it

[guest@dhcp42-130 mnt3]$ exit
logout

[root@dhcp42-130 ~]# df

dhcp42-142.lab.eng.blr.redhat.com:/testvolume 187676672  509952 187166720   1% /mnt3

[root@dhcp42-130 ~]# umount /mnt3

[root@dhcp42-130 ~]# df
Filesystem                        1K-blocks    Used Available Use% Mounted on
/dev/mapper/rhel_dhcp42--130-root  27740944 1341788  26399156   5% /
devtmpfs                            3995072       0   3995072   0% /dev
tmpfs                               4005468       0   4005468   0% /dev/shm
tmpfs                               4005468    8588   3996880   1% /run
tmpfs                               4005468       0   4005468   0% /sys/fs/cgroup
/dev/vda1                            508588  126924    381664  25% /boot
tmpfs                                801096       0    801096   0% /run/user/0

[root@dhcp42-130 ~]# mount -t nfs -o sec=krb5 dhcp42-142.lab.eng.blr.redhat.com:/testvolume /mnt3

>> Again login as guest user and try to perform IO's and observe that it gives permission denied error now:

[root@dhcp42-130 ~]# su - guest
Last login: Fri Jun 10 19:16:52 IST 2016 on pts/0

[guest@dhcp42-130 ~]$ cd /mnt3
-bash: cd: /mnt3: Permission denied
[guest@dhcp42-130 ~]$ 

Actual results:

user continues to perform IO's after ticket destroy, until volume is remounted.

Expected results:

IO should not happen when the ticket for a user is destroyed.

Additional info:

Comment 2 Niels de Vos 2016-06-10 15:13:55 UTC
kdestroy is not really a good way to test this. I assume the ticket is still in the kernel's keyring for the user's session.

Instead of doing kdestroy, it is better to pass a lifetime to the kinit command. For example, to have a ticket that is valid for two minutes:

  $ kinit -l 2m

Please re-test with this.
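
A sketch of the short-lifetime re-test from comment 2, added here as an example (it is not from the bug report or from nfs-ganesha). It assumes the `MM/DD/YYYY HH:MM:SS` klist layout shown in the description; the function names, the sample realm and the 10-second poll interval are illustrative, and `/mnt3` is the report's mount point.

```shell
# Constructed sample in the klist layout shown in the report (placeholder realm).
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: guest@EXAMPLE.TEST

Valid starting       Expires              Service principal
06/10/2016 19:42:48  06/10/2016 19:44:41  nfs/server.example.test@EXAMPLE.TEST
06/10/2016 19:42:41  06/10/2016 19:44:41  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST'

# Seconds until the first nfs/ service ticket in klist output (stdin) expires,
# relative to wall-clock time $1 in the same "MM/DD/YYYY HH:MM:SS" layout.
# Negative means already expired. Returns 1 if no nfs/ ticket is listed.
nfs_ticket_remaining() {
    awk -v now="$1" '
    function secs(ts,   a, y, m, days) {
        split(ts, a, "[/ :]")            # a = month day year hour min sec
        y = a[3]; m = a[1]
        if (m <= 2) { y--; m += 12 }     # count the year from March
        days = 365*y + int(y/4) - int(y/100) + int(y/400)
        days = days + int((153*(m-3)+2)/5) + a[2]
        return days*86400 + a[4]*3600 + a[5]*60 + a[6]
    }
    $5 ~ /^nfs\// { print secs($3 " " $4) - secs(now); found = 1; exit }
    END { exit !found }'
}

# Re-test flow; needs a reachable KDC and the sec=krb5 mount, so it is only
# defined here and must be called by hand as the test user.
retest_after_expiry() {
    mnt=${1:-/mnt3}
    kinit -l 2m || return 1              # two-minute ticket, as in comment 2
    ls "$mnt" >/dev/null || return 1     # first access obtains the nfs/ ticket
    # Poll until the nfs/ ticket is expired or no longer listed.
    while left=$(klist | nfs_ticket_remaining "$(date '+%m/%d/%Y %H:%M:%S')") \
          && [ "$left" -ge 0 ]; do
        sleep 10
    done
    if ls "$mnt" >/dev/null 2>&1; then
        echo "FAIL: $mnt still accessible after ticket expiry"; return 1
    fi
    echo "OK: access to $mnt denied after ticket expiry"
}
```

Both timestamps are compared as local wall-clock values, so the result is only meaningful when klist and `date` run on the same host and in the same time zone.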

Comment 9 Manisha Saini 2020-08-16 14:45:41 UTC
QE will reopen this issue if it is observed again in testing. Clearing needinfo.