Bug 762132 (GLUSTER-400)

Summary: Support auxiliary gids in GlusterFS
Product: [Community] GlusterFS Reporter: Shehjar Tikoo <shehjart>
Component: coreAssignee: Shehjar Tikoo <shehjart>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: mainlineCC: aavati, amarts, gluster-bugs
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: RTP Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 762131    

Description Shehjar Tikoo 2009-11-23 09:39:18 UTC 
In order to support full RPC authentication, we need to be able to transmit an array of gid_ts using the call frame so that posix call call setgroups with those gids. This is needed in order to support RPC authentication schemes where the RPC layer on the client sends us a list of at most 16 group ids for the user on whose behalf the RPC was issued.

This needs support from client and server protocols along with the GlusterFS message encoding and decoding routines so that the array of group ids get supported natively in GlusterFS.
Comment 1 Shehjar Tikoo 2009-11-30 06:21:18 UTC 
Once the transmission of gids is possible, the next thing that needs to be done is to bring in support in posix such that we depend on our in-house access and permission checking code rather than having to depend on setfs[ug]id and or setgroups system calls.

Neither setfs[ug]id will work for us because it only allows setting one uid or gid whereas the operation needs to be performed using a gid sent to us through the auxiliary group list in RPC.

setgroups does not work for setting the aux groups of the current process to a given array of gids because this function sets the gids for the whole process and not just the thread. This model is not acceptable for our purposes. Hence the need to have an in-house access checking mechanism
Comment 2 Anand Avati 2009-12-03 07:59:31 UTC 
PATCH: http://patches.gluster.com/patch/2518 in master (core, client, server: Support auxiliary group ids)
Comment 3 Shehjar Tikoo 2010-01-25 02:19:43 UTC 
err...not fixed. Auxiliary gid support has two parts. One in the protocol/client and server, which is the previous patch and a second part in storage/posix. That change is in my NFS tree and will be brought in later with NFS xlator.
Comment 4 Anand Avati 2010-03-04 08:12:36 UTC 
PATCH: http://patches.gluster.com/patch/2864 in master (core: Provide helper macro to set [ug]id in frame)
Comment 5 Shehjar Tikoo 2010-03-31 09:50:48 UTC 
Access control translator is being introduced for a fix to this bug. See bz 597 to know why.
Comment 6 Anand Avati 2010-03-31 11:43:46 UTC 
PATCH: http://patches.gluster.com/patch/3068 in master (core: Add iatt protection bit testing macros)
Comment 7 Anand Avati 2010-03-31 11:43:50 UTC 
PATCH: http://patches.gluster.com/patch/3069 in master (core: Expose default callbacks)
Comment 8 Anand Avati 2010-03-31 11:43:54 UTC 
PATCH: http://patches.gluster.com/patch/3070 in master (access-control: Introduce new translator)