Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Gluster CLI does not allow setting root squashing|
|Product:||Red Hat Gluster Storage||Reporter:||Veda Shankar <veshanka>|
|Status:||CLOSED ERRATA||QA Contact:||Saurabh <saujain>|
|Version:||2.0||CC:||amarts, divya, mzywusko, ndevos, nsathyan, rfortier, rhs-bugs, shaines, storage-doc, ujjwala, vbellur|
|Fixed In Version:||Doc Type:||Bug Fix|
Cause: Client root user gains the permissions of the local root user and gets all the privileges of local root, which is not desired.
Consequence:
Fix: The root squashing feature, which squashes (converts to nfsnobody) all incoming requests from root (id 0), the same as NFS root-squash, is implemented in the RPC layer on a per-volume basis.
Result: Can set root-squash on/off per volume.
|Last Closed:||2013-03-28 18:27:55 EDT||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||896408|
Description Veda Shankar 2012-12-04 17:53:17 EST
Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Comment 2 Veda Shankar 2012-12-04 18:08:31 EST
The GlusterFS volume has root-squashing disabled by default, and this is not desirable in production environments. With root squashing enabled, if a RHS volume is accessed from a client using the "root" user id then the incoming requests are converted to user "nobody". The Gluster CLI does not allow enabling this feature.

gluster> volume set gvol0 root-squashing enable
option : root-squashing does not exist
Did you mean count-fop-hits or flush-behind?
Set volume unsuccessful
Comment 5 Niels de Vos 2012-12-12 04:22:06 EST
>> root squashing is disabled by default and can be turned on by
>>
>> "gluster volume set <VOLNAME> root-squashing on"
>>
> Thanks. Is there a feature page with supported usecase against this?

Not sure about any feature pages. However, the functionality should be the same as for RHEL NFS-servers. From 'man 5 exports' on a RHEL NFS-server:

    root_squash
        Map requests from uid/gid 0 to the anonymous uid/gid. Note that this
        does not apply to any other uids or gids that might be equally
        sensitive, such as user bin or group staff.

Testing should be done by mounting a volume and doing some file operations as root. These operations should be executed as user nobody instead. From my understanding, both volumes mounted over NFS and GlusterFS-native should be affected.
Comment 7 Veda Shankar 2012-12-13 11:06:07 EST
According to customer testing, with root squashing enabled the "write" behavior is correct but the "read" behavior is incorrect, i.e. "others" are allowed access even though the permission is set to 770.
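Added example, not part of the bug report or of GlusterFS: a POSIX shell check for the test described in comments 5 and 7, which models the expected decision (uid/gid 0 mapped to the anonymous ids, then the ordinary mode bits) and compares it with a real open on the mounted volume. It assumes the anonymous uid/gid is 65534 and GNU `stat`; the function names and the mount path `/mnt/gvol0` are hypothetical, and supplementary groups are ignored.

```sh
#!/bin/sh
# Added example (not from the bug report): expected vs. observed access on a
# root-squashed volume. Simplification: supplementary groups are ignored.
ANON_UID=${ANON_UID:-65534}   # assumption: anonymous uid (nfsnobody/nobody)
ANON_GID=${ANON_GID:-65534}   # assumption: anonymous gid

# expected_access SQUASH MODE OWNER_UID OWNER_GID REQ_UID REQ_GID PERM
#   SQUASH is on|off, MODE is octal (770), PERM is r|w. Prints allow|deny.
expected_access() {
  ea_uid=$5; ea_gid=$6
  if [ "$1" = on ]; then
    # root squashing: map uid/gid 0 to the anonymous ids before any check
    if [ "$ea_uid" -eq 0 ]; then ea_uid=$ANON_UID; fi
    if [ "$ea_gid" -eq 0 ]; then ea_gid=$ANON_GID; fi
  fi
  # an unsquashed root bypasses the mode bits for read and write
  if [ "$ea_uid" -eq 0 ]; then echo allow; return 0; fi
  case $7 in r) ea_bit=4 ;; w) ea_bit=2 ;; *) return 2 ;; esac
  # exactly one class applies: owner, else group, else other
  if   [ "$ea_uid" -eq "$3" ]; then ea_shift=6
  elif [ "$ea_gid" -eq "$4" ]; then ea_shift=3
  else ea_shift=0
  fi
  if [ $(( (0$2 >> $ea_shift) & $ea_bit )) -ne 0 ]; then echo allow; else echo deny; fi
}

# probe FILE: really open FILE for reading and for appending as the caller.
probe() {
  p_r=deny; p_w=deny
  if head -c 1 "$1" >/dev/null 2>&1; then p_r=allow; fi
  if ( : >>"$1" ) 2>/dev/null; then p_w=allow; fi
  echo "read=$p_r write=$p_w"
}

# verify FILE: compare what a squashing volume should do with what it does.
# Run as root on a client, e.g. verify /mnt/gvol0/f (mount path is constructed).
verify() {
  set -- "$1" $(stat -c '%u %g %a' "$1")   # GNU stat: owner uid, gid, octal mode
  v_want="read=$(expected_access on "$4" "$2" "$3" "$(id -u)" "$(id -g)" r)"
  v_want="$v_want write=$(expected_access on "$4" "$2" "$3" "$(id -u)" "$(id -g)" w)"
  v_got=$(probe "$1")
  if [ "$v_got" = "$v_want" ]; then echo "PASS $v_got"; return 0; fi
  echo "FAIL expected[$v_want] observed[$v_got]"; return 1
}
```

On a file with mode 770 owned by an ordinary user, a squashed root falls into the "other" class, so `verify` expects `read=deny write=deny` and reports FAIL if either open succeeds.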
Comment 8 Amar Tumballi 2012-12-24 03:54:59 EST
Moving the bug to ON_QA as the CLI option is now available for root-squashing. And there are different bugs opened for tracking issues like comment #7 (bug 887145 and bug 887263)
Comment 10 Niels de Vos 2013-01-17 04:15:15 EST
Upstream Bug 896408: Gluster CLI does not allow setting root squashing.
Comment 11 Divya 2013-02-12 05:58:16 EST
Varun,

This bug has been added to Update 4 errata. Could you provide your inputs in doc text field which will enable me to update errata??

Thanks,
Divya
Comment 14 errata-xmlrpc 2013-03-28 18:27:55 EDT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0691.html