Bug 883590

Summary: Gluster CLI does not allow setting root squashing
Product: Red Hat Gluster Storage Reporter: Veda Shankar <veshanka>
Component: glusterfs-serverAssignee: vpshastry <vshastry>
Status: CLOSED ERRATA QA Contact: Saurabh <saujain>
Severity: high Docs Contact:
Priority: high    
Version: 2.0CC: amarts, divya, mzywusko, ndevos, nsathyan, rfortier, rhs-bugs, shaines, storage-doc, ujjwala, vbellur
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Client root user gains the permissions of the local root user and gets all the privileges of local root, which is not desired. Consequence: Fix: Root squashing feature which squashes (convert to nfsnobody) all the incoming request from the root (id 0)(same as in NFS root-squash) is implemented in RPC layer per volume basis. Result: Can set root-squash on/off per volume.
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-28 18:27:55 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 896408    
Bug Blocks:    

Description Veda Shankar 2012-12-04 17:53:17 EST
Description of problem:



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 2 Veda Shankar 2012-12-04 18:08:31 EST
The GlusterFS volume has root-squashing disabled by default and is not desirable in production environments.  With root squashing enabled, if a RHS volume is accessed from a client using the "root" user id then the incoming requests are converted to user "nobody".  

The Gluster CLI does not allow enabling this feature.

gluster> volume set gvol0 root-squashing enable
option : root-squashing does not exist
Did you mean count-fop-hits or flush-behind?
Set volume unsuccessful
Comment 5 Niels de Vos 2012-12-12 04:22:06 EST
>> root squashing is disabled by default and can be turned on by
>>
>> "gluster volume set<VOLNAME>  root-squashing on"
>>
> Thanks. Is there a feature page with supported usecase against this?

Not sure about any feature pages. However, the functionality should be the
same as for RHEL NFS-servers. From 'man 5 exports' on a RHEL NFS-server:

       root_squash
              Map  requests from uid/gid 0 to the anonymous uid/gid. Note that
              this does not apply to any other uids  or  gids  that  might  be
              equally sensitive, such as user bin or group staff.

Testing should be done by mounting a volume and do some file operations as
root. These operations should be executed as user nobody instead. From my
understanding, both volumes mounted over NFS and GlusterFS-native should be
affected.
Comment 7 Veda Shankar 2012-12-13 11:06:07 EST
According to customer testing, with root squashing enabled the "write" behavior is correct but the "read" behavior is incorrect ie "others" are allowed access even though the permission is set to 770.
Comment 8 Amar Tumballi 2012-12-24 03:54:59 EST
Moving the bug to ON_QA as the CLI option is now available for root-squashing. And there are different bugs opened for tracking issues like comment #7 (bug 887145 and bug 887263)
Comment 10 Niels de Vos 2013-01-17 04:15:15 EST
Upstream Bug 896408: Gluster CLI does not allow setting root squashing.
Comment 11 Divya 2013-02-12 05:58:16 EST
Varun,

This bug has been added to Update 4 errata. Could you provide your inputs in doc text field which will enable me to update errata??

Thanks,
Divya
Comment 14 errata-xmlrpc 2013-03-28 18:27:55 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0691.html