Bug 883590
| Summary: | Gluster CLI does not allow setting root squashing | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | Veda Shankar <veshanka> |
| Component: | glusterd | Assignee: | vpshastry <vshastry> |
| Status: | CLOSED ERRATA | QA Contact: | Saurabh <saujain> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 2.0 | CC: | amarts, bcompton, divya, mzywusko, ndevos, nsathyan, rfortier, rhs-bugs, shaines, storage-doc, ujjwala, vbellur |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause:
Client root user gains the permissions of the local root user and gets all the privileges of local root, which is not desired.
Consequence:
Fix:
Root squashing feature which squashes (convert to nfsnobody) all the incoming request from the root (id 0)(same as in NFS root-squash) is implemented in RPC layer per volume basis.
Result:
Can set root-squash on/off per volume.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-03-28 22:27:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 896408 | ||
| Bug Blocks: | |||
|
Description
Veda Shankar
2012-12-04 22:53:17 UTC
The GlusterFS volume has root-squashing disabled by default and is not desirable in production environments. With root squashing enabled, if a RHS volume is accessed from a client using the "root" user id then the incoming requests are converted to user "nobody". The Gluster CLI does not allow enabling this feature. gluster> volume set gvol0 root-squashing enable option : root-squashing does not exist Did you mean count-fop-hits or flush-behind? Set volume unsuccessful >> root squashing is disabled by default and can be turned on by
>>
>> "gluster volume set<VOLNAME> root-squashing on"
>>
> Thanks. Is there a feature page with supported usecase against this?
Not sure about any feature pages. However, the functionality should be the
same as for RHEL NFS-servers. From 'man 5 exports' on a RHEL NFS-server:
root_squash
Map requests from uid/gid 0 to the anonymous uid/gid. Note that
this does not apply to any other uids or gids that might be
equally sensitive, such as user bin or group staff.
Testing should be done by mounting a volume and do some file operations as
root. These operations should be executed as user nobody instead. From my
understanding, both volumes mounted over NFS and GlusterFS-native should be
affected.
According to customer testing, with root squashing enabled the "write" behavior is correct but the "read" behavior is incorrect ie "others" are allowed access even though the permission is set to 770. Moving the bug to ON_QA as the CLI option is now available for root-squashing. And there are different bugs opened for tracking issues like comment #7 (bug 887145 and bug 887263) Upstream Bug 896408: Gluster CLI does not allow setting root squashing. Varun, This bug has been added to Update 4 errata. Could you provide your inputs in doc text field which will enable me to update errata?? Thanks, Divya Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0691.html |