Bug 1077452 - Unable to setup/use non-root Geo-replication
Summary: Unable to setup/use non-root Geo-replication
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: GlusterFS
Classification: Community
Component: geo-replication
Version: mainline
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Venky Shankar
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1079561 1083997 1098053
Reported: 2014-03-18 03:39 UTC by Venky Shankar
Modified: 2014-11-11 08:28 UTC

Fixed In Version: glusterfs-3.6.0beta1
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1079561 1098053
Environment:
Last Closed: 2014-11-11 08:28:49 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Embargoed:


Description Venky Shankar 2014-03-18 03:39:57 UTC
Description of problem:
Unable to setup/use non-root Geo-replication

Version-Release number of selected component (if applicable):
mainline

How reproducible:
always

Actual results:
With the current changes to Geo-replication, using non-root user (via Mountbroker) to replicate data is not functioning.

Expected results:
Admin should be able to setup and use this feature as expected

Comment 1 Venky Shankar 2014-03-24 07:30:34 UTC
Efforts involved

This can be split into two parts - glusterd and geo-replication daemon.

1. Revert patch in glusterd
As of now, glusterd does not allow creation of non-root geo-rep session. Reverting this patch would allow the creation of non-root geo-rep sessions.

2. Fixes in geo-replication daemon
After #1, there would be changes/bug-fixes in the daemon part to allow entities to be synced without super user privileges. The majority of the code still lives in the codebase, but given the extensive amount of changes that have been done to geo-rep for distributify and using changelogs, there could be a lot of places to fix bugs.

Comment 2 Venky Shankar 2014-05-06 10:07:11 UTC
Initial patch: http://review.gluster.org/#/c/7658/

Comment 3 Anand Avati 2014-05-08 07:12:27 UTC
REVIEW: http://review.gluster.org/7658 (gsyncd / geo-rep: Partial support for Non-root geo-replication) posted (#4) for review on master by Venky Shankar (vshankar)

Comment 4 Anand Avati 2014-05-12 14:30:39 UTC
REVIEW: http://review.gluster.org/7658 (gsyncd / geo-rep: Partial support for Non-root geo-replication) posted (#5) for review on master by Avra Sengupta (asengupt)

Comment 5 Anand Avati 2014-05-12 14:30:46 UTC
REVIEW: http://review.gluster.org/7744 (glusterd/geo-rep: Allow gverify.sh and S56glusterd-geo-rep-create-post.sh to operate for non-root privileged slave volume) posted (#1) for review on master by Avra Sengupta (asengupt)

Comment 6 Anand Avati 2014-05-13 10:56:15 UTC
REVIEW: http://review.gluster.org/7744 (glusterd/geo-rep: Allow gverify.sh and S56glusterd-geo-rep-create-post.sh to operate for non-root privileged slave volume) posted (#2) for review on master by Avra Sengupta (asengupt)

Comment 7 Anand Avati 2014-05-13 10:56:21 UTC
REVIEW: http://review.gluster.org/7658 (gsyncd / geo-rep: Partial support for Non-root geo-replication.) posted (#6) for review on master by Avra Sengupta (asengupt)

Comment 8 Anand Avati 2014-05-14 06:03:32 UTC
REVIEW: http://review.gluster.org/7744 (glusterd/geo-rep: Allow gverify.sh and S56glusterd-geo-rep-create-post.sh to operate for non-root privileged slave volume) posted (#3) for review on master by Avra Sengupta (asengupt)

Comment 9 Anand Avati 2014-05-14 06:03:38 UTC
REVIEW: http://review.gluster.org/7658 (gsyncd / geo-rep: Partial support for Non-root geo-replication.) posted (#7) for review on master by Avra Sengupta (asengupt)

Comment 10 Anand Avati 2014-05-14 17:24:13 UTC
COMMIT: http://review.gluster.org/7658 committed in master by Venky Shankar (vshankar) 
------
commit 48201f4faeef3602cb095bf47d14deebf91899ba
Author: Venky Shankar <vshankar>
Date:   Sun May 4 01:34:08 2014 +0530

    gsyncd / geo-rep: Partial support for Non-root geo-replication.
    
    This patch enables geo-replication to be run as an unprivileged
    user. As of now, this is just the partial support, but is very
    close to achieving full functionality.
    
    Current limitation
    * Geo-replication executed Gluster CLI commands on the slave
      via SSH. On a non-root setup, Gluster CLI would run as an
      unprivileged user, failing to execute the command. As a
      workaround (for testing), setuid(2) Gluster CLI executable
      or use the glusterd option to accept commands by unprivileged
      CLI process. The nature of cli commands are "system::"
      commands (for key management) and remote volume info fetching.
    
    Remote volume info fetching has been modified to use --remote-host
    gluster cli option rather than ssh and remote cli execution.
    
    Change-Id: Ica89e2ba9b7f48fd6e1c876c477d7822dc693617
    BUG: 1077452
    Signed-off-by: Venky Shankar <vshankar>
    Reviewed-on: http://review.gluster.org/7658
    Tested-by: Gluster Build System <jenkins.com>

Comment 11 Anand Avati 2014-05-14 17:24:42 UTC
COMMIT: http://review.gluster.org/7744 committed in master by Venky Shankar (vshankar) 
------
commit 09e9775127c7def49202e68c923e36a6032a3628
Author: Avra Sengupta <asengupt>
Date:   Mon May 12 00:06:32 2014 +0000

    glusterd/geo-rep: Allow gverify.sh and S56glusterd-geo-rep-create-post.sh
    to operate for non-root privileged slave volume
    
    Mounting the slave-volume on local node, to perform disk checks
    in order to allow gverify.sh to operate for non-root privileged
    slave volume
    
    Allowing the hook script S56glusterd-geo-rep-create-post.sh
    to operate for non-root privileged slave volume
    
    Modified peer_add_secret_pub.in to accept username as argument
    and add the pem keys to the user's_home_dir/.ssh/authorized_keys
    
    Wrote set_geo_rep_pem_keys.sh which accepts username as argument
    and copies the pem keys from the user's home directory to
    $GLUSTERD_WORKING_DIR/geo-replication/ and then copies the keys
    to other nodes in the cluster and add them to the respective
    authorized keys. The script takes as argument the user name and
    assumes that the user will be present in all the nodes in the
    cluster. It is not needed for root.
    
    To summarize:
    For a privileged slave user, execute the following on master node as super user:
    gluster system:: execute gsec_create
    gluster volume geo-replication <master_vol> [root@]<slave_ip>::<slave_vol> create push_pem
    
    For a non-privileged slave user execute the following on master node as super user:
    gluster system:: execute gsec_create
    gluster volume geo-replication <master_vol> <slave_user>@<slave_ip>::<slave_vol> create push_pem
    then on the slave node execute the following as super user:
    /usr/local/libexec/glusterfs/set_geo_rep_pem_keys.sh <slave_user>
    
    BUG: 1077452
    Change-Id: I88020968aa5b13a2c2ab86b1d6661b60071f6f5e
    Signed-off-by: Avra Sengupta <asengupt>
    Reviewed-on: http://review.gluster.org/7744
    Tested-by: Gluster Build System <jenkins.com>
    Reviewed-by: Venky Shankar <vshankar>
    Tested-by: Venky Shankar <vshankar>

Comment 12 Anand Avati 2014-05-15 07:24:13 UTC
REVIEW: http://review.gluster.org/7767 (gsyncd/geo-rep: Fix remote vol info fetching for non-root) posted (#1) for review on master by Kotresh HR (khiremat)

Comment 13 Anand Avati 2014-05-15 08:21:11 UTC
COMMIT: http://review.gluster.org/7767 committed in master by Venky Shankar (vshankar) 
------
commit a20b6b473bf72224b0ea7752987d47d44b8b633c
Author: Kotresh H R <khiremat>
Date:   Thu May 15 12:52:22 2014 +0530

    gsyncd/geo-rep: Fix remote vol info fetching for non-root
    
    Signed-off-by: Kotresh H R <khiremat>
    
    Change-Id: If1d2cab3fcfe2391105551e54f0b9729a7c204e4
    BUG: 1077452
    Reviewed-on: http://review.gluster.org/7767
    Reviewed-by: Venky Shankar <vshankar>
    Tested-by: Venky Shankar <vshankar>

Comment 14 Anand Avati 2014-05-21 06:34:27 UTC
REVIEW: http://review.gluster.org/7818 (gsyncd / geo-rep: fix slave volume glusterd query) posted (#1) for review on master by Venky Shankar (vshankar)

Comment 15 Anand Avati 2014-05-21 09:04:00 UTC
REVIEW: http://review.gluster.org/7818 (gsyncd / geo-rep: fix cli query for volinfo fetch) posted (#2) for review on master by Venky Shankar (vshankar)

Comment 16 Anand Avati 2014-05-21 09:04:06 UTC
REVIEW: http://review.gluster.org/7820 (gsyncd / geo-rep: Mountbroker cli to use INET sockets) posted (#1) for review on master by Venky Shankar (vshankar)

Comment 17 Anand Avati 2014-05-21 09:20:23 UTC
REVIEW: http://review.gluster.org/7820 (gsyncd / geo-rep: Mountbroker cli to use INET sockets) posted (#2) for review on master by Venky Shankar (vshankar)

Comment 18 Anand Avati 2014-05-21 09:20:30 UTC
REVIEW: http://review.gluster.org/7818 (gsyncd / geo-rep: fix cli query for volinfo fetch) posted (#3) for review on master by Venky Shankar (vshankar)

Comment 19 Anand Avati 2014-05-21 09:20:49 UTC
REVIEW: http://review.gluster.org/7821 (mgmt/glusterd: Allow mount/umount requests over AF_INET) posted (#1) for review on master by Venky Shankar (vshankar)

Comment 20 Anand Avati 2014-05-21 15:52:26 UTC
REVIEW: http://review.gluster.org/7820 (gsyncd / geo-rep: Mountbroker cli to use INET sockets) posted (#3) for review on master by Venky Shankar (vshankar)

Comment 21 Anand Avati 2014-05-21 15:52:32 UTC
REVIEW: http://review.gluster.org/7821 (mgmt/glusterd: Allow mount/umount requests over AF_INET) posted (#2) for review on master by Venky Shankar (vshankar)

Comment 22 Anand Avati 2014-05-21 15:52:37 UTC
REVIEW: http://review.gluster.org/7818 (gsyncd / geo-rep: fix cli query for volinfo fetch) posted (#4) for review on master by Venky Shankar (vshankar)

Comment 23 Anand Avati 2014-05-21 15:52:43 UTC
REVIEW: http://review.gluster.org/7833 (gsyncd : Use --remote-host option during cli invocation) posted (#1) for review on master by Venky Shankar (vshankar)

Comment 24 Anand Avati 2014-05-22 12:23:13 UTC
REVIEW: http://review.gluster.org/7820 (gsyncd / geo-rep: Mountbroker cli to use INET sockets) posted (#4) for review on master by Venky Shankar (vshankar)

Comment 25 Anand Avati 2014-05-22 12:23:19 UTC
REVIEW: http://review.gluster.org/7821 (mgmt/glusterd: Allow mount/umount requests over AF_INET) posted (#3) for review on master by Venky Shankar (vshankar)

Comment 26 Anand Avati 2014-05-22 12:23:26 UTC
REVIEW: http://review.gluster.org/7833 (gsyncd : Use --remote-host option during cli invocation) posted (#2) for review on master by Venky Shankar (vshankar)

Comment 27 Anand Avati 2014-05-22 12:23:35 UTC
REVIEW: http://review.gluster.org/7818 (gsyncd / geo-rep: fix cli query for volinfo fetch) posted (#5) for review on master by Venky Shankar (vshankar)

Comment 28 Anand Avati 2014-05-26 02:50:59 UTC
COMMIT: http://review.gluster.org/7821 committed in master by Venky Shankar (vshankar) 
------
commit a6da7b531bccbec8c8320acb09e2ee6a5df73a33
Author: Vijay Bellur <vbellur>
Date:   Tue May 20 19:57:37 2014 +0530

    mgmt/glusterd: Allow mount/umount requests over AF_INET
    
    Along with a simple naming convention change to avoid
    confusion as per below.
    
       s/gd_svc_cli_prog_ro/gd_svc_cli_trusted_progs/
       s/gd_svc_cli_actors_ro/gd_svc_cli_trusted_actors/
    
    Change-Id: Ibc73d88846636656f060a811f641f37a1a864615
    BUG: 1077452
    Original-Author: Vijay Bellur <vbellur>
    Signed-off-by: Venky Shankar <vshankar>
    Reviewed-on: http://review.gluster.org/7821
    Reviewed-by: Kotresh HR <khiremat>
    Tested-by: Gluster Build System <jenkins.com>

Comment 29 Anand Avati 2014-05-26 02:51:36 UTC
COMMIT: http://review.gluster.org/7818 committed in master by Venky Shankar (vshankar) 
------
commit bbb8313568bd0725f9faf1927ccefe79126a2113
Author: Venky Shankar <vshankar>
Date:   Wed May 21 11:54:24 2014 +0530

    gsyncd / geo-rep: fix cli query for volinfo fetch
    
    With an unprivileged geo-replication session, monitor
    was using user@slave for --remote-host option for gluster
    cli, thereby failing to successfully connect to the slave
    glusterd.
    
    This patch fixes the issue by selecting the hostname/IP
    from the specified slave endpoint url.
    
    - For privileged geo-replication sessions, this patch
    has no effect as the slave endpoint url is just the
    hostname/IP.
    
    Change-Id: I88f66c406a8d9a34db7fc626965f949075e3ceac
    BUG: 1077452
    Signed-off-by: Venky Shankar <vshankar>
    Reviewed-on: http://review.gluster.org/7818
    Reviewed-by: Aravinda VK <avishwan>
    Reviewed-by: Kotresh HR <khiremat>
    Tested-by: Gluster Build System <jenkins.com>
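
The host selection described in the commit above, as an added example (not gsyncd's own code): it splits the `[user@]host::volume` endpoint form used in comment 11 and builds the argument list for a `--remote-host` volume info query. The function names and the validation patterns are assumptions made for this illustration.

```python
import re

# Hostname or IPv4 literal. The first character may not be '-', so the value
# can never be read as a command-line option once it is placed in argv.
_HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")
_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def parse_slave_endpoint(endpoint):
    """Split '[user@]host::volume' into (user, host, volume)."""
    left, sep, volume = endpoint.partition("::")
    if not sep:
        raise ValueError("expected [user@]host::volume, got %r" % endpoint)
    user, at, host = left.rpartition("@")
    if not at:
        user = "root"  # '[root@]' is optional in the privileged form
    checks = (("user", user, _NAME_RE),
              ("host", host, _HOST_RE),
              ("volume", volume, _NAME_RE))
    for label, value, pattern in checks:
        if not pattern.fullmatch(value):
            raise ValueError("invalid %s in %r" % (label, endpoint))
    return user, host, volume


def volinfo_argv(endpoint):
    """argv for a volume info query; only the host part goes to --remote-host."""
    _user, host, volume = parse_slave_endpoint(endpoint)
    # Returned as a list so a caller can run it without a shell.
    return ["gluster", "--remote-host=" + host, "volume", "info", volume]


if __name__ == "__main__":
    # Constructed sample endpoints, one unprivileged and one privileged.
    for ep in ("geoaccount@10.0.0.5::slavevol", "slave1.example.com::slavevol"):
        print(ep, "->", " ".join(volinfo_argv(ep)))
```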

Comment 30 Anand Avati 2014-05-26 02:52:09 UTC
COMMIT: http://review.gluster.org/7820 committed in master by Venky Shankar (vshankar) 
------
commit 74cc911d4301905d0722a943ca2b844637d4dc74
Author: Venky Shankar <vshankar>
Date:   Wed May 21 14:18:06 2014 +0530

    gsyncd / geo-rep: Mountbroker cli to use INET sockets
    
    Unprivileged geo-replication session runs the slave gsyncd
    process as unprivileged, thereby executing gluster cli commands
    as an unprivileged user. By default, cli to glusterd
    uses unix domain sockets, thereby restricting cli command
    execution by non root users.
    
    This patch introduces '--remote-host' cli option to force
    cli to use INET socket. For this to work, the following
    needs to be added in glusterd volfile
    
          option rpc-auth-allow-insecure on
    
    Change-Id: I84b1711281bbcbde156200f80ebdb065afb55488
    BUG: 1077452
    Signed-off-by: Venky Shankar <vshankar>
    Reviewed-on: http://review.gluster.org/7820
    Tested-by: Gluster Build System <jenkins.com>
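
An added example, not part of the commit or of GlusterFS: a small volfile reader that reports whether `rpc-auth-allow-insecure` is explicitly switched on in the glusterd volfile. The option lets glusterd accept connections from unprivileged source ports, so it is worth knowing which nodes carry it. The sample volfile, its path value and the function names are constructed for illustration.

```python
TRUE_VALUES = {"1", "on", "yes", "true", "enable"}

# Constructed sample of a glusterd volfile with the option from the commit.
SAMPLE_VOLFILE = """\
volume management
    type mgmt/glusterd
    option working-directory /var/lib/glusterd
    option transport-type socket
    # needed for unprivileged geo-replication sessions
    option rpc-auth-allow-insecure on
end-volume
"""


def parse_volfile(text):
    """Return {volume_name: {option_key: value}} for each volume block."""
    volumes, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        words = line.split(None, 2)
        if words[0] == "volume" and len(words) == 2:
            current = volumes.setdefault(words[1], {})
        elif words[0] == "end-volume":
            current = None
        elif words[0] == "option" and len(words) == 3:
            if current is None:
                raise ValueError("line %d: option outside a volume" % lineno)
            current[words[1]] = words[2].strip()
        # 'type' and other keywords are not needed for this check
    return volumes


def insecure_rpc_explicitly_on(text, volume="management"):
    """True only when the volfile sets rpc-auth-allow-insecure to a true value."""
    options = parse_volfile(text).get(volume, {})
    value = options.get("rpc-auth-allow-insecure")
    return value is not None and value.lower() in TRUE_VALUES


if __name__ == "__main__":
    print("rpc-auth-allow-insecure on:", insecure_rpc_explicitly_on(SAMPLE_VOLFILE))
```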

Comment 31 Anand Avati 2014-05-26 02:53:03 UTC
COMMIT: http://review.gluster.org/7833 committed in master by Venky Shankar (vshankar) 
------
commit be8a3845c7d76d7da66ad278618ff29d0b81903c
Author: Venky Shankar <vshankar>
Date:   Wed May 21 20:49:22 2014 +0530

    gsyncd : Use --remote-host option during cli invocation
    
    Required for unprivileged geo-replication sessions to
    execute glusterd commands (which are however restricted).
    
    Change-Id: Ib83b81defa061717f4465ffa665450d0f5d3d20d
    BUG: 1077452
    Signed-off-by: Venky Shankar <vshankar>
    Reviewed-on: http://review.gluster.org/7833
    Reviewed-by: Kotresh HR <khiremat>
    Tested-by: Gluster Build System <jenkins.com>

Comment 32 Justin Clift 2014-06-19 09:35:27 UTC
Would it be practical to backport this to 3.5.x series?

Comment 33 Niels de Vos 2014-09-22 12:36:54 UTC
A beta release for GlusterFS 3.6.0 has been released. Please verify if the release solves this bug report for you. In case the glusterfs-3.6.0beta1 release does not have a resolution for this issue, leave a comment in this bug and move the status to ASSIGNED. If this release fixes the problem for you, leave a note and change the status to VERIFIED.

Packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailing list [2] and the update (possibly an "updates-testing" repository) infrastructure for your distribution.

[1] http://supercolony.gluster.org/pipermail/gluster-users/2014-September/018836.html
[2] http://supercolony.gluster.org/pipermail/gluster-users/

Comment 34 Niels de Vos 2014-11-11 08:28:49 UTC
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.6.1, please reopen this bug report.

glusterfs-3.6.1 has been announced [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailing list [2] and the update infrastructure for your distribution.

[1] http://supercolony.gluster.org/pipermail/gluster-users/2014-November/019410.html
[2] http://supercolony.gluster.org/mailman/listinfo/gluster-users
