Bug 1344727 - [nfs-ganesha+kerberos]: user continues to perform IO's after ticket destroy, until volume is remounted.
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: nfs-ganesha
Version: rhgs-3.1
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Assignee: Kaleb KEITHLEY
QA Contact: Manisha Saini
Reported: 2016-06-10 14:18 UTC by Shashank Raj
Modified: 2020-08-16 14:45 UTC (History)

Last Closed: 2019-04-29 11:50:02 UTC

Description Shashank Raj 2016-06-10 14:18:47 UTC
Description of problem:

[nfs-ganesha+kerberos]: user continues to perform IO's after ticket destroy, until volume is remounted.

Version-Release number of selected component (if applicable):

nfs-ganesha-2.3.1-8

How reproducible:

Always

Steps to Reproduce:

>> Mount the volume using krb5 on a client and perform some IO's:

[root@dhcp42-130 ~]# df
dhcp42-142.lab.eng.blr.redhat.com:/testvolume 187676672  509952 187166720   1% /mnt3

>> Login as guest user and try to access mount point and observe that it gives permission denied message:

[root@dhcp42-130 ~]# su - guest
Last login: Fri Jun 10 19:09:26 IST 2016 on pts/0
[guest@dhcp42-130 ~]$ cd /mnt3
-bash: cd: /mnt3: Permission denied

>> Generate a kerberos ticket for the user

[guest@dhcp42-130 ~]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found

[guest@dhcp42-130 ~]$ kinit
Password for guest.BLR.REDHAT.COM: 

[guest@dhcp42-130 mnt3]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: guest.BLR.REDHAT.COM

Valid starting       Expires              Service principal
06/10/2016 19:42:48  06/11/2016 19:42:41  nfs/dhcp42-142.lab.eng.blr.redhat.com.BLR.REDHAT.COM
06/10/2016 19:42:41  06/11/2016 19:42:41  krbtgt/LAB.ENG.BLR.REDHAT.COM.BLR.REDHAT.COM

>> Do some IO's on the mountpoint: 

[guest@dhcp42-130 ~]$ cd /mnt3
[guest@dhcp42-130 mnt3]$ ls
fil6  file1  file10  file11  file2  file3  file4  file5  file7  file8  file9  raj
[guest@dhcp42-130 mnt3]$ touch file100
[guest@dhcp42-130 mnt3]$ ls
fil6  file1  file10  file100  file11  file2  file3  file4  file5  file7  file8  file9  raj

>> Destroy the ticket for the user:

[guest@dhcp42-130 ~]$ kdestroy
[guest@dhcp42-130 ~]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found

>> Observe that even after destroying the ticket, user is able to perform IO's:

[guest@dhcp42-130 ~]$ cd /mnt3
[guest@dhcp42-130 mnt3]$ ls
fil6  file1  file10  file100  file11  file2  file3  file4  file5  file7  file8  file9  raj

[guest@dhcp42-130 mnt3]$ date
Fri Jun 10 19:17:58 IST 2016

[guest@dhcp42-130 mnt3]$ ls
fil6  file1  file10  file100  file11  file2  file3  file4  file5  file7  file8  file9  raj
[guest@dhcp42-130 mnt3]$ touch file123
[guest@dhcp42-130 mnt3]$ ls
fil6  file1  file10  file100  file11  file123  file2  file3  file4  file5  file7  file8  file9  raj

[guest@dhcp42-130 mnt3]$ date
Fri Jun 10 19:28:37 IST 2016

[guest@dhcp42-130 mnt3]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found

>> Umount the volume from root and again mount it

[guest@dhcp42-130 mnt3]$ exit
logout

[root@dhcp42-130 ~]# df

dhcp42-142.lab.eng.blr.redhat.com:/testvolume 187676672  509952 187166720   1% /mnt3

[root@dhcp42-130 ~]# umount /mnt3

[root@dhcp42-130 ~]# df
Filesystem                        1K-blocks    Used Available Use% Mounted on
/dev/mapper/rhel_dhcp42--130-root  27740944 1341788  26399156   5% /
devtmpfs                            3995072       0   3995072   0% /dev
tmpfs                               4005468       0   4005468   0% /dev/shm
tmpfs                               4005468    8588   3996880   1% /run
tmpfs                               4005468       0   4005468   0% /sys/fs/cgroup
/dev/vda1                            508588  126924    381664  25% /boot
tmpfs                                801096       0    801096   0% /run/user/0

[root@dhcp42-130 ~]# mount -t nfs -o sec=krb5 dhcp42-142.lab.eng.blr.redhat.com:/testvolume /mnt3

>> Again login as guest user and try to perform IO's and observe that it gives permission denied error now:

[root@dhcp42-130 ~]# su - guest
Last login: Fri Jun 10 19:16:52 IST 2016 on pts/0

[guest@dhcp42-130 ~]$ cd /mnt3
-bash: cd: /mnt3: Permission denied
[guest@dhcp42-130 ~]$ 

Actual results:

user continues to perform IO's after ticket destroy, until volume is remounted.

Expected results:

IO should not happen when the ticket for a user is destroyed.

Additional info:

Comment 2 Niels de Vos 2016-06-10 15:13:55 UTC
kdestroy is not really a good way to test this. I assume the ticket is still in the kernel's keyring for the user's session.

Instead of doing kdestroy, it is better to pass a lifetime to the kinit command. For example, to have a ticket that is valid for two minutes:

  $ kinit -l 2m

Please re-test with this.
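
The retest suggested in comment 2, written out as an added shell example (not part of the bug report and not code from the nfs-ganesha project): it obtains a two-minute ticket, does I/O, waits past the lifetime, confirms from klist that the nfs/ service ticket has expired, and then checks whether a write is still accepted. The function names, the retest-* file names and the sample klist text are assumptions made for this example; the klist column layout is the one shown in the transcript above.

```shell
#!/bin/bash
# Added example, not from the bug report. Assumes klist prints
# "MM/DD/YYYY HH:MM:SS" columns as in the transcript above.

# Constructed klist output, used only to check the parser offline.
SAMPLE_KLIST='Valid starting       Expires              Service principal
06/10/2016 19:42:48  06/10/2016 19:44:41  nfs/server.example.test
06/10/2016 19:42:41  06/10/2016 19:44:41  krbtgt/EXAMPLE.TEST'

# Read klist output on stdin; print the expiry time (YYYYMMDDHHMMSS) of the
# first ticket whose service principal starts with $1.
ticket_expiry() {
    awk -v svc="$1" '
        $3 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ && index($5, svc) == 1 {
            split($3, d, "/"); t = $4; gsub(":", "", t)
            print d[3] d[1] d[2] t; exit
        }'
}

# Succeed when stdin holds no ticket for service prefix $1, or when that
# ticket has expired at time $2 (YYYYMMDDHHMMSS, local time).
ticket_expired() {
    expiry=$(ticket_expiry "$1")
    [ -z "$expiry" ] || [ "$2" -ge "$expiry" ]
}

# Retest: run as the unprivileged user against the krb5 mount given in $1.
# Returns 0 if I/O is refused after expiry, 1 if it still works,
# 2 if the setup failed or the ticket has not expired yet.
retest() {
    mnt=$1
    kinit -l 2m || return 2                     # two-minute ticket (prompts for password)
    touch "$mnt/retest-valid.$$" || return 2    # I/O while the ticket is valid
    sleep 150                                   # wait past the two-minute lifetime
    klist 2>/dev/null | ticket_expired nfs/ "$(date +%Y%m%d%H%M%S)" || return 2
    if touch "$mnt/retest-expired.$$" 2>/dev/null; then
        echo "I/O still allowed after ticket expiry"; return 1
    fi
    echo "I/O denied after ticket expiry"
}

# Usage: retest.sh /mnt3   (nothing runs without an argument)
if [ $# -eq 1 ]; then retest "$1"; fi
```

The write after expiry creates a new file, so it has to reach the server rather than being answered from the client's attribute cache.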

Comment 9 Manisha Saini 2020-08-16 14:45:41 UTC
QE will reopen this issue if again observed in testing. Clearing needinfo.

