In order to support full RPC authentication, we need to be able to transmit an array of gid_ts using the call frame so that posix can call setgroups with those gids. This is needed in order to support RPC authentication schemes where the RPC layer on the client sends us a list of at most 16 group ids for the user on whose behalf the RPC was issued. This needs support from client and server protocols along with the GlusterFS message encoding and decoding routines so that the array of group ids gets supported natively in GlusterFS.
Once the transmission of gids is possible, the next thing that needs to be done is to bring in support in posix such that we depend on our in-house access and permission checking code rather than having to depend on the setfs[ug]id and/or setgroups system calls. setfs[ug]id will not work for us because it only allows setting one uid or gid, whereas the operation needs to be performed using a gid sent to us through the auxiliary group list in RPC. setgroups does not work for setting the aux groups of the current process to a given array of gids because this function sets the gids for the whole process and not just the thread. This model is not acceptable for our purposes. Hence the need to have an in-house access checking mechanism.
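A sketch of the kind of per-request permission check the description above calls for, added here as an illustration and not taken from the GlusterFS patches: the credentials travel with the request and are compared against the file's owner, group and mode bits, so no process-wide or thread-wide identity is changed. The names `req_cred`, `cred_in_group` and `cred_may_access` are hypothetical; the uid 0 handling is an assumption modelled on local Linux filesystems, and ACLs are not considered.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define MAX_AUX_GIDS 16 /* the report's limit: at most 16 group ids per RPC */

/* Hypothetical per-request credentials, carried with the call frame. */
struct req_cred {
    uid_t  uid;
    gid_t  gid;
    gid_t  aux_gids[MAX_AUX_GIDS];
    size_t naux;
};

static bool cred_in_group(const struct req_cred *c, gid_t gid)
{
    if (c->gid == gid)
        return true;
    for (size_t i = 0; i < c->naux; i++)
        if (c->aux_gids[i] == gid)
            return true;
    return false;
}

/* want is a mask of 4 (read), 2 (write), 1 (execute); true only if all are granted. */
bool cred_may_access(const struct req_cred *c, uid_t f_uid, gid_t f_gid,
                     mode_t mode, unsigned want)
{
    if (c->naux > MAX_AUX_GIDS || (want & ~7u))
        return false; /* malformed request: fail closed */
    if (c->uid == 0) /* assumption: uid 0 treated as on a local Linux filesystem */
        return !(want & 1) || S_ISDIR(mode) || (mode & 0111);
    unsigned granted;
    if (c->uid == f_uid)
        granted = (mode >> 6) & 7; /* owner class is exclusive, even if narrower */
    else if (cred_in_group(c, f_gid))
        granted = (mode >> 3) & 7; /* primary or any auxiliary gid matches */
    else
        granted = mode & 7;
    return (granted & want) == want;
}

int main(void)
{
    struct req_cred c = { 1000, 1000, { 2000, 3000 }, 2 }; /* constructed sample */
    printf("aux-group read: %d\n", cred_may_access(&c, 500, 3000, 0640, 4));
    printf("owner with 0070: %d\n", cred_may_access(&c, 1000, 3000, 0070, 4));
    return 0;
}
```

The second call is denied although gid 3000 is in the caller's auxiliary list: once the uid matches the owner, only the owner bits apply.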
PATCH: http://patches.gluster.com/patch/2518 in master (core, client, server: Support auxiliary group ids)
err...not fixed. Auxiliary gid support has two parts: one in the protocol/client and server, which is the previous patch, and a second part in storage/posix. That change is in my NFS tree and will be brought in later with NFS xlator.
PATCH: http://patches.gluster.com/patch/2864 in master (core: Provide helper macro to set [ug]id in frame)
Access control translator is being introduced for a fix to this bug. See bz 597 to know why.
PATCH: http://patches.gluster.com/patch/3068 in master (core: Add iatt protection bit testing macros)
PATCH: http://patches.gluster.com/patch/3069 in master (core: Expose default callbacks)
PATCH: http://patches.gluster.com/patch/3070 in master (access-control: Introduce new translator)