Bug 883590 - Gluster CLI does not allow setting root squashing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: glusterd
Version: 2.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: vpshastry
QA Contact: Saurabh
URL:
Whiteboard:
Depends On: 896408
Blocks:
Reported: 2012-12-04 22:53 UTC by Veda Shankar
Modified: 2022-07-09 05:48 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: A root user on a client gains the permissions of the local root user, with all of local root's privileges, which is not desired.
Consequence:
Fix: A root squashing feature, which squashes (converts to nfsnobody) all incoming requests from root (id 0), the same as NFS root-squash, is implemented in the RPC layer on a per-volume basis.
Result: root-squash can be set on/off per volume.
Clone Of:
Environment:
Last Closed: 2013-03-28 22:27:55 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 143703 | 0 | None | None | None | Never
Red Hat Product Errata | RHSA-2013:0691 | 0 | normal | SHIPPED_LIVE | Important: Red Hat Storage 2.0 security, bug fix, and enhancement update #4 | 2013-03-29 02:21:19 UTC

Description Veda Shankar 2012-12-04 22:53:17 UTC

Comment 2 Veda Shankar 2012-12-04 23:08:31 UTC
The GlusterFS volume has root-squashing disabled by default, which is not desirable in production environments. With root squashing enabled, if a RHS volume is accessed from a client using the "root" user id, then the incoming requests are converted to user "nobody".

The Gluster CLI does not allow enabling this feature.

gluster> volume set gvol0 root-squashing enable
option : root-squashing does not exist
Did you mean count-fop-hits or flush-behind?
Set volume unsuccessful

Comment 5 Niels de Vos 2012-12-12 09:22:06 UTC
>> root squashing is disabled by default and can be turned on by
>>
>> "gluster volume set <VOLNAME> root-squashing on"
>>
> Thanks. Is there a feature page with supported use case against this?

Not sure about any feature pages. However, the functionality should be the
same as for RHEL NFS-servers. From 'man 5 exports' on a RHEL NFS-server:

       root_squash
              Map  requests from uid/gid 0 to the anonymous uid/gid. Note that
              this does not apply to any other uids  or  gids  that  might  be
              equally sensitive, such as user bin or group staff.

Testing should be done by mounting a volume and doing some file operations as
root. These operations should be executed as user nobody instead. From my
understanding, both volumes mounted over NFS and GlusterFS-native should be
affected.

Comment 7 Veda Shankar 2012-12-13 16:06:07 UTC
According to customer testing, with root squashing enabled the "write" behavior is correct but the "read" behavior is incorrect, i.e. "others" are allowed access even though the permission is set to 770.
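
Added example, not part of the bug report or of GlusterFS: a small Python model of the root_squash rule quoted from exports(5) in comment 5, followed by a POSIX mode check, showing the result expected for the mode-770 case in comment 7. The anonymous ids (65534), the owner 1000:1000 and all function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

ANON_UID = 65534  # assumption: exports(5) default anonuid
ANON_GID = 65534  # assumption: exports(5) default anongid


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int
    groups: tuple = ()  # supplementary gids


def squash(cred, root_squash=True):
    """Map uid/gid 0 to the anonymous ids; every other id passes through."""
    if not root_squash:
        return cred
    return Cred(
        ANON_UID if cred.uid == 0 else cred.uid,
        ANON_GID if cred.gid == 0 else cred.gid,
        # Model choice: gid 0 in the supplementary list is squashed too.
        tuple(ANON_GID if g == 0 else g for g in cred.groups),
    )


def allowed(cred, mode, owner_uid, owner_gid, want):
    """POSIX class check for `want`, a string drawn from 'rwx'."""
    if cred.uid == 0:
        return True  # simplified: unsquashed root passes every check
    if cred.uid == owner_uid:
        shift = 6  # owner class
    elif owner_gid == cred.gid or owner_gid in cred.groups:
        shift = 3  # group class
    else:
        shift = 0  # "others" class
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return ((mode >> shift) & need) == need


def server_decision(client, root_squash, mode, owner_uid, owner_gid, want):
    """What the server should answer after applying the squash setting."""
    return allowed(squash(client, root_squash), mode, owner_uid, owner_gid, want)


if __name__ == "__main__":
    root = Cred(0, 0)
    # Constructed sample: file owned by 1000:1000 with mode 770.
    for op in ("r", "w"):
        print(op, "squash on:", server_decision(root, True, 0o770, 1000, 1000, op),
              "squash off:", server_decision(root, False, 0o770, 1000, 1000, op))
```

With squashing on, client root lands in the "others" class, so both read and write on a mode-770 file come back denied in this model.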

Comment 8 Amar Tumballi 2012-12-24 08:54:59 UTC
Moving the bug to ON_QA as the CLI option is now available for root-squashing. And there are different bugs opened for tracking issues like comment #7 (bug 887145 and bug 887263).

Comment 10 Niels de Vos 2013-01-17 09:15:15 UTC
Upstream Bug 896408: Gluster CLI does not allow setting root squashing.

Comment 11 Divya 2013-02-12 10:58:16 UTC
Varun,

This bug has been added to Update 4 errata. Could you provide your inputs in the doc text field, which will enable me to update the errata?

Thanks,
Divya

Comment 14 errata-xmlrpc 2013-03-28 22:27:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0691.html

