From: NeilBrown <neilb@suse.de>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: paul.szabo@sydney.edu.au, andros@netapp.com, linux-nfs@vger.kernel.org
Subject: Re: Please support NSF squashing multiple groups
Date: Sat, 20 Aug 2011 10:19:46 +1000
Message-ID: <20110820101946.45ffab49@notabene.brown>
In-Reply-To: <20110819234534.GC3589@fieldses.org>

On Fri, 19 Aug 2011 19:45:34 -0400 "J. Bruce Fields" <bfields@fieldses.org>
wrote:

> On Sat, Aug 20, 2011 at 08:35:43AM +1000, paul.szabo@sydney.edu.au wrote:
> > Dear Andy,
> > 
> > > Note that only AUTH_SYS sends GID and GID lists in the rpc_cred.
> > > RPCSEC_GSS with Kerberos only sends the krb5 principal to the server.
> > > The server looks up group membership via nsswitch - either /etc/groups
> > > ...
> > 
> > Can the server be set so as to ignore any AUTH_SYS sends, and accept
> > RPCSEC_GSS only?
> 
> Add something like sec=krb5:krb5i:krb5p to all your exports.
> 
> > > idmapd only deals with groups when a SETATTR arrives with ACE who's that
> > > are group names where it maps the groupname@domain to a gid, or a
> > > GETATTR ACL request where it maps gid->groupname@domain
> > 
> > Can the server be set so as to ignore any attempts from the client to
> > set group memberships, but always set its own from /etc/group?
> 
> Use kerberos, or run mountd with the --manage-gids option.
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I almost suggested this, but then realised that it doesn't help.

With AUTH_SYS the client sends a UID, a GID and a list of at most 16
auxiliary GIDs.

With --manage-gids, the server ignores the list of auxiliary GIDs and
generates a list locally based on the UID.
So the UID and primary GID from the server are still trusted.

So kerberos is really the only option to be able to filter uids and gids
under user-space control.

When I suggested looking at idmap I was actually imagining writing your own
plug-in that did whatever mapping and filtering you wanted.

I think I mentioned before that you would need to use kerberos and NFSv4 to
make use of this but in fact you just need kerberos.  It will work with
NFSv3, though with some limitations.
In particular:
  when the client issues a chown/chgrp request, the uid/gid is used directly
  - idmap does not have a chance to filter/translate it (in v4 it does).
  When the client issues a getattr, the uid/gid are passed through
  unchanged.  idmap does not get to translate it (in v4 it does).

The only mapping available with v3 is the authenticated username of the
entity which issued the request.  idmap gets to translate that into a uid and
gids however the plug-in tells it to.

NeilBrown


> 
> --b.
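
The following is an added illustration, not code from this thread or from nfs-utils: it decodes an AUTH_SYS credential as the client sends it (stamp, machine name, UID, GID, up to 16 auxiliary GIDs) and models what --manage-gids changes, so the point above is visible in data: the auxiliary GID list is replaced from the server's own membership table, while the client-supplied UID and primary GID pass through untouched. All function names and the sample credential and group table are constructed for this example.

```python
import struct

MAX_AUX_GIDS = 16  # AUTH_SYS carries at most 16 auxiliary GIDs (RFC 5531 authsys_parms)

def _pad4(n):
    """XDR pads opaque/string data to a multiple of 4 bytes."""
    return (4 - n % 4) % 4

def parse_auth_sys(body):
    """Decode an XDR-encoded AUTH_SYS credential body.

    Layout: stamp(u32) machinename(string) uid(u32) gid(u32) gids(u32 array, <= 16).
    """
    off = 0
    stamp, namelen = struct.unpack_from("!II", body, off); off += 8
    machinename = body[off:off + namelen].decode(); off += namelen + _pad4(namelen)
    uid, gid, ngids = struct.unpack_from("!III", body, off); off += 12
    if ngids > MAX_AUX_GIDS:
        raise ValueError("too many auxiliary gids: %d" % ngids)
    gids = list(struct.unpack_from("!%dI" % ngids, body, off))
    return {"stamp": stamp, "machinename": machinename, "uid": uid, "gid": gid, "gids": gids}

def encode_auth_sys(stamp, machinename, uid, gid, gids):
    """Inverse of parse_auth_sys; used here only to build the constructed sample."""
    name = machinename.encode()
    out = struct.pack("!II", stamp, len(name)) + name + b"\0" * _pad4(len(name))
    out += struct.pack("!III", uid, gid, len(gids)) + struct.pack("!%dI" % len(gids), *gids)
    return out

def apply_manage_gids(cred, group_db):
    """Model of mountd --manage-gids (hypothetical simplification): the client's
    auxiliary GID list is discarded and rebuilt from the server's own membership
    data keyed on the client-supplied UID. The UID and primary GID are not
    re-derived, which is exactly the limitation the email describes."""
    server_gids = sorted(group_db.get(cred["uid"], ()))
    return dict(cred, gids=server_gids)

# Constructed sample: the client asserts uid 1000 and an auxiliary GID list that the
# server's own records do not agree with. SERVER_GROUP_DB stands in for /etc/group.
SERVER_GROUP_DB = {1000: {100, 1000}}
SAMPLE_CRED = encode_auth_sys(0, "client.example", 1000, 1000, [0, 1000])

def demo():
    """Return (credential as sent, credential after --manage-gids)."""
    cred = parse_auth_sys(SAMPLE_CRED)
    return cred, apply_manage_gids(cred, SERVER_GROUP_DB)
```

Comparing the two results shows why the UID still has to be trusted under AUTH_SYS: only the auxiliary list changes.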

