From: Steve Dickson <SteveD@redhat.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Trond Myklebust <Trond.Myklebust@netapp.com>,
Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] Adding the nfs4_use_min_auth module parameter
Date: Thu, 07 Nov 2013 16:35:48 -0500 [thread overview]
Message-ID: <527C07B4.800@RedHat.com> (raw)
In-Reply-To: <A8E8F2C4-8CB7-434E-8520-B2B53F0582D9@oracle.com>
Hey mrchuck...
On 07/11/13 14:25, Chuck Lever wrote:
> Hi Steve-
>
> On Nov 7, 2013, at 11:09 AM, Steve Dickson <steved@redhat.com> wrote:
>
>> This new module parameter makes the v4 client
>> use the minimal authentication flavor (AUTH_UNIX)
>> when establishing NFSV4 state and doing the
>> pseudoroot lookup
>
> The patch description doesn't say, but is this change to work
> around the 15 second GSSD upcall timeout?
Yes. A 15 second delay on every mount due to security that
nobody is requesting is just not good.. IMHO.. Also running
a security daemon for non-secure mounts just seems wrong to me.
> Have we completely given up on fixing the upcall?
Back when we were looking on to introduce gss-proxy into
the client, it was decided the upcall on the client
was not going to change. I'm just going with that!
steved.
>
>
>> Signed-off-by: Steve Dickson <steved@redhat.com>
>> ---
>> fs/nfs/nfs4_fs.h | 1 +
>> fs/nfs/nfs4client.c | 8 ++++++--
>> fs/nfs/nfs4proc.c | 4 +++-
>> fs/nfs/super.c | 6 +++++-
>> 4 files changed, 15 insertions(+), 4 deletions(-)
>>
>> diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h
>> index 28842ab..20bf925 100644
>> --- a/fs/nfs/nfs4_fs.h
>> +++ b/fs/nfs/nfs4_fs.h
>> @@ -438,6 +438,7 @@ extern bool nfs4_disable_idmapping;
>> extern unsigned short max_session_slots;
>> extern unsigned short send_implementation_id;
>> extern bool recover_lost_locks;
>> +extern bool nfs4_use_min_auth;
>>
>> #define NFS4_CLIENT_ID_UNIQ_LEN (64)
>> extern char nfs4_client_id_uniquifier[NFS4_CLIENT_ID_UNIQ_LEN];
>> diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
>> index a860ab5..ff85991 100644
>> --- a/fs/nfs/nfs4client.c
>> +++ b/fs/nfs/nfs4client.c
>> @@ -355,6 +355,7 @@ struct nfs_client *nfs4_init_client(struct nfs_client *clp,
>> char buf[INET6_ADDRSTRLEN + 1];
>> struct nfs_client *old;
>> int error;
>> + rpc_authflavor_t flavor = RPC_AUTH_GSS_KRB5I;
>>
>> if (clp->cl_cons_state == NFS_CS_READY) {
>> /* the client is initialised already */
>> @@ -368,8 +369,11 @@ struct nfs_client *nfs4_init_client(struct nfs_client *clp,
>> if (clp->cl_minorversion != 0)
>> __set_bit(NFS_CS_INFINITE_SLOTS, &clp->cl_flags);
>> __set_bit(NFS_CS_DISCRTRY, &clp->cl_flags);
>> - error = nfs_create_rpc_client(clp, timeparms, RPC_AUTH_GSS_KRB5I);
>> - if (error == -EINVAL)
>> +
>> + if (nfs4_use_min_auth)
>> + flavor = RPC_AUTH_UNIX;
>> + error = nfs_create_rpc_client(clp, timeparms, flavor);
>> + if (error == -EINVAL && flavor != RPC_AUTH_UNIX)
>> error = nfs_create_rpc_client(clp, timeparms, RPC_AUTH_UNIX);
>> if (error < 0)
>> goto error;
>> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
>> index d53d678..00162cb 100644
>> --- a/fs/nfs/nfs4proc.c
>> +++ b/fs/nfs/nfs4proc.c
>> @@ -2864,7 +2864,9 @@ static int nfs4_find_root_sec(struct nfs_server *server, struct nfs_fh *fhandle,
>> int status = -EPERM;
>> size_t i;
>>
>> - for (i = 0; i < ARRAY_SIZE(flav_array); i++) {
>> + if (nfs4_use_min_auth)
>> + status = nfs4_lookup_root_sec(server, fhandle, info, RPC_AUTH_UNIX);
>> + else for (i = 0; i < ARRAY_SIZE(flav_array); i++) {
>> status = nfs4_lookup_root_sec(server, fhandle, info, flav_array[i]);
>> if (status == -NFS4ERR_WRONGSEC || status == -EACCES)
>> continue;
>> diff --git a/fs/nfs/super.c b/fs/nfs/super.c
>> index a03b9c6..42b4f9b 100644
>> --- a/fs/nfs/super.c
>> +++ b/fs/nfs/super.c
>> @@ -2791,6 +2791,7 @@ unsigned short max_session_slots = NFS4_DEF_SLOT_TABLE_SIZE;
>> unsigned short send_implementation_id = 1;
>> char nfs4_client_id_uniquifier[NFS4_CLIENT_ID_UNIQ_LEN] = "";
>> bool recover_lost_locks = false;
>> +bool nfs4_use_min_auth = false;
>>
>> EXPORT_SYMBOL_GPL(nfs_callback_set_tcpport);
>> EXPORT_SYMBOL_GPL(nfs_callback_tcpport);
>> @@ -2800,6 +2801,7 @@ EXPORT_SYMBOL_GPL(max_session_slots);
>> EXPORT_SYMBOL_GPL(send_implementation_id);
>> EXPORT_SYMBOL_GPL(nfs4_client_id_uniquifier);
>> EXPORT_SYMBOL_GPL(recover_lost_locks);
>> +EXPORT_SYMBOL_GPL(nfs4_use_min_auth);
>>
>> #define NFS_CALLBACK_MAXPORTNR (65535U)
>>
>> @@ -2842,5 +2844,7 @@ MODULE_PARM_DESC(recover_lost_locks,
>> "If the server reports that a lock might be lost, "
>> "try to recover it risking data corruption.");
>>
>> -
>> +module_param(nfs4_use_min_auth, bool, 0644);
>> +MODULE_PARM_DESC(nfs4_use_min_auth,
>> + "Use mimnal auth in SETCLIENTID operation");
>> #endif /* CONFIG_NFS_V4 */
>> --
>> 1.7.1
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com
>
>
>
next prev parent reply other threads:[~2013-11-07 21:34 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-07 19:09 [PATCH] Adding the nfs4_use_min_auth module parameter Steve Dickson
2013-11-07 19:25 ` Chuck Lever
2013-11-07 21:01 ` Jeff Layton
2013-11-07 21:40 ` Steve Dickson
2013-11-07 22:04 ` Jeff Layton
2013-11-07 21:35 ` Steve Dickson [this message]
2013-11-07 23:05 ` Chuck Lever
2013-11-08 12:41 ` Steve Dickson
2013-11-08 13:22 ` Jeff Layton
2013-11-08 15:00 ` Steve Dickson
2013-11-08 15:12 ` Jeff Layton
2013-11-08 16:10 ` Steve Dickson
2013-11-08 16:17 ` J. Bruce Fields
2013-11-08 16:19 ` Steve Dickson
2013-11-08 16:22 ` J. Bruce Fields
2013-11-08 16:28 ` Steve Dickson
2013-11-08 16:39 ` J. Bruce Fields
2013-11-08 16:45 ` Steve Dickson
2013-11-08 18:12 ` Chuck Lever
2013-11-08 18:09 ` Chuck Lever
2013-11-08 20:14 ` J. Bruce Fields
2013-11-08 20:32 ` Steve Dickson
2013-11-09 2:04 ` NeilBrown
2013-11-08 16:27 ` Weston Andros Adamson
2013-11-08 16:38 ` Steve Dickson
2013-11-08 15:04 ` J. Bruce Fields
2013-11-08 15:54 ` Chuck Lever
2013-11-08 16:14 ` J. Bruce Fields
2013-11-08 17:58 ` Chuck Lever
2013-11-08 18:46 ` Chuck Lever
2013-11-08 21:09 ` J. Bruce Fields
2013-11-08 16:17 ` Steve Dickson
2013-11-08 15:46 ` Chuck Lever
2013-11-08 21:25 ` Steve Dickson
2013-11-07 19:26 ` Myklebust, Trond
2013-11-07 21:25 ` Steve Dickson
2013-11-07 21:39 ` Myklebust, Trond
2013-11-07 21:57 ` Steve Dickson
2013-11-07 22:29 ` Myklebust, Trond
2013-11-08 12:21 ` Steve Dickson
2013-11-08 14:30 ` Myklebust, Trond
2013-11-08 15:08 ` Steve Dickson
2013-11-08 15:16 ` Myklebust, Trond
2013-11-08 16:31 ` Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=527C07B4.800@RedHat.com \
--to=steved@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).