From: Olga Kornievskaia <aglo@umich.edu>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Trond Myklebust <trondmy@hammerspace.com>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: acls+kerberos (limitation)
Date: Fri, 20 Dec 2019 13:15:27 -0500 [thread overview]
Message-ID: <CAN-5tyEv4UTfCmkkrYFnOB7nHAV8qX7opfSb=RJT_=PA5tih4g@mail.gmail.com> (raw)
In-Reply-To: <C5067A0A-5FA4-4FC0-B5B6-828EB3E83373@oracle.com>
On Wed, Dec 18, 2019 at 2:34 PM Chuck Lever <chuck.lever@oracle.com> wrote:
>
>
>
> > On Dec 18, 2019, at 2:31 PM, Olga Kornievskaia <aglo@umich.edu> wrote:
> >
> > On Wed, Dec 18, 2019 at 2:05 PM Trond Myklebust <trondmy@hammerspace.com> wrote:
> >>
> >> On Wed, 2019-12-18 at 12:47 -0500, Olga Kornievskaia wrote:
> >>> Hi folks,
> >>>
> >>> Is this a well know but undocumented fact that you can't set large
> >>> amount of acls (over 4096bytes, ~90acls) while mounted using
> >>> krb5i/krb5p? That if you want to get/set large acls, it must be done
> >>> over auth_sys/krb5?
> >>>
> >>
> >> It's certainly not something that I was aware of. Do you see where that
> >> limitation is coming from?
> >
> > I haven't figure it exactly but gss_unwrap_resp_integ() is failing in
> > if (mic_offset > rcv_buf->len). I'm just not sure who sets up the
> > buffer (or why rvc_buf->len is (4280) larger than a page can a
> > page-limit might make sense to for me but it's not). So you think it
> > should have been working.
>
> The buffer is set up in the XDR encoder. But pages can be added
> by the transport... I guess rcv_buf->len isn't updated when that
> happens.
>
Here's why the acl+krbi/krb5p is failing.
acl tool first calls into the kernel to find out how large of a buffer
it needs to supply and gets acl size then calls down again then code
in __nfs4_get_acl_uncached() allocates a number of pages (this what
set's the available buffer length later used by the sunrpc code). That
works for non-integrity because in call_decode() the call
rpc_unwrap_resp() doesn't try to calculate the checksum on the buffer
that was just read. However, when its krb5i/krb5p we have truncated
buffer and mic offset that's larger than the existing buffer.
I think something needs to be marked to skip doing gss for the initial
acl query? I first try providing more space in
__nfs4_get_acl_uncached() for when authflavor=krb5i/krb5p and buflen=0
but no matter what the number is the received acl can be larger than
that thus I don't think that's a good approach.
> --
> Chuck Lever
>
>
>
next prev parent reply other threads:[~2019-12-20 18:15 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-18 17:47 acls+kerberos (limitation) Olga Kornievskaia
2019-12-18 19:05 ` Trond Myklebust
2019-12-18 19:31 ` Olga Kornievskaia
2019-12-18 19:34 ` Chuck Lever
2019-12-20 18:15 ` Olga Kornievskaia [this message]
2019-12-20 18:28 ` Chuck Lever
2019-12-20 20:04 ` Olga Kornievskaia
2019-12-20 20:11 ` Chuck Lever
2019-12-20 20:53 ` Olga Kornievskaia
2019-12-20 20:57 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAN-5tyEv4UTfCmkkrYFnOB7nHAV8qX7opfSb=RJT_=PA5tih4g@mail.gmail.com' \
--to=aglo@umich.edu \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=trondmy@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).