[SRU,Bionic,0/4] NFS: client permission error after adding user to permissible group

Message ID 20230121144713.39111-1-chengen.du@canonical.com

Message

Chengen Du Jan. 21, 2023, 2:47 p.m. UTC
[Impact]
The NFS client's access cache becomes stale due to the user's group membership changing on the server after the user has already logged in on the client.
The access cache only expires if either the NFS_INO_INVALID_ACCESS flag is on or it times out (without delegation).
Adding a user to a group in the NFS server will not cause any file attributes to change.
The client will encounter permission errors until other file attributes are changed or the memory cache is dropped.

[Fix]
The access cache shall be cleared once the user logs out and logs back in again.

0eb43812c0270ee3d005ff32f91f7d0a6c4943af NFS: Clear the file access cache upon login
029085b8949f5d269ae2bbd14915407dd0c7f902 NFS: Judge the file access cache's timestamp in rcu path
5e9a7b9c2ea18551759833146a181b14835bfe39 NFS: Fix up a sparse warning

[Test Plan]
1.[client side] testuser is not part of testgroup
  testuser@kinetic:~$ ls -ld /mnt/private/
  drwxrwx--- 2 root testgroup 4096 Nov 24 08:23 /mnt/private/
  testuser@kinetic:~$ mktemp -p /mnt/private/
  mktemp: failed to create file via template
  ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied
2.[server side] add testuser into testgroup, which has access to folder
  root@kinetic:~$ usermod -aG testgroup testuser &&
  echo `date +'%s'` > /proc/net/rpc/auth.unix.gid/flush
3.[client side] create a file again, but it still fails
  testuser@kinetic:~$ mktemp -p /mnt/private/
  mktemp: failed to create file via template
  ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied

[Where problems could occur]
The fix will apply upstream commits, so the regression can be considered as low.

Chengen Du (1):
  (upstream) NFS: Judge the file access cache's timestamp in rcu path

NeilBrown (1):
  (upstream) cred: add cred_fscmp() for comparing creds.

Trond Myklebust (2):
  (upstream) NFS: Clear the file access cache upon login
  (upstream) NFS: Fix up a sparse warning

 fs/nfs/dir.c           | 30 +++++++++++++++++++++++
 include/linux/cred.h   |  1 +
 include/linux/nfs_fs.h |  1 +
 kernel/cred.c          | 55 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 87 insertions(+)
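
The stale-cache behaviour from [Impact] and the login-based invalidation from [Fix], as an added user-space model that is not part of the original post or of the kernel patches. All struct and function names are hypothetical, and comparing an entry's timestamp with a per-user login time is a simplifying assumption based on the commit titles above.

```c
/* Added example: toy model of a client-side access cache, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct access_entry {           /* one cached ACCESS answer for (user, inode) */
    bool valid, allowed;
    long timestamp;             /* when the server's answer was cached */
};

struct client {
    struct access_entry cache;
    long login_time;            /* start of the user's current login session */
    bool check_login_time;      /* true models the behaviour with the fix */
};

static bool server_in_group;    /* server-side truth: testuser in testgroup? */

/* Permission check as the client sees it at time `now`. */
bool client_may_write(struct client *c, long now)
{
    struct access_entry *e = &c->cache;
    bool stale = c->check_login_time && e->timestamp < c->login_time;

    if (e->valid && !stale)
        return e->allowed;      /* served from cache, server is not asked */
    e->allowed = server_in_group;   /* stands in for an ACCESS round-trip */
    e->timestamp = now;
    e->valid = true;
    return e->allowed;
}

/* Replays the test plan, then a logout/login.
 * Bit 0: step 3 allowed. Bit 1: allowed after logging in again. */
int replay(bool fixed)
{
    struct client c = { .login_time = 0, .check_login_time = fixed };

    server_in_group = false;
    client_may_write(&c, 10);                /* step 1: denied and cached */
    server_in_group = true;                  /* step 2: usermod -aG on server */
    bool step3 = client_may_write(&c, 20);   /* step 3: cached denial */
    c.login_time = 30;                       /* user logs out and back in */
    bool relogin = client_may_write(&c, 40);
    return (step3 ? 1 : 0) | (relogin ? 2 : 0);
}

int main(void)
{
    printf("unfixed=%d fixed=%d\n", replay(false), replay(true));
    return 0;
}
```

In both runs step 3 is still denied, matching the test plan; only the fixed model picks up the new group membership after the user logs in again.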

Comments

Tim Gardner Jan. 23, 2023, 6:18 p.m. UTC | #1
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Luke Nowakowski-Krijger Jan. 23, 2023, 7:43 p.m. UTC | #2
Acked-by: Luke Nowakowski-Krijger <luke.nowakowskikrijger@canonical.com>

Luke Nowakowski-Krijger Jan. 27, 2023, 7:25 p.m. UTC | #3
Restating Andrea's comments, the (upstream) part should be removed here
since that will end up in the commit message. I'll remove it when I'm
applying these patches but just for the future you should not include that
in the commit message. I know there is some old documentation somewhere
where it talks about including that..

Acked-by: Luke Nowakowski-Krijger <luke.nowakowskikrijger@canonical.com>

Luke Nowakowski-Krijger Jan. 31, 2023, 5:05 p.m. UTC | #4
Applied to bionic:linux master-next after dropping the (upstream) parts.

Thanks~!
- Luke
