NSFS | add configuration flag to enable dinamic supplemental groups a…

…llocation

Signed-off-by: nadav mizrahi <[email protected]>

config.js

@@ -823,6 +823,8 @@ config.NSFS_CONTENT_DIRECTORY_VERSIONING_ENABLED = false;
 config.NSFS_EXIT_EVENTS_TIME_FRAME_MIN = 24 * 60; // per day
 config.NSFS_MAX_EXIT_EVENTS_PER_TIME_FRAME = 10; // allow max 10 failed forks per day
 
+config.NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS = 'true';
+
 config.NSFS_GLACIER_LOGS_DIR = '/var/run/noobaa-nsfs/wal';
 config.NSFS_GLACIER_LOGS_POLL_INTERVAL = 10 * 1000;
 
@@ -1106,6 +1108,18 @@ function _get_config_root() {
     return config_root;
 }
 
+/**
+ * go over the config object and set the relevant configurations as environment variables
+*/
+function _set_nc_config_to_env() {
+    const config_to_env = ['NOOBAA_LOG_LEVEL', 'UV_THREADPOOL_SIZE', 'GPFS_DL_PATH', 'NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS'];
+    Object.values(config_to_env).forEach(function(key) {
+        if (config[key] !== undefined) {
+            process.env[key] = config[key];
+        }
+    });
+}
+
 /**
  * validate_nc_master_keys_config validates the following -
  * 1. if type is file -
@@ -1155,11 +1169,6 @@ function load_nsfs_nc_config() {
         const merged_config = _.merge(shared_config, node_config || {});
 
         Object.keys(merged_config).forEach(function(key) {
-            const config_to_env = ['NOOBAA_LOG_LEVEL', 'UV_THREADPOOL_SIZE', 'GPFS_DL_PATH'];
-            if (config_to_env.includes(key)) {
-                process.env[key] = merged_config[key];
-                return;
-            }
             config[key] = merged_config[key];
         });
         console.warn(`nsfs: config_dir_path=${config.NSFS_NC_CONF_DIR}`);
@@ -1171,6 +1180,7 @@ function load_nsfs_nc_config() {
         if (err.code !== 'MODULE_NOT_FOUND' && err.code !== 'ENOENT') throw err;
         console.warn('config.load_nsfs_nc_config could not find config.json... skipping');
     }
+    _set_nc_config_to_env();
 }
 /**
  * reload_nsfs_nc_config reloads on non containerized env the config.json file every 10 seconfs

docs/NooBaaNonContainerized/AccountsAndBuckets.md

@@ -32,7 +32,7 @@ See all available account properties - [NC Account Schema](../../src/server/syst
   - `uid/gid/user` - An account's access key is mapped to a file system uid/gid (or user). Before performing any file system operation, NooBaa switches to the account's UID/GID, ensuring that accounts access to buckets and objects is enforced by the file system.  
 
   - `supplemental_groups` - In addition to the account main GID, an account can have supplementary group IDs that are used to determine permissions for accessing files. These GIDs are validated against a files group (GID) permissions.
-  By default, supplemental groups are based on user's groups in the filesystem. In case this value was set in the CLI it will override the user's groups in the filesystem. In case this value was not set in account configuration (in the CLI) and failed to fetch the user's group in the filesystem (either because no record exists or because the operation failed), supplemental groups will be unset.
+  By default, supplemental groups are based on user's groups in the filesystem. In case this value was set in the CLI it will override the user's groups in the filesystem. In case this value was not set in account configuration (in the CLI) and failed to fetch the user's group in the filesystem (either because no record exists or because the operation failed), supplemental groups will be unset. You can disable fetching groups from users record in the filesystem by setting NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS to be `false` in config.json. In this case the default would be to unset supplemental groups entirely.
   Note: Depending on the file system there may be 'sticky bit' enabled somewhere on the files path. 'sticky bit' is a user ownership access right flag that prevents other users than the file owner and root from deleting or moving files.
   In that case some actions will still get access denied regardless of group permissions enabled. sticky bit is denoted by `t` at the end of the permissions list (example: `drwxrwxrwt`). see https://en.wikipedia.org/wiki/Sticky_bit
 

docs/NooBaaNonContainerized/ConfigFileCustomizations.md

@@ -506,6 +506,20 @@ Warning: After setting this configuration, NooBaa will skip schema validations a
     3. systemctl restart noobaa
     ```
 
+### 34. Dynamic supplemental groups allocation flag -
+* <u>Key</u>: `NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS`
+* <u>Type</u>: boolean
+* <u>Default</u>: true
+* <u>Description</u>: whether to fetch supplemental groups dynamicly from FS user record.
+* <u>Steps</u>:
+    ```
+    1. Open /path/to/config_dir/config.json file.
+    2. Set the config key -
+    Example:
+    "NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS": false
+    3. systemctl restart noobaa
+    ```
+
 ## Config.json File Examples
 The following is an example of a config.json file - 
 

src/native/util/os_darwin.cpp

@@ -80,7 +80,8 @@ static void
 set_supplemental_groups(uid_t uid, gid_t gid, std::vector<gid_t>& groups) {
     //first check if groups were defined in the account configuration
     if (groups.empty()) {
-        if (get_supplemental_groups_by_uid(uid, groups) < 0) {
+        const char* is_enabled = getenv("NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS");
+        if ((is_enabled == NULL) || (strcmp(is_enabled, "true") != 0) || get_supplemental_groups_by_uid(uid, groups) < 0) {
             //aready unset by _mac_thread_setugid
             return;
         }

src/native/util/os_linux.cpp

@@ -65,7 +65,8 @@ static void
 set_supplemental_groups(uid_t uid, std::vector<gid_t>& groups) {
     //first check if groups were defined in the account configuration
     if (groups.empty()) {
-        if (get_supplemental_groups_by_uid(uid, groups) < 0) {
+        const char* is_enabled = getenv("NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS");
+        if ((is_enabled == NULL) || (strcmp(is_enabled, "true") != 0) || get_supplemental_groups_by_uid(uid, groups) < 0) {
             //couldn't get supplemental groups dynamically. set it to be an empty set
             MUST_SYS(syscall(SYS_setgroups, 0, NULL));
             return;

src/test/unit_tests/test_nsfs_access.js

@@ -162,6 +162,17 @@ mocha.describe('new tests check', async function() {
             assert.equal(err.code, 'EACCES');
         }
     });
+
+    mocha.it('NON ROOT 4 with disabled dynamicly suplemental groups - failure', async function() {
+        try {
+            process.env.NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS = 'false';
+            const non_root_entries = await nb_native().fs.readdir(NON_ROOT4_FS_CONFIG, full_path_non_root1);
+            assert.fail(`non root 4 has access to a folder with disabled supplemental groups - ${p} ${non_root_entries}`);
+        } catch (err) {
+            assert.equal(err.code, 'EACCES');
+        }
+        process.env.NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS = 'true';
+    });
 });