From 58ad973109c1e3893a7f47e9cafff6c65fc2dd9a Mon Sep 17 00:00:00 2001 From: nadav mizrahi Date: Wed, 5 Feb 2025 11:20:28 +0200 Subject: [PATCH] NSFS | add configuration flag to enable dinamic supplemental groups allocation Signed-off-by: nadav mizrahi --- config.js | 20 ++++++++++++++----- .../AccountsAndBuckets.md | 2 +- .../ConfigFileCustomizations.md | 14 +++++++++++++ src/native/util/os_darwin.cpp | 3 ++- src/native/util/os_linux.cpp | 3 ++- src/test/unit_tests/test_nsfs_access.js | 11 ++++++++++ 6 files changed, 45 insertions(+), 8 deletions(-) diff --git a/config.js b/config.js index c942c5686a..3735e5446e 100644 --- a/config.js +++ b/config.js @@ -823,6 +823,8 @@ config.NSFS_CONTENT_DIRECTORY_VERSIONING_ENABLED = false; config.NSFS_EXIT_EVENTS_TIME_FRAME_MIN = 24 * 60; // per day config.NSFS_MAX_EXIT_EVENTS_PER_TIME_FRAME = 10; // allow max 10 failed forks per day +config.NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS = 'true'; + config.NSFS_GLACIER_LOGS_DIR = '/var/run/noobaa-nsfs/wal'; config.NSFS_GLACIER_LOGS_POLL_INTERVAL = 10 * 1000; @@ -1106,6 +1108,18 @@ function _get_config_root() { return config_root; } +/** + * go over the config object and set the relevant configurations as environment variables +*/ +function _set_nc_config_to_env() { + const config_to_env = ['NOOBAA_LOG_LEVEL', 'UV_THREADPOOL_SIZE', 'GPFS_DL_PATH', 'NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS']; + Object.values(config_to_env).forEach(function(key) { + if (config[key] !== undefined) { + process.env[key] = config[key]; + } + }); +} + /** * validate_nc_master_keys_config validates the following - * 1. if type is file - @@ -1155,11 +1169,6 @@ function load_nsfs_nc_config() { const merged_config = _.merge(shared_config, node_config || {}); Object.keys(merged_config).forEach(function(key) { - const config_to_env = ['NOOBAA_LOG_LEVEL', 'UV_THREADPOOL_SIZE', 'GPFS_DL_PATH']; - if (config_to_env.includes(key)) { - process.env[key] = merged_config[key]; - return; - } config[key] = merged_config[key]; }); console.warn(`nsfs: config_dir_path=${config.NSFS_NC_CONF_DIR}`); @@ -1171,6 +1180,7 @@ function load_nsfs_nc_config() { if (err.code !== 'MODULE_NOT_FOUND' && err.code !== 'ENOENT') throw err; console.warn('config.load_nsfs_nc_config could not find config.json... skipping'); } + _set_nc_config_to_env(); } /** * reload_nsfs_nc_config reloads on non containerized env the config.json file every 10 seconfs diff --git a/docs/NooBaaNonContainerized/AccountsAndBuckets.md b/docs/NooBaaNonContainerized/AccountsAndBuckets.md index e1b5ac4c7a..340b28148e 100644 --- a/docs/NooBaaNonContainerized/AccountsAndBuckets.md +++ b/docs/NooBaaNonContainerized/AccountsAndBuckets.md @@ -32,7 +32,7 @@ See all available account properties - [NC Account Schema](../../src/server/syst - `uid/gid/user` - An account's access key is mapped to a file system uid/gid (or user). Before performing any file system operation, NooBaa switches to the account's UID/GID, ensuring that accounts access to buckets and objects is enforced by the file system. - `supplemental_groups` - In addition to the account main GID, an account can have supplementary group IDs that are used to determine permissions for accessing files. These GIDs are validated against a files group (GID) permissions. - By default, supplemental groups are based on user's groups in the filesystem. In case this value was set in the CLI it will override the user's groups in the filesystem. In case this value was not set in account configuration (in the CLI) and failed to fetch the user's group in the filesystem (either because no record exists or because the operation failed), supplemental groups will be unset. + By default, supplemental groups are based on user's groups in the filesystem. In case this value was set in the CLI it will override the user's groups in the filesystem. In case this value was not set in account configuration (in the CLI) and failed to fetch the user's group in the filesystem (either because no record exists or because the operation failed), supplemental groups will be unset. You can disable fetching groups from users record in the filesystem by setting NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS to be `false` in config.json. In this case the default would be to unset supplemental groups entirely. Note: Depending on the file system there may be 'sticky bit' enabled somewhere on the files path. 'sticky bit' is a user ownership access right flag that prevents other users than the file owner and root from deleting or moving files. In that case some actions will still get access denied regardless of group permissions enabled. sticky bit is denoted by `t` at the end of the permissions list (example: `drwxrwxrwt`). see https://en.wikipedia.org/wiki/Sticky_bit diff --git a/docs/NooBaaNonContainerized/ConfigFileCustomizations.md b/docs/NooBaaNonContainerized/ConfigFileCustomizations.md index 718dd3965e..8a9b874949 100644 --- a/docs/NooBaaNonContainerized/ConfigFileCustomizations.md +++ b/docs/NooBaaNonContainerized/ConfigFileCustomizations.md @@ -506,6 +506,20 @@ Warning: After setting this configuration, NooBaa will skip schema validations a 3. systemctl restart noobaa ``` +### 34. Dynamic supplemental groups allocation flag - +* Key: `NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS` +* Type: boolean +* Default: true +* Description: whether to fetch supplemental groups dynamicly from FS user record. +* Steps: + ``` + 1. Open /path/to/config_dir/config.json file. + 2. Set the config key - + Example: + "NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS": false + 3. systemctl restart noobaa + ``` + ## Config.json File Examples The following is an example of a config.json file - diff --git a/src/native/util/os_darwin.cpp b/src/native/util/os_darwin.cpp index 01ed046e7d..df75ae785d 100644 --- a/src/native/util/os_darwin.cpp +++ b/src/native/util/os_darwin.cpp @@ -80,7 +80,8 @@ static void set_supplemental_groups(uid_t uid, gid_t gid, std::vector& groups) { //first check if groups were defined in the account configuration if (groups.empty()) { - if (get_supplemental_groups_by_uid(uid, groups) < 0) { + const char* is_enabled = getenv("NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS"); + if ((is_enabled == NULL) || (strcmp(is_enabled, "true") != 0) || get_supplemental_groups_by_uid(uid, groups) < 0) { //aready unset by _mac_thread_setugid return; } diff --git a/src/native/util/os_linux.cpp b/src/native/util/os_linux.cpp index 3fa07f8e4a..8fd74d416b 100644 --- a/src/native/util/os_linux.cpp +++ b/src/native/util/os_linux.cpp @@ -65,7 +65,8 @@ static void set_supplemental_groups(uid_t uid, std::vector& groups) { //first check if groups were defined in the account configuration if (groups.empty()) { - if (get_supplemental_groups_by_uid(uid, groups) < 0) { + const char* is_enabled = getenv("NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS"); + if ((is_enabled == NULL) || (strcmp(is_enabled, "true") != 0) || get_supplemental_groups_by_uid(uid, groups) < 0) { //couldn't get supplemental groups dynamically. set it to be an empty set MUST_SYS(syscall(SYS_setgroups, 0, NULL)); return; diff --git a/src/test/unit_tests/test_nsfs_access.js b/src/test/unit_tests/test_nsfs_access.js index 3d63d74654..e7442f0bb2 100644 --- a/src/test/unit_tests/test_nsfs_access.js +++ b/src/test/unit_tests/test_nsfs_access.js @@ -162,6 +162,17 @@ mocha.describe('new tests check', async function() { assert.equal(err.code, 'EACCES'); } }); + + mocha.it('NON ROOT 4 with disabled dynamicly suplemental groups - failure', async function() { + try { + process.env.NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS = 'false'; + const non_root_entries = await nb_native().fs.readdir(NON_ROOT4_FS_CONFIG, full_path_non_root1); + assert.fail(`non root 4 has access to a folder with disabled supplemental groups - ${p} ${non_root_entries}`); + } catch (err) { + assert.equal(err.code, 'EACCES'); + } + process.env.NSFS_ENABLE_DYNAMIC_SUPPLEMENTAL_GROUPS = 'true'; + }); });