dell / ansible-powerscale

PowerScale (Isilon) Ansible modules
GNU General Public License v3.0

[BUG]: FS module returns wrong username if UID is equal to other UID in System zone #38

Open Bonifucksy opened 1 year ago

Bonifucksy commented 1 year ago

**Describe the bug**
When you have local users in the System zone with the same UID as users in a custom zone, and you add the custom zone's users to the ACL permissions of a directory in the custom zone, and then get that directory's details with the FS module, the FS module returns the System zone usernames.

**To Reproduce**
Steps to reproduce the behavior:

1. Step 1: create a zone:

```
--------------------------------------------------------------------------------
                   Name: zoneinsidezoneinsidezone
                   Path: /ifs/testzone/zoneinsidezone/zoneinsidezoneinsidezone
               Groupnet: groupnet0
          Map Untrusted:
         Auth Providers: lsa-file-provider:System, lsa-local-provider:zoneinsidezoneinsidezone
           NetBIOS Name:
     User Mapping Rules: -
   Home Directory Umask: 0077
     Skeleton Directory: /usr/share/skel
     Cache Entry Expiry: 4H
Negative Cache Entry Expiry: 1m
                Zone ID: 4
--------------------------------------------------------------------------------
```
2. Step 2: create a user (in my case two of them) in the System zone:

```
                    Name: ansible_user
                      DN: CN=ansible_user,CN=Users,DC=DBISILONSIMULATOR
              DNS Domain: -
                  Domain: DBISILONSIMULATOR
                Provider: lsa-local-provider:System
        Sam Account Name: ansible_user
                     UID: 2000
                     SID: S-1-5-21-1442644921-1582277087-1925991597-1001
                 Enabled: Yes
                 Expired: No
                  Expiry: -
                  Locked: No
                   Email: -
                   GECOS: -
           Generated GID: No
           Generated UID: No
           Generated UPN: Yes
           Primary Group
                          ID: GID:2000
                        Name: ansible
          Home Directory: /ifs/home/ansible_user
        Max Password Age: 4W
        Password Expired: No
         Password Expiry: 2022-09-22T12:20:30
       Password Last Set: 2021-10-05T17:22:20
        Password Expires: No
                   Shell: /bin/zsh
                     UPN: ansible_user@DBISILONSIMULATOR
User Can Change Password: Yes

                    Name: winscp_user
                      DN: CN=winscp_user,CN=Users,DC=DBISILONSIMULATOR
              DNS Domain: -
                  Domain: DBISILONSIMULATOR
                Provider: lsa-local-provider:System
        Sam Account Name: winscp_user
                     UID: 2001
                     SID: S-1-5-21-1442644921-1582277087-1925991597-1002
                 Enabled: Yes
                 Expired: No
                  Expiry: -
                  Locked: No
                   Email: -
                   GECOS: -
           Generated GID: No
           Generated UID: No
           Generated UPN: Yes
           Primary Group
                          ID: GID:1800
                        Name: Isilon Users
          Home Directory: /ifs/home/winscp_user
        Max Password Age: 4W
        Password Expired: No
         Password Expiry: 2022-09-22T12:20:30
       Password Last Set: 2021-10-28T14:00:34
        Password Expires: No
                   Shell: /bin/zsh
                     UPN: winscp_user@DBISILONSIMULATOR
User Can Change Password: Yes
```

3. Step 3: create a user with the same UID (again I have two) in the custom zone:

```
                    Name: lvl3user
                      DN: CN=lvl3user,CN=Users,DC=DBISILONSIMULATOR
              DNS Domain: -
                  Domain: DBISILONSIMULATOR
                Provider: lsa-local-provider:zoneinsidezoneinsidezone
        Sam Account Name: lvl3user
                     UID: 2000
                     SID: S-1-5-21-1932411878-2135597842-4260751763-1000
                 Enabled: Yes
                 Expired: No
                  Expiry: -
                  Locked: No
                   Email: -
                   GECOS: -
           Generated GID: No
           Generated UID: No
           Generated UPN: Yes
           Primary Group
                          ID: GID:1800
                        Name: Isilon Users
          Home Directory: /ifs/testzone/zoneinsidezone/zoneinsidezoneinsidezone/home/lvl3user
        Max Password Age: 4W
        Password Expired: No
         Password Expiry: 2022-09-22T12:22:48
       Password Last Set: 2021-10-07T12:11:55
        Password Expires: No
                   Shell: /bin/zsh
                     UPN: lvl3user@DBISILONSIMULATOR
User Can Change Password: Yes

                    Name: anotheruser3
                      DN: CN=anotheruser3,CN=Users,DC=DBISILONSIMULATOR
              DNS Domain: -
                  Domain: DBISILONSIMULATOR
                Provider: lsa-local-provider:zoneinsidezoneinsidezone
        Sam Account Name: anotheruser3
                     UID: 2001
                     SID: S-1-5-21-1932411878-2135597842-4260751763-1001
                 Enabled: No
                 Expired: No
                  Expiry: -
                  Locked: No
                   Email: -
                   GECOS: -
           Generated GID: No
           Generated UID: No
           Generated UPN: Yes
           Primary Group
                          ID: GID:1800
                        Name: Isilon Users
          Home Directory: /ifs/testzone/zoneinsidezone/zoneinsidezoneinsidezone/home/anotheruser3
        Max Password Age: 4W
        Password Expired: No
         Password Expiry: 2022-09-22T12:22:48
       Password Last Set: 2022-08-03T16:33:34
        Password Expires: No
                   Shell: /bin/zsh
                     UPN: anotheruser3@DBISILONSIMULATOR
User Can Change Password: Yes
```

4. Step 4: add the custom zone's users to the ACL permissions of a folder in the custom zone:

```
DBISILONSIMULATOR-1# ls -led /ifs/testzone/zoneinsidezone/zoneinsidezoneinsidezone/sharelvl3
drwxrw---- +   2 root  wheel  0 Sep 22 12:00 /ifs/testzone/zoneinsidezone/zoneinsidezoneinsidezone/sharelvl3
 OWNER: user:root
 GROUP: group:wheel
 0: user:anotheruser3 allow dir_gen_write,std_delete
 1: user:Guest allow dir_gen_read,dir_gen_write,std_delete
 2: user:lvl3user allow dir_gen_write,std_delete
 3: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
 4: group:wheel allow std_read_dac,std_synchronize,dir_read_attr
```

5. Step 5: get the FS details of that directory using the FS module:

```yaml
- name: Get filesystem details
  dellemc.powerscale.filesystem:
    onefs_host: "{{onefs_host}}"
    verify_ssl: "{{verify_ssl}}"
    api_user: "{{api_user}}"
    api_password: "{{api_password}}"
    access_zone: "zoneinsidezoneinsidezone"
    path: "/sharelvl3"
    state: present
  register: ACL_permissions
```
6. Step 6: the output has System zone users instead of the custom zone's ones:

```json
ok: [DBISILONSIMULATOR] => {
    "add_quota": "",
    "changed": false,
    "create_filesystem": "",
    "delete_filesystem": "",
    "delete_quota": "",
    "filesystem_details": {
        "attrs": [
            ...
        "namespace_acl": {
            "acl": [
                {
                    "accessrights": ["dir_gen_write", "std_delete"],
                    "accesstype": "allow",
                    "inherit_flags": [],
                    "op": null,
                    "trustee": {"id": "UID:2001", "name": "winscp_user", "type": "user"}
                },
                {
                    "accessrights": ["dir_gen_read", "dir_gen_write", "std_delete"],
                    "accesstype": "allow",
                    "inherit_flags": [],
                    "op": null,
                    "trustee": {"id": "UID:1501", "name": "Guest", "type": "user"}
                },
                {
                    "accessrights": ["dir_gen_write", "std_delete"],
                    "accesstype": "allow",
                    "inherit_flags": [],
                    "op": null,
                    "trustee": {"id": "UID:2000", "name": "ansible_user", "type": "user"}
                },
                {
                    "accessrights": ["dir_gen_read", "dir_gen_write", "dir_gen_execute", "std_write_dac", "delete_child"],
                    "accesstype": "allow",
                    "inherit_flags": [],
                    "op": null,
                    "trustee": {"id": "UID:0", "name": "root", "type": "user"}
                },
                {
                    "accessrights": ["std_read_dac", "std_synchronize", "dir_read_attr"],
                    "accesstype": "allow",
                    "inherit_flags": [],
                    "op": null,
                    "trustee": {"id": "GID:0", "name": "wheel", "type": "group"}
                }
            ],
```


**Expected behavior**
FS module should return the custom zone usernames instead of System zone's ones.

**System Information (please complete the following information):**
 - OS/Version: Ubuntu 20.04.4 LTS
 - Ansible Version: 2.13.2
 - Python Version: 3.9.13
 - OneFS version: 9.2.1.10

Bonifucksy commented 1 year ago

Folks, I did some additional testing on this. In addition to returning wrong usernames for users with the same UID, the module returns usernames only if a user with the same UID exists in the System zone, and it returns null if you have a user with a unique UID in a non-System zone. Check this out:

Custom zone user with non-unique UID:

```
--------------------------------------------------------------------------------
                    Name: user_auto_uid
                      DN: CN=user_auto_uid,CN=Users,DC=DBISILONSIMULATOR
              DNS Domain: -
                  Domain: DBISILONSIMULATOR
                Provider: lsa-local-provider:zoneinsidezone
        Sam Account Name: user_auto_uid
                     UID: 2001
                     SID: S-1-5-21-2000583827-658865485-2256679347-1006
                 Enabled: No
                 Expired: No
                  Expiry: -
                  Locked: No
                   Email: -
                   GECOS: -
           Generated GID: No
           Generated UID: No
           Generated UPN: Yes
           Primary Group
                          ID: GID:1800
                        Name: Isilon Users
          Home Directory: /ifs/testzone/zoneinsidezone/home/user_auto_uid
        Max Password Age: 4W
        Password Expired: No
         Password Expiry: 2022-09-23T18:00:07
       Password Last Set: 2022-09-23T17:28:47
        Password Expires: No
                   Shell: /bin/zsh
                     UPN: user_auto_uid@DBISILONSIMULATOR
User Can Change Password: Yes
--------------------------------------------------------------------------------
```

System zone user with the same UID:

```
--------------------------------------------------------------------------------
                    Name: winscp_user
                      DN: CN=winscp_user,CN=Users,DC=DBISILONSIMULATOR
              DNS Domain: -
                  Domain: DBISILONSIMULATOR
                Provider: lsa-local-provider:System
        Sam Account Name: winscp_user
                     UID: 2001
                     SID: S-1-5-21-1442644921-1582277087-1925991597-1002
                 Enabled: Yes
                 Expired: No
                  Expiry: -
                  Locked: No
                   Email: -
                   GECOS: -
           Generated GID: No
           Generated UID: No
           Generated UPN: Yes
           Primary Group
                          ID: GID:1800
                        Name: Isilon Users
          Home Directory: /ifs/home/winscp_user
        Max Password Age: 4W
        Password Expired: No
         Password Expiry: 2022-09-23T18:04:08
       Password Last Set: 2021-10-28T14:00:34
        Password Expires: No
                   Shell: /bin/zsh
                     UPN: winscp_user@DBISILONSIMULATOR
User Can Change Password: Yes
--------------------------------------------------------------------------------
```

Custom zone user with unique UID:

```
--------------------------------------------------------------------------------
                    Name: user3k2
                      DN: CN=user3k2,CN=Users,DC=DBISILONSIMULATOR
              DNS Domain: -
                  Domain: DBISILONSIMULATOR
                Provider: lsa-local-provider:zoneinsidezone
        Sam Account Name: user3k2
                     UID: 3758
                     SID: S-1-5-21-2000583827-658865485-2256679347-1007
                 Enabled: No
                 Expired: No
                  Expiry: -
                  Locked: No
                   Email: -
                   GECOS: -
           Generated GID: No
           Generated UID: No
           Generated UPN: Yes
           Primary Group
                          ID: GID:1800
                        Name: Isilon Users
          Home Directory: /ifs/testzone/zoneinsidezone/home/user3k2
        Max Password Age: 4W
        Password Expired: No
         Password Expiry: 2022-09-23T18:00:07
       Password Last Set: 2022-09-23T17:32:03
        Password Expires: No
                   Shell: /bin/zsh
                     UPN: user3k2@DBISILONSIMULATOR
User Can Change Password: Yes
--------------------------------------------------------------------------------
```

Directory on the cluster:

```
mkdir /ifs/testzone/zoneinsidezone/uid_test_folder
chmod -R +a user 'user3k2' allow dir_gen_read /ifs/testzone/zoneinsidezone/uid_test_folder
chmod -R +a user 'user_auto_uid' allow dir_gen_read,dir_gen_write /ifs/testzone/zoneinsidezone/uid_test_folder
```

```
DBISILONSIMULATOR-1# ls -led /ifs/testzone/zoneinsidezone/uid_test_folder
drwxrw---- +   2 root  wheel  0 Sep 23 18:09 /ifs/testzone/zoneinsidezone/uid_test_folder
 OWNER: user:root
 GROUP: group:wheel
 0: user:user_auto_uid allow dir_gen_read,dir_gen_write
 1: user:user3k2 allow dir_gen_read
 2: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
 3: group:wheel allow std_read_dac,std_synchronize,dir_read_attr
```

The module returns a wrong username (one from the System zone instead of from the custom zone) for one user and just null for another user:

```json
...
"namespace_acl": {
    "acl": [
        {
            "accessrights": [
                "dir_gen_read",
                "dir_gen_write"
            ],
            "accesstype": "allow",
            "inherit_flags": [],
            "op": null,
            "trustee": {
                "id": "UID:2001",
                "name": "winscp_user",
                "type": "user"
            }
        },
        {
            "accessrights": [
                "dir_gen_read"
            ],
            "accesstype": "allow",
            "inherit_flags": [],
            "op": null,
            "trustee": {
                "id": "UID:3758",
                "name": null,
                "type": null
            }
        }
...
```

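A check for the symptom reported in both comments above, added here as an example (it is not code from this issue or from the dellemc.powerscale collection): given the `namespace_acl` fragment the module returns and a per-zone UID-to-name table, it flags user trustees whose reported name belongs to the same UID in a different zone, or that came back as null. Both inputs below are constructed from the listings in this issue.

```python
"""Reconcile trustee names in a filesystem module result against the access
zone's own UID table.  Added example, not code from the issue or collection."""
import json

# Constructed from the `isi auth users view` listings in this issue:
# zone name -> {UID: username}.
ZONE_USERS = {
    "System": {0: "root", 2000: "ansible_user", 2001: "winscp_user"},
    "zoneinsidezone": {2001: "user_auto_uid", 3758: "user3k2"},
}

# Constructed sample in the shape of the module's `namespace_acl` output
# for /ifs/testzone/zoneinsidezone/uid_test_folder.
MODULE_OUTPUT = json.loads("""{"namespace_acl": {"acl": [
 {"accessrights": ["dir_gen_read", "dir_gen_write"], "accesstype": "allow",
  "trustee": {"id": "UID:2001", "name": "winscp_user", "type": "user"}},
 {"accessrights": ["dir_gen_read"], "accesstype": "allow",
  "trustee": {"id": "UID:3758", "name": null, "type": null}},
 {"accessrights": ["std_read_dac"], "accesstype": "allow",
  "trustee": {"id": "GID:0", "name": "wheel", "type": "group"}}
]}}""")


def audit_acl_names(module_output, zone, zone_users=ZONE_USERS):
    """Return (uid, reported_name, expected_name, verdict) for each user
    trustee whose reported name is not the owner of that UID in `zone`."""
    findings = []
    for ace in module_output["namespace_acl"]["acl"]:
        kind, _, ident = ace["trustee"]["id"].partition(":")
        if kind != "UID":              # only UID trustees collide across zones
            continue
        uid, reported = int(ident), ace["trustee"]["name"]
        expected = zone_users.get(zone, {}).get(uid)
        if reported == expected:
            continue                   # resolved in the right zone
        others = [z for z, tbl in zone_users.items()
                  if z != zone and tbl.get(uid) == reported]
        if reported is None:
            verdict = "unresolved"     # module returned null for this UID
        elif others:
            verdict = "name-from-zone:" + others[0]   # same UID, wrong zone
        else:
            verdict = "mismatch"
        findings.append((uid, reported, expected, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_acl_names(MODULE_OUTPUT, "zoneinsidezone"):
        print(finding)
```

Running it against the constructed sample reports `winscp_user` as a System zone name attached to UID 2001 and UID 3758 as unresolved, which is exactly what an automation keyed on usernames would otherwise act on silently.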
Bonifucksy commented 1 year ago

Hey folks, any news on that bug?

anupamaloke commented 1 year ago

@Bonifucksy, sorry for the much delayed response. This is due to an issue with the platform REST API. We are in discussion with the platform team; however, at this point in time there is no ETA for the fix.