ZTS: delegate: test send:encrypted
Sponsored-by: TrueNAS
Reviewed-by: Alexander Motin <alexander.motin at TrueNAS.com>
Reviewed-by: Brian Behlendorf <behlendorf1 at llnl.gov>
Signed-off-by: Rob Norris <rob.norris at truenas.com>
Closes #18673
(cherry picked from commit 166a6672502c6398b3ef549d4a17f113f5cb2e8d)
ZTS: delegate: check send permissions on encrypted datasets
Sponsored-by: TrueNAS
Reviewed-by: Alexander Motin <alexander.motin at TrueNAS.com>
Reviewed-by: Brian Behlendorf <behlendorf1 at llnl.gov>
Signed-off-by: Rob Norris <rob.norris at truenas.com>
Closes #18673
(cherry picked from commit bce9a8ef7d0b4c1b8e323ef2b045379177c20410)
ZTS: delegate: add encryption option for test fixture datasets
The delegate test framework doesn't care about the encryption status of
the dataset under test, so by adding an option to create with encryption
the framework can be used to check encryption-related permissions
without any further fanfare.
Sponsored-by: TrueNAS
Reviewed-by: Alexander Motin <alexander.motin at TrueNAS.com>
Reviewed-by: Brian Behlendorf <behlendorf1 at llnl.gov>
Signed-off-by: Rob Norris <rob.norris at truenas.com>
Closes #18673
(cherry picked from commit 8303a36488da79c13d0fcca4365d71d5180407c3)
ZTS: remove send_delegation tests
These tests are doing the same tests as delegate/zfs_allow_send, and are
hard to follow and maintain. There's no need for them now, so drop them.
Sponsored-by: TrueNAS
Reviewed-by: Brian Behlendorf <behlendorf1 at llnl.gov>
Signed-off-by: Rob Norris <rob.norris at truenas.com>
Closes #18672
(cherry picked from commit 562b96ced9f28b8517913e5e9f7eaf1686db7cd0)
delegate: add 'send:encrypted' permission
send:encrypted is like send:raw, but only permits encrypted datasets to
be sent - raw send is not permitted for unencrypted datasets.
This commit creates the permission, wires it up, and adds the check for
it in zfs_secpolicy_send_impl(). If it is the last send permission
standing, the dataset is checked for its encryption state.
Sponsored-by: TrueNAS
Reviewed-by: Alexander Motin <alexander.motin at TrueNAS.com>
Reviewed-by: Brian Behlendorf <behlendorf1 at llnl.gov>
Signed-off-by: Rob Norris <rob.norris at truenas.com>
Closes #18673
(cherry picked from commit 97b9ba7a982e36d39a3cf7db271da2fab110769d)
ZTS: delegate: add test for send sub-permissions
Regular send and raw send are actually separate operations with separate
permissions. This adds a test to test the combinations properly using
the existing permission test infrastructure.
Sponsored-by: TrueNAS
Reviewed-by: Brian Behlendorf <behlendorf1 at llnl.gov>
Signed-off-by: Rob Norris <rob.norris at truenas.com>
Closes #18672
(cherry picked from commit 4d1d00f9fe0c87b2334613a0efaa758275f938b8)
zfs_secpolicy_send: lift checks to common function for both
The permissions checks for send are a little involved because different
permissions grant different abilities, and there are two ways to initiate
a send.
This lifts the common permissions checks into a single function, and
ensures that we maintain a single dataset hold across all checks. This
will become important in the next commit when we need to check a
specific dataset property as part of the permission check.
Sponsored-by: TrueNAS
Reviewed-by: Alexander Motin <alexander.motin at TrueNAS.com>
Reviewed-by: Brian Behlendorf <behlendorf1 at llnl.gov>
Signed-off-by: Rob Norris <rob.norris at truenas.com>
Closes #18673
(cherry picked from commit f0d69e6b16d93ab49f1914a29e64d5df6e4f7bc2)
NAS-141469 / 27.0.0-BETA.1 / Fix AD keytab freshness check and recovery churn (#19184)
last_password_change read the secrets.tdb timestamp with a stray ']' in
the key, so it always returned None and check_updated_keytab re-ran the
secrets backup + keytab store hourly. Drop the bracket.
Also cut directory-services recovery churn when AD is FAULTED: fast-fail
the winbind start in idmap.__wbclient_ctx rather than restarting per SID
lookup, cap the directoryservices_change job queue, and fix
get_db_secrets UnboundLocalError on invalid JSON.
Expand CI tests to cover regression.
(cherry picked from commit 69fa65bc1b0e5aa48d52509ff0b7c8098b4d4ab8)
NAS-140548 / 26.0.0-RC.1 / nsupdate: isolate each PTR in its own transaction (by anodos325) (#19230)
Batching IPv4 (in-addr.arpa) and IPv6 (ip6.arpa) PTRs in one DNS UPDATE
made BIND reject the out-of-zone record with NOTZONE, failing AD domain
joins with IPv6 enabled. Send each PTR in its own transaction
(best-effort, logged); forward A/AAAA stay one transaction (fatal). Move
the plan/run logic to utils/dns.py and add unit tests.
Original PR: https://github.com/truenas/middleware/pull/19226
Co-authored-by: Andrew Walker <andrew.walker at truenas.com>
NAS-140548 / 27.0.0-BETA.1 / nsupdate: isolate each PTR in its own transaction (#19226)
Batching IPv4 (in-addr.arpa) and IPv6 (ip6.arpa) PTRs in one DNS UPDATE
made BIND reject the out-of-zone record with NOTZONE, failing AD domain
joins with IPv6 enabled. Send each PTR in its own transaction
(best-effort, logged); forward A/AAAA stay one transaction (fatal). Move
the plan/run logic to utils/dns.py and add unit tests.
(cherry picked from commit 9df53abdd40c50893b398e05b4ab9c29156450d1)