Maybe we should move this to a GitHub issue? ACLs are (in theory)
propagated via the attribute code (and fsal_copy_attrs).
Getting a small, complete debug trace including FSAL and NFS_PROTO (or
whatever the logname is) on GitHub so we have the history for others to see
should at least make it clear where the PROXY_V4 code is dropping it (or
not).
On Wed, Oct 13, 2021 at 10:56 AM Becker, Jeffrey C. (ARC-TN)[InuTeq, LLC]
via Devel <devel(a)lists.nfs-ganesha.org> wrote:
Also - PROXY is not working for me with setfacl at the current time, but I
haven't done exhaustive testing yet.
-Jeff
On 10/13/21, 10:50 AM, "Frank Filz" <ffilzlnx(a)mindspring.com> wrote:
Unfortunately there really isn't much documentation on PROXY beyond
any dribs and drabs in the wiki on github.
Frank
> -----Original Message-----
> From: Andrea Cucciarre' via Devel [mailto:devel(a)lists.nfs-ganesha.org]
> Sent: Wednesday, October 13, 2021 10:44 AM
> To: Frank Filz <ffilzlnx(a)mindspring.com>; 'Becker, Jeffrey C. (ARC-TN)[InuTeq, LLC]' <jeffrey.c.becker(a)nasa.gov>
> Cc: 'Ganesha-devel' <devel(a)lists.nfs-ganesha.org>
> Subject: [NFS-Ganesha-Devel] Re: [EXTERNAL] ganesha is not honoring the nfsv4 acl
>
> Thanks.
> Is there any documentation link that can help on how to use FSAL_PROXY_V4?
>
> Regards
> Andrea Cucciarre'
>
>
>
> On 10/13/2021 7:27 PM, Frank Filz wrote:
> > Oops, I didn't respond to the list...
> >
> > Ganesha currently has limited ACL support.
> >
> > FSAL_GPFS supports NFSv4 ACLs on the backend
> >
> > FSAL_CEPH and FSAL_GLUSTER support conversion between NFSv4 ACLs and
> > POSIX ACLs to be stored as POSIX ACLs on the backend
> >
> > FSAL_LIZARDFS has ACL support but I know almost nothing about Lizardfs to
> > evaluate how it's stored.
> >
> > FSAL_PROXY_V4 looks like it has ACL support, I don't know if it actually works.
> >
> > Beyond that, Ganesha doesn't support ACLs. It does not support the sideband
> > protocol to do POSIX ACLs for NFSv3 mounts.
> >
> > There was a discussion on IRC about FSAL_VFS supporting ACLs for filesystems
> > that support using NFSv4 ACLs via nfs4_get/setfacl. In theory, we could bend
> > things to support NFSv4 re-export and then hook into the ACLs (and that could
> > then work for any other filesystem that also decided to implement ACLs using
> > the same interface) but there are no immediate plans to do so and re-export
> > would be tricky and is honestly better done by FSAL_PROXY_V4 limiting our
> > incentive to support FSAL_VFS NFS re-export with ACLs.
> >
> > Frank
> >
> >> -----Original Message-----
> >> From: Becker, Jeffrey C. (ARC-TN)[InuTeq, LLC] via Devel
> >> [mailto:devel@lists.nfs-ganesha.org]
> >> Sent: Wednesday, October 13, 2021 8:51 AM
> >> To: Andrea Cucciarre <acucciarre(a)cloudian.com>;
> >> devel(a)lists.nfs-ganesha.org
> >> Subject: [NFS-Ganesha-Devel] Re: [EXTERNAL] ganesha is not honoring the nfsv4 acl
> >>
> >> I am seeing a similar situation with Ganesha and an NFSv4 mount of a
> >> directory on which I've run setfacl, and the user in the setfacl gets
> >> permission denied.
> >>
> >> -Jeff
> >>
> >> On 10/13/21, 7:06 AM, "Andrea Cucciarre via Devel" <devel(a)lists.nfs-ganesha.org> wrote:
> >>
> >> I'm trying to figure out why ganesha is not honoring the nfsv4 acl
> >>
> >> On the backend filesystem the NFSv4 seems to be properly configured:
> >>
> >> # nfs4_getfacl /hyperfile/volumes/1/6_1/dir_1
> >> A::andrea:rwaxtTnNcCy
> >>
> >> However, on the NFS client user "andrea" can't access the directory
> >>
> >> $ mount -v | grep nfs
> >> 10.130.42.92:/vol1 on /mnt type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.50.50.37,local_lock=none,addr=10.130.42.92)
> >>
> >> $ cd /mnt/dir_1
> >> -bash: cd: /mnt/dir_1: Permission denied
> >>
> >> The UID for andrea is the same on NFS client and NFS ganesha server.
> >>
> >> I have enabled debug logs in Ganesha, but it doesn't say much to
> >> me (I have grepped for ACL)
> >>
> >> 3/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] nfs_access_op :NFS3 :DEBUG :access_mask = mode(rwx) ACL(list_dir,add_file,execute,add_subdirectory,delete_child)
> >>
> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0777, file uid=0, file gid= 0, user uid=10001, user gid= 10002, access_type=0X7000000
> >>
> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X7000000, Access Type=0X7000000 Allowed=0X7000000 Denied=0X0 ALLOWED
> >>
> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] file_To_Fattr :NFS4 ACL :DEBUG :No permission check for ACL for obj 0x563029ad02f8
> >>
> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_53] fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0777, file uid=0, file gid= 0, user uid=10001, user gid= 10002, access_type=0X1000000
> >>
> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_53] fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X7000000, Access Type=0X1000000 Allowed=0X1000000 Denied=0X0 ALLOWED
> >>
> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_53] file_To_Fattr :NFS4 ACL :DEBUG :No permission check for ACL for obj 0x7f7ca4003748
> >>
> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] nfs_access_op :NFS3 :DEBUG :access_mask = mode(rwx) ACL(list_dir,add_file,execute,add_subdirectory,delete_child)
> >>
> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0, file uid=0, file gid= 0, user uid=10001, user gid= 10002, access_type=0X7000000
> >>
> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X0, Access Type=0X7000000 Allowed=0X0 Denied=0X7000000 DENIED
> >>
> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] file_To_Fattr :NFS4 ACL :DEBUG :No permission check for ACL for obj 0x7f7ca4003748
> >> _______________________________________________
> >> Devel mailing list -- devel(a)lists.nfs-ganesha.org
> >> To unsubscribe send an email to
> >> devel-leave(a)lists.nfs-ganesha.org
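
An added example (not part of the thread and not NFS-Ganesha code): a small Python triage script for a debug trace like the one quoted above. It pairs each `fsal_check_access_no_acl` attribute record with the verdict that follows it on the same worker thread. Treating a function name ending in `_no_acl` as "no ACL was consulted" is an assumption read from the log text, not from the Ganesha source.

```python
import re

# Records taken from the trace quoted in the thread, re-joined onto single lines.
SAMPLE = """\
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0777, file uid=0, file gid= 0, user uid=10001, user gid= 10002, access_type=0X7000000
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X7000000, Access Type=0X7000000 Allowed=0X7000000 Denied=0X0 ALLOWED
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] file_To_Fattr :NFS4 ACL :DEBUG :No permission check for ACL for obj 0x563029ad02f8
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0, file uid=0, file gid= 0, user uid=10001, user gid= 10002, access_type=0X7000000
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X0, Access Type=0X7000000 Allowed=0X0 Denied=0X7000000 DENIED
"""

REC = re.compile(r"\[(?P<thread>svc_\d+)\] (?P<func>\w+) :(?P<rest>.*)$")
ATTRS = re.compile(r"file Mode=(\d+), file uid=(\d+), file gid= *(\d+), "
                   r"user uid=(\d+), user gid= *(\d+)")
VERDICT = re.compile(r"Access Type=(0X[0-9A-F]+) Allowed=(0X[0-9A-F]+) "
                     r"Denied=(0X[0-9A-F]+) (ALLOWED|DENIED)")


def access_decisions(text):
    """Pair each 'file Mode=' record with the next verdict on the same thread."""
    pending, out = {}, []
    for line in text.splitlines():
        rec = REC.search(line)
        if not rec:
            continue
        attrs, verdict = ATTRS.search(rec["rest"]), VERDICT.search(rec["rest"])
        if attrs:
            pending[rec["thread"]] = attrs.groups()
        elif verdict and rec["thread"] in pending:
            mode, fuid, fgid, uuid, ugid = pending.pop(rec["thread"])
            out.append({
                "thread": rec["thread"], "func": rec["func"],
                "mode": int(mode, 8),  # the log prints the mode in octal
                "file_uid": int(fuid), "file_gid": int(fgid),
                "user_uid": int(uuid), "user_gid": int(ugid),
                "access_type": verdict[1], "verdict": verdict[4],
                # Assumption: a *_no_acl checker means only mode bits were used.
                "acl_consulted": not rec["func"].endswith("_no_acl"),
            })
    return out


def mode_only_denials(decisions):
    """Denials decided without an ACL: the cases worth attaching to a bug report."""
    return [d for d in decisions
            if d["verdict"] == "DENIED" and not d["acl_consulted"]]


if __name__ == "__main__":
    for d in mode_only_denials(access_decisions(SAMPLE)):
        print(f'{d["thread"]}: uid {d["user_uid"]} denied {d["access_type"]} '
              f'on mode {d["mode"]:04o} owned by uid {d["file_uid"]}')
```
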