[NFS-Ganesha-Devel] Re: [EXTERNAL] ganesha is not honoring the nfsv4 acl

-----Original Message----- From: Andrea Cucciarre' via Devel [mailto:devel@lists.nfs-ganesha.org] Sent: Wednesday, October 13, 2021 10:44 AM To: Frank Filz <ffilzlnx(a)mindspring.com>; 'Becker, Jeffrey C. (ARC-TN)[InuTeq, LLC]' <jeffrey.c.becker(a)nasa.gov&gt; Cc: 'Ganesha-devel' <devel(a)lists.nfs-ganesha.org&gt; Subject: [NFS-Ganesha-Devel] Re: [EXTERNAL] ganesha is not honoring the nfsv4 acl Thanks. Is there any documentation link that can help on how to use FSAL_PROXY_V4? Regards Andrea Cucciarre' On 10/13/2021 7:27 PM, Frank Filz wrote: > Oops, I didn't respond to the list... > > Ganesha currently has limited ACL support. > > FSAL_GPFS supports NFSv4 ACLs on the backend > > FSAL_CEPH and FSAL_GLUSTER support conversion between NFSv4 ACLs and > POSIX ACLs to be stored as POSIX ACLs on the backend > > FSAL_LIZARDFS has ACL support but I know almost nothing about Lizardfs to evaluate how it's stored. > > FSAL_PROXY_V4 looks like it has ACL support, I don't know if it actually works. > > Beyond that, Ganesha doesn't support ACLs. It does not support the sideband protocol to do POSIX ACLs for NFSv3 mounts. > > There was a discussion on IRC about FSAL_VFS supporting ACLs for filesystems that support using NFSv4 ACLs via nfs4_get/setfacl. In theory, we could bend things to support NFSv4 re-export and then hook into the ACLs (and that could then work for any other filesystem that also decided to implement ACLs using the same interface) but there are no immediate plans to do so and re-export would be tricky and is honestly better done by FSAL_PROXY_V4 limiting our incentive to support FSAL_VFS NFS re-export with ACLs. > > Frank > >> -----Original Message----- >> From: Becker, Jeffrey C. (ARC-TN)[InuTeq, LLC] via Devel >> [mailto:devel@lists.nfs-ganesha.org] >> Sent: Wednesday, October 13, 2021 8:51 AM >> To: Andrea Cucciarre <acucciarre(a)cloudian.com>; >> devel(a)lists.nfs-ganesha.org >> Subject: [NFS-Ganesha-Devel] Re: [EXTERNAL] ganesha is not honoring >> the nfsv4 acl >> >> I am seeing a similar situation with Ganesha and an NFSv4 mount of a >> directory on which I've run setfacl, and the user in the setfacl gets permission denied. >> >> -Jeff >> >> On 10/13/21, 7:06 AM, "Andrea Cucciarre via Devel" <devel(a)lists.nfs- >> ganesha.org> wrote: >> >> I'm trying to figure out why ganesha is not honoring the nfsv4 >> acl >> >> On the backend filesystem the NFSv4 seems to be properly configured: >> >> # nfs4_getfacl /hyperfile/volumes/1/6_1/dir_1 >> A::andrea:rwaxtTnNcCy >> >> However, on the NFS client user "andrea" can't access the >> directory >> >> $ mount -v | grep nfs >> 10.130.42.92:/vol1 on /mnt type nfs4 >> (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,pro >> t >> o=tc >> p,timeo=600,retrans=2,sec=sys,clientaddr=10.50.50.37,local_lock=none, >> a >> ddr=1 >> 0.130.42.92) >> >> $ cd /mnt/dir_1 >> -bash: cd: /mnt/dir_1: Permission denied >> >> The UID for andrea is the same on NFS client and NFS ganesha server. >> >> I have enabled debug logs in Ganesha, but it doesn't say much to >> me (I have grepped for ACL) >> >> 3/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : >> nfs-ganesha-124687[svc_56] nfs_access_op :NFS3 :DEBUG :access_mask = >> mode(rwx) >> ACL(list_dir,add_file,execute,add_subdirectory,delete_child) >> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf- gmlqp : >> nfs-ganesha-124687[svc_56] fsal_check_access_no_acl :NFS4 ACL :F_DBG >> :file Mode=0777, file uid=0, file gid= 0, user uid=10001, user gid= >> 10002, >> access_type=0X7000000 >> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf- gmlqp : >> nfs-ganesha-124687[svc_56] fsal_check_access_no_acl :NFS4 ACL :F_DBG >> :Mask=0X7000000, Access Type=0X7000000 Allowed=0X7000000 Denied=0X0 >> ALLOWED >> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf- gmlqp : >> nfs-ganesha-124687[svc_56] file_To_Fattr :NFS4 ACL :DEBUG :No >> permission check for ACL for obj 0x563029ad02f8 >> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf- gmlqp : >> nfs-ganesha-124687[svc_53] fsal_check_access_no_acl :NFS4 ACL :F_DBG >> :file Mode=0777, file uid=0, file gid= 0, user uid=10001, user gid= >> 10002, >> access_type=0X1000000 >> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf- gmlqp : >> nfs-ganesha-124687[svc_53] fsal_check_access_no_acl :NFS4 ACL :F_DBG >> :Mask=0X7000000, Access Type=0X1000000 Allowed=0X1000000 Denied=0X0 >> ALLOWED >> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf- gmlqp : >> nfs-ganesha-124687[svc_53] file_To_Fattr :NFS4 ACL :DEBUG :No >> permission check for ACL for obj 0x7f7ca4003748 >> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf- gmlqp : >> nfs-ganesha-124687[svc_57] nfs_access_op :NFS3 :DEBUG :access_mask = >> mode(rwx) >> ACL(list_dir,add_file,execute,add_subdirectory,delete_child) >> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf- gmlqp : >> nfs-ganesha-124687[svc_57] fsal_check_access_no_acl :NFS4 ACL :F_DBG >> :file Mode=0, file uid=0, file gid= 0, user uid=10001, user gid= >> 10002, >> access_type=0X7000000 >> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf- gmlqp : >> nfs-ganesha-124687[svc_57] fsal_check_access_no_acl :NFS4 ACL :F_DBG >> :Mask=0X0, Access Type=0X7000000 Allowed=0X0 Denied=0X7000000 DENIED >> >> 13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf- gmlqp : >> nfs-ganesha-124687[svc_57] file_To_Fattr :NFS4 ACL :DEBUG :No >> permission check for ACL for obj 0x7f7ca4003748 >> _______________________________________________ >> Devel mailing list -- devel(a)lists.nfs-ganesha.org >> To unsubscribe send an email to >> devel-leave(a)lists.nfs-ganesha.org >> >> _______________________________________________ >> Devel mailing list -- devel(a)lists.nfs-ganesha.org To unsubscribe send >> an email to devel-leave(a)lists.nfs-ganesha.org _______________________________________________ Devel mailing list -- devel(a)lists.nfs-ganesha.org To unsubscribe send an email to devel-leave(a)lists.nfs-ganesha.org