Oops, I didn't respond to the list...
Ganesha currently has limited ACL support.

FSAL_GPFS supports NFSv4 ACLs on the backend.
FSAL_CEPH and FSAL_GLUSTER support conversion between NFSv4 ACLs and POSIX ACLs to be stored as POSIX ACLs on the backend.
FSAL_LIZARDFS has ACL support but I know almost nothing about LizardFS to evaluate how it's stored.
FSAL_PROXY_V4 looks like it has ACL support; I don't know if it actually works.

Beyond that, Ganesha doesn't support ACLs. It does not support the sideband protocol to do POSIX ACLs for NFSv3 mounts.

There was a discussion on IRC about FSAL_VFS supporting ACLs for filesystems that support using NFSv4 ACLs via nfs4_get/setfacl. In theory, we could bend things to support NFSv4 re-export and then hook into the ACLs (and that could then work for any other filesystem that also decided to implement ACLs using the same interface), but there are no immediate plans to do so, and re-export would be tricky and is honestly better done by FSAL_PROXY_V4, limiting our incentive to support FSAL_VFS NFS re-export with ACLs.

Frank

-----Original Message-----
From: Becker, Jeffrey C. (ARC-TN)[InuTeq, LLC] via Devel [mailto:devel@lists.nfs-ganesha.org]
Sent: Wednesday, October 13, 2021 8:51 AM
To: Andrea Cucciarre <acucciarre(a)cloudian.com>; devel(a)lists.nfs-ganesha.org
Subject: [NFS-Ganesha-Devel] Re: [EXTERNAL] ganesha is not honoring the nfsv4 acl

I am seeing a similar situation with Ganesha and an NFSv4 mount of a
directory on which I've run setfacl, and the user in the setfacl gets permission
denied.
-Jeff

On 10/13/21, 7:06 AM, "Andrea Cucciarre via Devel" <devel(a)lists.nfs-ganesha.org> wrote:

I'm trying to figure out why ganesha is not honoring the nfsv4 acl.
On the backend filesystem the NFSv4 seems to be properly configured:
# nfs4_getfacl /hyperfile/volumes/1/6_1/dir_1
A::andrea:rwaxtTnNcCy
However, on the NFS client user "andrea" can't access the directory:
$ mount -v | grep nfs
10.130.42.92:/vol1 on /mnt type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.50.50.37,local_lock=none,addr=10.130.42.92)
$ cd /mnt/dir_1
-bash: cd: /mnt/dir_1: Permission denied
The UID for andrea is the same on NFS client and NFS ganesha server.
I have enabled debug logs in Ganesha, but it doesn't say much to me (I have grepped for ACL):
3/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] nfs_access_op :NFS3 :DEBUG :access_mask = mode(rwx) ACL(list_dir,add_file,execute,add_subdirectory,delete_child)
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0777, file uid=0, file gid= 0, user uid=10001, user gid= 10002, access_type=0X7000000
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X7000000, Access Type=0X7000000 Allowed=0X7000000 Denied=0X0 ALLOWED
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] file_To_Fattr :NFS4 ACL :DEBUG :No permission check for ACL for obj 0x563029ad02f8
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_53] fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0777, file uid=0, file gid= 0, user uid=10001, user gid= 10002, access_type=0X1000000
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_53] fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X7000000, Access Type=0X1000000 Allowed=0X1000000 Denied=0X0 ALLOWED
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_53] file_To_Fattr :NFS4 ACL :DEBUG :No permission check for ACL for obj 0x7f7ca4003748
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] nfs_access_op :NFS3 :DEBUG :access_mask = mode(rwx) ACL(list_dir,add_file,execute,add_subdirectory,delete_child)
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0, file uid=0, file gid= 0, user uid=10001, user gid= 10002, access_type=0X7000000
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X0, Access Type=0X7000000 Allowed=0X0 Denied=0X7000000 DENIED
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] file_To_Fattr :NFS4 ACL :DEBUG :No permission check for ACL for obj 0x7f7ca4003748
_______________________________________________
Devel mailing list -- devel(a)lists.nfs-ganesha.org
To unsubscribe send an email to devel-leave(a)lists.nfs-ganesha.org
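
An added example, not part of the thread or of Ganesha's code: a triage script that rejoins mail-wrapped debug output of the kind quoted above and pairs each `fsal_check_access_no_acl` "file Mode=" record with the verdict logged next on the same thread, so a DENIED request can be read against the mode bits and owner it was checked with. The sample log is constructed in the shape of the quoted lines with the host field shortened, the function names are this example's own, and treating these records as decisions made without consulting an ACL is an assumption drawn from the function name and the fields it logs.

```python
import re

# Constructed sample shaped like the debug output quoted in the thread, with
# line wrapping of the kind a mail client introduces; host name shortened.
SAMPLE = """\
13/10/2021 13:53:15 : epoch 6166dd9b : host : nfs-ganesha-124687[svc_56]
fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0777, file uid=0,
file gid= 0, user uid=10001, user gid= 10002, access_type=0X7000000
13/10/2021 13:53:15 : epoch 6166dd9b : host : nfs-ganesha-124687[svc_56]
fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X7000000,
Access Type=0X7000000 Allowed=0X7000000 Denied=0X0 ALLOWED
13/10/2021 13:53:15 : epoch 6166dd9b : host : nfs-ganesha-124687[svc_57]
fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0, file uid=0,
file gid= 0, user uid=10001, user gid= 10002, access_type=0X7000000
13/10/2021 13:53:15 : epoch 6166dd9b : host : nfs-ganesha-124687[svc_57]
fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X0,
Access Type=0X7000000 Allowed=0X0 Denied=0X7000000 DENIED
"""

START = re.compile(r"\n(?=\d{1,2}/\d{1,2}/\d{4} )")
HEAD = re.compile(r"\[(?P<thread>\w+)\] (?P<func>\w+) :")
SUBJECT = re.compile(r"file Mode=(?P<mode>[0-7]+), file uid=(?P<fuid>\d+), "
                     r"file gid= ?(?P<fgid>\d+), user uid=(?P<uid>\d+), user gid= ?(?P<gid>\d+)")
VERDICT = re.compile(r"Access Type=(?P<want>0X[0-9A-F]+) Allowed=(?P<allowed>0X[0-9A-F]+) "
                     r"Denied=(?P<denied>0X[0-9A-F]+) (?P<result>ALLOWED|DENIED)")

def rejoin(text):
    """Undo line wrapping: a record starts at a dd/mm/yyyy timestamp."""
    return [" ".join(r.split()) for r in START.split(text) if r.strip()]

def mode_only_checks(text):
    """Pair each 'file Mode=' record with the next verdict on the same thread."""
    pending, out = {}, []
    for rec in rejoin(text):
        head = HEAD.search(rec)
        if not head or head["func"] != "fsal_check_access_no_acl":
            continue
        subj, verdict = SUBJECT.search(rec), VERDICT.search(rec)
        if subj:
            pending[head["thread"]] = subj.groupdict()
        elif verdict and head["thread"] in pending:
            out.append({**pending.pop(head["thread"]), **verdict.groupdict()})
    return out

def denied(text):
    """Checks that ended in DENIED, with the mode and ids they were decided on."""
    return [c for c in mode_only_checks(text) if c["result"] == "DENIED"]
```

On the sample, `denied(SAMPLE)` returns the one svc_57 check: caller uid 10001 against a root-owned object with Mode=0.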