Maybe we should move this to a GitHub issue? ACLs are (in theory) propagated via the attribute code (and fsal_copy_attrs).

Getting a small, complete debug trace including FSAL and NFS_PROTO (or whatever the logname is) on GitHub so we have the history for others to see should at least make it clear where the PROXY_V4 code is dropping it (or not).

On Wed, Oct 13, 2021 at 10:56 AM Becker, Jeffrey C. (ARC-TN)[InuTeq, LLC] via Devel <devel@lists.nfs-ganesha.org> wrote:
Also - PROXY is not working for me with setfacl at the current time, but I haven't done exhaustive testing yet.

-Jeff

On 10/13/21, 10:50 AM, "Frank Filz" <ffilzlnx@mindspring.com> wrote:

    Unfortunately there really isn't much documentation on PROXY beyond any dribs and drabs in the wiki on github.

    Frank

    > -----Original Message-----
    > From: Andrea Cucciarre' via Devel [mailto:devel@lists.nfs-ganesha.org]
    > Sent: Wednesday, October 13, 2021 10:44 AM
    > To: Frank Filz <ffilzlnx@mindspring.com>; 'Becker, Jeffrey C. (ARC-TN)[InuTeq,
    > LLC]' <jeffrey.c.becker@nasa.gov>
    > Cc: 'Ganesha-devel' <devel@lists.nfs-ganesha.org>
    > Subject: [NFS-Ganesha-Devel] Re: [EXTERNAL] ganesha is not honoring the nfsv4
    > acl
    >
    > Thanks.
    > Is there any documentation link that can help on how to use FSAL_PROXY_V4?
    >
    > Regards
    > Andrea Cucciarre'
    >
    >
    >
    > On 10/13/2021 7:27 PM, Frank Filz wrote:
    > > Oops, I didn't respond to the list...
    > >
    > > Ganesha currently has limited ACL support.
    > >
    > > FSAL_GPFS supports NFSv4 ACLs on the backend
    > >
    > > FSAL_CEPH and FSAL_GLUSTER support conversion between NFSv4 ACLs and
    > > POSIX ACLs to be stored as POSIX ACLs on the backend
    > >
    > > FSAL_LIZARDFS has ACL support but I know almost nothing about Lizardfs to evaluate how it's stored.
    > >
    > > FSAL_PROXY_V4 looks like it has ACL support, I don't know if it actually works.
    > >
    > > Beyond that, Ganesha doesn't support ACLs. It does not support the sideband protocol to do POSIX ACLs for NFSv3 mounts.
    > >
    > > There was a discussion on IRC about FSAL_VFS supporting ACLs for filesystems that support using NFSv4 ACLs via nfs4_get/setfacl. In theory, we could bend things to support NFSv4 re-export and then hook into the ACLs (and that could then work for any other filesystem that also decided to implement ACLs using the same interface) but there are no immediate plans to do so and re-export would be tricky and is honestly better done by FSAL_PROXY_V4 limiting our incentive to support FSAL_VFS NFS re-export with ACLs.
    > >
    > > Frank
    > >
    > >> -----Original Message-----
    > >> From: Becker, Jeffrey C. (ARC-TN)[InuTeq, LLC] via Devel
    > >> [mailto:devel@lists.nfs-ganesha.org]
    > >> Sent: Wednesday, October 13, 2021 8:51 AM
    > >> To: Andrea Cucciarre <acucciarre@cloudian.com>;
    > >> devel@lists.nfs-ganesha.org
    > >> Subject: [NFS-Ganesha-Devel] Re: [EXTERNAL] ganesha is not honoring
    > >> the nfsv4 acl
    > >>
    > >> I am seeing a similar situation with Ganesha and an NFSv4 mount of a
    > >> directory on which I've run setfacl, and the user in the setfacl gets permission denied.
    > >>
    > >> -Jeff
    > >>
    > >> On 10/13/21, 7:06 AM, "Andrea Cucciarre via Devel" <devel@lists.nfs-ganesha.org> wrote:
    > >>
    > >>      I'm trying to figure out why ganesha is not honoring the nfsv4 acl
    > >>
    > >>      On the backend filesystem the NFSv4 seems to be properly configured:
    > >>
    > >>      # nfs4_getfacl /hyperfile/volumes/1/6_1/dir_1
    > >>      A::andrea:rwaxtTnNcCy
    > >>
    > >>      However, on the NFS client user "andrea" can't access the directory
    > >>
    > >>      $ mount -v | grep nfs
    > >>      10.130.42.92:/vol1 on /mnt type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.50.50.37,local_lock=none,addr=10.130.42.92)
    > >>
    > >>      $ cd /mnt/dir_1
    > >>      -bash: cd: /mnt/dir_1: Permission denied
    > >>
    > >>      The UID for andrea is the same on NFS client and NFS ganesha server.
    > >>
    > >>      I have enabled debug logs in Ganesha, but it doesn't say much to me (I have grepped for ACL)
    > >>
    > >>      3/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] nfs_access_op :NFS3 :DEBUG :access_mask = mode(rwx) ACL(list_dir,add_file,execute,add_subdirectory,delete_child)
    > >>
    > >>      13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0777, file uid=0, file gid= 0, user uid=10001, user gid= 10002, access_type=0X7000000
    > >>
    > >>      13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X7000000, Access Type=0X7000000 Allowed=0X7000000 Denied=0X0 ALLOWED
    > >>
    > >>      13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] file_To_Fattr :NFS4 ACL :DEBUG :No permission check for ACL for obj 0x563029ad02f8
    > >>
    > >>      13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_53] fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0777, file uid=0, file gid= 0, user uid=10001, user gid= 10002, access_type=0X1000000
    > >>
    > >>      13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_53] fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X7000000, Access Type=0X1000000 Allowed=0X1000000 Denied=0X0 ALLOWED
    > >>
    > >>      13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_53] file_To_Fattr :NFS4 ACL :DEBUG :No permission check for ACL for obj 0x7f7ca4003748
    > >>
    > >>      13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] nfs_access_op :NFS3 :DEBUG :access_mask = mode(rwx) ACL(list_dir,add_file,execute,add_subdirectory,delete_child)
    > >>
    > >>      13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0, file uid=0, file gid= 0, user uid=10001, user gid= 10002, access_type=0X7000000
    > >>
    > >>      13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X0, Access Type=0X7000000 Allowed=0X0 Denied=0X7000000 DENIED
    > >>
    > >>      13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] file_To_Fattr :NFS4 ACL :DEBUG :No permission check for ACL for obj 0x7f7ca4003748
    > >>      _______________________________________________
    > >>      Devel mailing list -- devel@lists.nfs-ganesha.org
    > >>      To unsubscribe send an email to
    > >> devel-leave@lists.nfs-ganesha.org
    > >>


_______________________________________________
Devel mailing list -- devel@lists.nfs-ganesha.org
To unsubscribe send an email to devel-leave@lists.nfs-ganesha.org
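
An added example (not part of the original messages, and not NFS-Ganesha code): a small parser that pairs the two `fsal_check_access_no_acl` debug lines logged per worker thread and lists each decision with the file mode and ids it was logged with, one way to condense a trace like the one quoted in the thread before attaching it to an issue. The line layout is assumed from that trace with mail-wrapped lines rejoined; `no_acl_decisions` and `denials` are hypothetical names.

```python
import re

# Four lines taken from the trace quoted in the thread, mail wrapping rejoined.
SAMPLE = """\
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0777, file uid=0, file gid= 0, user uid=10001, user gid= 10002, access_type=0X7000000
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_56] fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X7000000, Access Type=0X7000000 Allowed=0X7000000 Denied=0X0 ALLOWED
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] fsal_check_access_no_acl :NFS4 ACL :F_DBG :file Mode=0, file uid=0, file gid= 0, user uid=10001, user gid= 10002, access_type=0X7000000
13/10/2021 13:53:15 : epoch 6166dd9b : hf-frontend-1-1-699f6cb8cf-gmlqp : nfs-ganesha-124687[svc_57] fsal_check_access_no_acl :NFS4 ACL :F_DBG :Mask=0X0, Access Type=0X7000000 Allowed=0X0 Denied=0X7000000 DENIED
"""

# Assumed layout: "[svc_NN] function_name :COMPONENT :LEVEL :message"
HEAD = re.compile(r"\[(?P<thread>svc_\d+)\] (?P<func>\w+) :")
ATTRS = re.compile(
    r"file Mode=(?P<mode>[0-7]+), file uid=(?P<file_uid>\d+), "
    r"file gid= ?(?P<file_gid>\d+), user uid=(?P<user_uid>\d+), "
    r"user gid= ?(?P<user_gid>\d+)")
RESULT = re.compile(
    r"Mask=(?P<mask>0X[0-9A-Fa-f]+), Access Type=(?P<requested>0X[0-9A-Fa-f]+) "
    r"Allowed=(?P<allowed>0X[0-9A-Fa-f]+) Denied=(?P<denied>0X[0-9A-Fa-f]+) "
    r"(?P<verdict>ALLOWED|DENIED)")


def no_acl_decisions(log_text):
    """Pair each attribute line with the verdict line from the same thread."""
    pending = {}      # thread name -> fields from the attribute line
    decisions = []
    for line in log_text.splitlines():
        head = HEAD.search(line)
        if not head or head["func"] != "fsal_check_access_no_acl":
            continue
        attrs, result = ATTRS.search(line), RESULT.search(line)
        if attrs:
            pending[head["thread"]] = attrs.groupdict()
        elif result and head["thread"] in pending:
            record = pending.pop(head["thread"])
            record.update(result.groupdict(), thread=head["thread"])
            decisions.append(record)
    return decisions


def denials(log_text):
    """Decisions logged by fsal_check_access_no_acl that ended in DENIED."""
    return [d for d in no_acl_decisions(log_text) if d["verdict"] == "DENIED"]


if __name__ == "__main__":
    for d in no_acl_decisions(SAMPLE):
        print(d["thread"], d["verdict"], "mode=" + d["mode"],
              "file_uid=" + d["file_uid"], "user_uid=" + d["user_uid"])
```
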