Hello!
I'm running Ceph 12.2.2 with one primary and one standby MDS. Mounting CephFS via ceph-fuse (to leverage quotas), and enabled ACLs by adding fuse_default_permissions=0 and client_acl_type=posix_acl to the mount options. I then export this mount via NFS and the clients mount NFS4.1.
After doing some in-depth testing it seems I'm unable to allow access from the NFS clients to a directory/file based on group membership when the underlying CephFS was mounted with ACL support. This issue appears using both filesystem permissions (e.g. chgrp) and NFSv4 ACLs. However, ACLs do work if the principal is a user instead of a group. If I disable ACL support on the ceph-fuse mount, things work as expected using fs permissions; obviously I don't get ACL support.
As an intermediate step I did check whether this works directly on the CephFS filesystem - on the NFS server - and it does. So it appears to be an issue re-exporting it via NFS.
I do not see this issue when mounting CephFS via the kernel, exporting via NFS, and re-running these tests.
I searched the ML and bug reports but only found this - http://tracker.ceph.com/issues/12617 - which seems close to the issue I'm running into, but was closed as resolved 2+ years ago.
Has anyone else run into this? Am I missing something obvious?
Thanks!I'm running Ceph 12.2.2 with one primary and one standby MDS. Mounting CephFS via ceph-fuse (to leverage quotas), and enabled ACLs by adding fuse_default_permissions=0 and client_acl_type=posix_acl to the mount options. I then export this mount via NFS and the clients mount NFS4.1.
After doing some in-depth testing it seems I'm unable to allow access from the NFS clients to a directory/file based on group membership when the underlying CephFS was mounted with ACL support. This issue appears using both filesystem permissions (e.g. chgrp) and NFSv4 ACLs. However, ACLs do work if the principal is a user instead of a group. If I disable ACL support on the ceph-fuse mount, things work as expected using fs permissions; obviously I don't get ACL support.
As an intermediate step I did check whether this works directly on the CephFS filesystem - on the NFS server - and it does. So it appears to be an issue re-exporting it via NFS.
I do not see this issue when mounting CephFS via the kernel, exporting via NFS, and re-running these tests.
I searched the ML and bug reports but only found this - http://tracker.ceph.com/issues/12617 - which seems close to the issue I'm running into, but was closed as resolved 2+ years ago.
Has anyone else run into this? Am I missing something obvious?
_______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
