Re: Group-based permissions issue when using ACLs on CephFS


On Fri, Mar 23, 2018 at 8:49 PM, Yan, Zheng <ukernel@xxxxxxxxx> wrote:
On Fri, Mar 23, 2018 at 9:50 PM, Josh Haft <paccrap@xxxxxxxxx> wrote:
> On Fri, Mar 23, 2018 at 12:14 AM, Yan, Zheng <ukernel@xxxxxxxxx> wrote:
>>
>> On Fri, Mar 23, 2018 at 5:14 AM, Josh Haft <paccrap@xxxxxxxxx> wrote:
>> > Hello!
>> >
>> > I'm running Ceph 12.2.2 with one primary and one standby MDS. Mounting
>> > CephFS via ceph-fuse (to leverage quotas), and enabled ACLs by adding
>> > fuse_default_permissions=0 and client_acl_type=posix_acl to the mount
>> > options. I then export this mount via NFS and the clients mount NFS4.1.
>> >
>> does fuse_default_permissions=0 work?
>
> Yes, ACLs work as expected when I set fuse_default_permissions=0.
>
>> > After doing some in-depth testing it seems I'm unable to allow access from
>> > the NFS clients to a directory/file based on group membership when the
>> > underlying CephFS was mounted with ACL support. This issue appears using
>> > both filesystem permissions (e.g. chgrp) and NFSv4 ACLs. However, ACLs do
>> > work if the principal is a user instead of a group. If I disable ACL support
>> > on the ceph-fuse mount, things work as expected using fs permissions;
>> > obviously I don't get ACL support.
>> >
>> > As an intermediate step I did check whether this works directly on the
>> > CephFS filesystem - on the NFS server - and it does. So it appears to be an
>> > issue re-exporting it via NFS.
>> >
>> > I do not see this issue when mounting CephFS via the kernel, exporting via
>> > NFS, and re-running these tests.
>> >
>> > I searched the ML and bug reports but only found this -
>> > http://tracker.ceph.com/issues/12617 - which seems close to the issue I'm
>> > running into, but was closed as resolved 2+ years ago.
>> >
>> > Has anyone else run into this? Am I missing something obvious?
>> >
>>
>> ceph-fuse does the permission check according to localhost's config of
>> supplementary groups. That's why you see this behavior.
>
> You're saying both the NFS client and server (where ceph-fuse is
> running) need to use the same directory backend? (they are)
> I should have mentioned I'm using LDAP/AD on client and server, so I
> don't think that is the problem.
>
> Either way, I would not expect the behavior to change simply by
> enabling ACLs, especially when I'm using filesystem permissions, and
> ACLs aren't part of the equation.

More specifically, ceph-fuse finds which groups the request initiator is
in via the function fuse_req_getgroups(). This function does tricks on
"/proc/%lu/task/%lu/status". It only works when the NFS client and
ceph-fuse are running on the same machine.

So why does this work when I'm using ceph-fuse but ACLs are disabled?  

>> Yan, Zheng
>>
>> > Thanks!
>> > Josh
>> >
>> >
>> > _______________________________________________
>> > ceph-users mailing list
>> > ceph-users@xxxxxxxxxxxxxx
>> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>> >
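
Added example, not part of the original thread and not libfuse or Ceph code: a sketch of the kind of lookup described above, parsing the "Groups:" line of a /proc/<pid>/task/<tid>/status buffer. Both status samples are constructed, the nfsd sample assumes the request reaches the FUSE daemon from a kernel NFS server thread with no supplementary groups, and parse_groups and caller_in_group are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample: a local shell whose user is in three groups. */
static const char LOCAL_STATUS[] =
    "Name:\tbash\nPid:\t4242\nUid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\nFDSize:\t256\n"
    "Groups:\t1000 5001 5002 \nVmPeak:\t  12000 kB\n";

/* Constructed sample: a kernel nfsd thread (assumption: this is the caller
 * the FUSE daemon sees when the mount is re-exported over NFS). */
static const char NFSD_STATUS[] =
    "Name:\tnfsd\nPid:\t1337\nUid:\t0\t0\t0\t0\n"
    "Gid:\t0\t0\t0\t0\nFDSize:\t64\nGroups:\t \nThreads:\t1\n";

/* Parse the "Groups:" line of a status buffer. Stores up to max gids in
 * out; returns the number of gids found, or -1 if the line is missing. */
int parse_groups(const char *status, gid_t *out, int max)
{
    const char *p = strstr(status, "\nGroups:");
    int n = 0;
    if (p == NULL)
        return -1;
    p += strlen("\nGroups:");
    for (;;) {
        char *end;
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\n' || *p == '\0')
            break;                      /* end of the Groups line */
        unsigned long g = strtoul(p, &end, 10);
        if (end == p)
            break;                      /* not a number: stop parsing */
        if (n < max)
            out[n] = (gid_t)g;
        n++;
        p = end;
    }
    return n;
}

/* Would a group-based check for gid pass using only this lookup? */
int caller_in_group(const char *status, gid_t gid)
{
    gid_t groups[64];
    int n = parse_groups(status, groups, 64);
    for (int i = 0; i < n && i < 64; i++)
        if (groups[i] == gid)
            return 1;
    return 0;
}
```

With the constructed samples, the local process is found in gid 5001 while the nfsd thread is not, whatever groups the remote NFS user holds in the directory service.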
