On Sat, Mar 24, 2018 at 11:34 AM, Josh Haft <paccrap@xxxxxxxxx> wrote:
>
>
> On Fri, Mar 23, 2018 at 8:49 PM, Yan, Zheng <ukernel@xxxxxxxxx> wrote:
>>
>> On Fri, Mar 23, 2018 at 9:50 PM, Josh Haft <paccrap@xxxxxxxxx> wrote:
>> > On Fri, Mar 23, 2018 at 12:14 AM, Yan, Zheng <ukernel@xxxxxxxxx> wrote:
>> >>
>> >> On Fri, Mar 23, 2018 at 5:14 AM, Josh Haft <paccrap@xxxxxxxxx> wrote:
>> >> > Hello!
>> >> >
>> >> > I'm running Ceph 12.2.2 with one primary and one standby MDS. Mounting
>> >> > CephFS via ceph-fuse (to leverage quotas), and enabled ACLs by adding
>> >> > fuse_default_permissions=0 and client_acl_type=posix_acl to the mount
>> >> > options. I then export this mount via NFS and the clients mount NFS4.1.
>> >> >
>> >> Does fuse_default_permissions=0 work?
>> >
>> > Yes, ACLs work as expected when I set fuse_default_permissions=0.
>> >
>> >> > After doing some in-depth testing it seems I'm unable to allow access from
>> >> > the NFS clients to a directory/file based on group membership when the
>> >> > underlying CephFS was mounted with ACL support. This issue appears using
>> >> > both filesystem permissions (e.g. chgrp) and NFSv4 ACLs. However, ACLs do
>> >> > work if the principal is a user instead of a group. If I disable ACL support
>> >> > on the ceph-fuse mount, things work as expected using fs permissions;
>> >> > obviously I don't get ACL support.
>> >> >
>> >> > As an intermediate step I did check whether this works directly on the
>> >> > CephFS filesystem - on the NFS server - and it does. So it appears to be an
>> >> > issue re-exporting it via NFS.
>> >> >
>> >> > I do not see this issue when mounting CephFS via the kernel, exporting via
>> >> > NFS, and re-running these tests.
>> >> >
>> >> > I searched the ML and bug reports but only found this -
>> >> > http://tracker.ceph.com/issues/12617 - which seems close to the issue I'm
>> >> > running into, but was closed as resolved 2+ years ago.
>> >> >
>> >> > Has anyone else run into this? Am I missing something obvious?
>> >> >
>> >>
>> >> ceph-fuse does the permission check according to localhost's config of
>> >> supplementary groups. That's why you see this behavior.
>> >
>> > You're saying both the NFS client and server (where ceph-fuse is
>> > running) need to use the same directory backend? (they are)
>> > I should have mentioned I'm using LDAP/AD on client and server, so I
>> > don't think that is the problem.
>> >
>> > Either way, I would not expect the behavior to change simply by
>> > enabling ACLs, especially when I'm using filesystem permissions, and
>> > ACLs aren't part of the equation.
>>
>> More specifically, ceph-fuse finds which groups the request initiator is
>> in by the function fuse_req_getgroups(). This function does tricks on
>> "/proc/%lu/task/%lu/status". It only works when the NFS client and
>> ceph-fuse are running on the same machine.
>> > So why does this work when I'm using ceph-fuse but ACLs are disabled?
>> Really? Please check if supplementary groups work for inodes without ACL (mount fuse with config option fuse_default_permissions=0).
>>
>>
>> Yan, Zheng
>>
>> >>
>> >> > Thanks!
>> >> > Josh
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > ceph-users mailing list
>> >> > ceph-users@xxxxxxxxxxxxxx
>> >> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>> >> >
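
The group lookup described in the thread, as an added example that is not part of the original messages and is not libfuse or Ceph code: it parses the "Groups:" line of a /proc status text and makes a group-class access decision from it, showing why the same user passes when the request comes from a local process and fails when it arrives through the NFS server. The helper names, the status texts and the gid values are constructed, and the empty Groups line for the NFS server thread is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
/* Constructed sample: status text of a local process run by uid 1000. */
static const char LOCAL_STATUS[] =
    "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGroups:\t1000 5001 5002 \nNStgid:\t42\n";
/* Constructed sample (assumption): NFS server kernel thread, empty Groups line. */
static const char NFSD_STATUS[] =
    "Name:\tnfsd\nUid:\t0\t0\t0\t0\nGroups:\t \nNStgid:\t913\n";

/* Hypothetical helper: read the "Groups:" line of a status text.
 * Returns the number of gids stored, or -1 if the line is missing. */
static int parse_status_groups(const char *status, gid_t *out, int max)
{
    const char *p = strstr(status, "\nGroups:");
    int n = 0;
    if (!p)
        return -1;
    for (p += strlen("\nGroups:"); n < max; n++) {
        char *end;
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p < '0' || *p > '9')   /* newline or NUL: stay on this line */
            break;
        out[n] = (gid_t)strtoul(p, &end, 10);
        p = end;
    }
    return n;
}

/* Hypothetical check: primary gid from the request, other groups from status. */
static int group_access_ok(gid_t file_gid, gid_t req_gid, const char *status)
{
    gid_t groups[64];
    int n = parse_status_groups(status, groups, 64);
    if (req_gid == file_gid)
        return 1;
    for (int i = 0; i < n; i++)
        if (groups[i] == file_gid)
            return 1;
    return 0;
}

int main(void)
{
    printf("local: %d, via NFS: %d\n", group_access_ok(5001, 1000, LOCAL_STATUS),
           group_access_ok(5001, 1000, NFSD_STATUS));
    return 0;
}
```

The primary-gid case still passes with the NFS server's status text, so only access that depends on a supplementary group is lost.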