Re: Permissions of the .snap directory do not inherit ACLs in 17.2.6


 



Hi Eugen,



We have a lot of shared directories in cephfs and each directory has a specific ACL to grant access to several groups (for read and/or for read/write access).

Here are the complete steps to reproduce the problem in 17.2.6 with only one group, GIPSI, in the ACL:

# mkdir /mnt/ceph/test
# chown root:nogroup /mnt/ceph/test
# chmod 770 /mnt/ceph/test
# setfacl --set="u::rwx,g::rwx,o::-,d:m::rwx,m::rwx,d:g:GIPSI:rwx,g:GIPSI:rwx" /mnt/ceph/test/

# getfacl /mnt/ceph/test
# file: mnt/ceph/test
# owner: root
# group: nogroup
user::rwx
group::rwx
group:GIPSI:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:GIPSI:rwx
default:mask::rwx
default:other::---

# touch /mnt/ceph/test/foo
# getfacl /mnt/ceph/test/foo
# file: mnt/ceph/test/foo
# owner: root
# group: root
user::rw-
group::rwx           #effective:rw-
group:GIPSI:rwx      #effective:rw-
mask::rw-
other::---

# mkdir /mnt/ceph/ec42/test/.snap/snaptest
# getfacl /mnt/ceph/test/.snap
# file: mnt/ceph/test/.snap
# owner: root
# group: nogroup
user::rwx
group::rwx
other::---





As a result, no member of the GIPSI group is able to access the snapshots…

And we had no users complaining about access to the snapshots before our upgrade, so I suppose that the ACL of the .snap directory was OK in Pacific (> 16.2.9).



Arnaud



On 04/09/2023 12:59, "Eugen Block" <eblock@xxxxxx> wrote:





I'm wondering if I did something wrong or if I'm missing something. I
tried to reproduce the described steps from the bug you mentioned, and
from Nautilus to Reef (I have a couple of test clusters) the getfacl
output always shows the same output for the .snap directory:

$ getfacl /mnt/cephfs/test/.snap/
getfacl: Removing leading '/' from absolute path names
# file: mnt/cephfs/test/.snap/
# owner: root
# group: root
user::rwx
group::rwx
other::---

So in my tests it never actually shows the "users" group acl. But you
wrote that it worked with Pacific for you, I'm confused...





Quoting MARTEL Arnaud <arnaud.martel@xxxxxx>:





> Hi,
>
> I'm facing the same situation as described in bug #57084
> (https://tracker.ceph.com/issues/57084) since I upgraded from
> 16.2.13 to 17.2.6
>
> for example:
>
> root@faiserver:~# getfacl /mnt/ceph/default/
> # file: mnt/ceph/default/
> # owner: 99
> # group: nogroup
> # flags: -s-
> user::rwx
> user:s-sac-acquisition:rwx
> group::rwx
> group:acquisition:r-x
> group:SAC_R:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:s-sac-acquisition:rwx
> default:group::rwx
> default:group:acquisition:r-x
> default:group:SAC_R:r-x
> default:mask::rwx
> default:other::---
>
> root@faiserver:~# getfacl /mnt/ceph/default/.snap
> # file: mnt/ceph/default/.snap
> # owner: 99
> # group: nogroup
> # flags: -s-
> user::rwx
> group::rwx
> other::r-x
>
> Before creating a new bug report, could you tell me if someone has
> the same problem with 17.2.6 ??
>
> Kind regards,
> Arnaud
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx













_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
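
A check for the symptom reported in this thread, as an added example that is not part of the original messages: it compares the getfacl output of a directory with that of its .snap directory and prints the named user/group entries that .snap lacks. The sample text is constructed from the getfacl output quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report access ACL entries that a directory has but its
# .snap directory lacks. Works on getfacl text, so it runs offline.

# named_entries: read getfacl output on stdin and print the access entries
# that name a specific user or group (e.g. "group:GIPSI:rwx"), sorted.
# Comment lines, "#effective" suffixes, default: entries and base entries are skipped.
named_entries() {
    sed -e 's/[[:space:]]*#.*$//' |
        awk -F: '($1 == "user" || $1 == "group") && $2 != "" { print $1 ":" $2 ":" $3 }' |
        sort -u
}

# missing_on_snap DIR_ACL SNAP_ACL: print entries of DIR_ACL absent from SNAP_ACL.
missing_on_snap() {
    dir_list=$(printf '%s\n' "$1" | named_entries)
    snap_list=$(printf '%s\n' "$2" | named_entries)
    printf '%s\n' "$dir_list" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s\n' "$snap_list" | grep -Fxq -- "$entry" || printf '%s\n' "$entry"
    done
}

# Constructed sample input, taken from the getfacl output shown in the thread.
DIR_ACL='# file: mnt/ceph/test
# owner: root
# group: nogroup
user::rwx
group::rwx
group:GIPSI:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:GIPSI:rwx
default:mask::rwx
default:other::---'

SNAP_ACL='# file: mnt/ceph/test/.snap
# owner: root
# group: nogroup
user::rwx
group::rwx
other::---'

# On a live mount, pass "$(getfacl -p DIR)" and "$(getfacl -p DIR/.snap)" instead.
missing_on_snap "$DIR_ACL" "$SNAP_ACL"   # prints: group:GIPSI:rwx
```

An empty result means every named entry on the directory is also present, with the same permissions, on .snap.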



