Your description seems to match my observations trying to create
cephfs snapshots via dashboard. In latest Octopus it works, in Pacific
16.2.13 and Quincy 17.2.6 it doesn't, in Reef 18.2.0 it works again.
Quoting MARTEL Arnaud <arnaud.martel@xxxxxx>:
Hi Eugen,
We have a lot of shared directories in cephfs and each directory has
a specific ACL to grant access to several groups (for read and/or
for read/write access).
Here are the complete steps to reproduce the problem in 17.2.6 with only
one group, GIPSI, in the ACL:
# mkdir /mnt/ceph/test
# chown root:nogroup /mnt/ceph/test
# chmod 770 /mnt/ceph/test
# setfacl --set="u::rwx,g::rwx,o::-,d:m::rwx,m::rwx,d:g:GIPSI:rwx,g:GIPSI:rwx" /mnt/ceph/test/
# getfacl /mnt/ceph/test
# file: mnt/ceph/test
# owner: root
# group: nogroup
user::rwx
group::rwx
group:GIPSI:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:GIPSI:rwx
default:mask::rwx
default:other::---
# touch /mnt/ceph/test/foo
# getfacl /mnt/ceph/test/foo
# file: mnt/ceph/test/foo
# owner: root
# group: root
user::rw-
group::rwx #effective:rw-
group:GIPSI:rwx #effective:rw-
mask::rw-
other::---
# mkdir /mnt/ceph/ec42/test/.snap/snaptest
# getfacl /mnt/ceph/test/.snap
# file: mnt/ceph/test/.snap
# owner: root
# group: nogroup
user::rwx
group::rwx
other::---
As a result, no member of the GIPSI group is able to access the snapshots…
And we had no user complain about the access to the snapshots
before our upgrade, so I suppose that the ACL of the .snap directory
was OK in Pacific (> 16.2.9).
Arnaud
On 04/09/2023 12:59, "Eugen Block" <eblock@xxxxxx> wrote:
I'm wondering if I did something wrong or if I'm missing something. I
tried to reproduce the described steps from the bug you mentioned, and
from Nautilus to Reef (I have a couple of test clusters) the getfacl
output always shows the same output for the .snap directory:
$ getfacl /mnt/cephfs/test/.snap/
getfacl: Removing leading '/' from absolute path names
# file: mnt/cephfs/test/.snap/
# owner: root
# group: root
user::rwx
group::rwx
other::---
So in my tests it never actually shows the "users" group acl. But you
wrote that it worked with Pacific for you, I'm confused...
Quoting MARTEL Arnaud <arnaud.martel@xxxxxx>:
Hi,
I'm facing the same situation as described in bug #57084
(https://tracker.ceph.com/issues/57084) since I upgraded from
16.2.13 to 17.2.6.
For example:
root@faiserver:~# getfacl /mnt/ceph/default/
# file: mnt/ceph/default/
# owner: 99
# group: nogroup
# flags: -s-
user::rwx
user:s-sac-acquisition:rwx
group::rwx
group:acquisition:r-x
group:SAC_R:r-x
mask::rwx
other::---
default:user::rwx
default:user:s-sac-acquisition:rwx
default:group::rwx
default:group:acquisition:r-x
default:group:SAC_R:r-x
default:mask::rwx
default:other::---
root@faiserver:~# getfacl /mnt/ceph/default/.snap
# file: mnt/ceph/default/.snap
# owner: 99
# group: nogroup
# flags: -s-
user::rwx
group::rwx
other::r-x
Before creating a new bug report, could you tell me if someone has
the same problem with 17.2.6?
Kind regards,
Arnaud
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
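
An added example, not part of the original thread: a Python check that parses `getfacl` output for a directory and for its `.snap` directory and reports access entries that `.snap` lost or permission bits it gained. The function names are hypothetical, and the sample input is abridged from the `getfacl` output quoted in the thread.

```python
# Added example (not from the thread): compare the access ACL of a directory
# with the access ACL reported for its .snap directory.

# Sample input, abridged from the getfacl output quoted in the thread.
PARENT = """\
# file: mnt/ceph/default/
user::rwx
user:s-sac-acquisition:rwx
group::rwx
group:acquisition:r-x
group:SAC_R:r-x
mask::rwx
other::---
default:user::rwx
default:group:SAC_R:r-x
default:other::---
"""
SNAP = """\
# file: mnt/ceph/default/.snap
user::rwx
group::rwx
other::r-x
"""

def parse_access_acl(text):
    """Return {(tag, qualifier): perms} for access entries of one getfacl listing."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line or line.startswith("default:"):
            continue  # default entries only affect newly created children
        tag, qualifier, perms = line.split(":", 2)
        acl[(tag, qualifier)] = perms[:3]
    return acl

def diff_snap_acl(parent_text, snap_text):
    """Report entries .snap lost ("missing") or permission bits it gained ("widened")."""
    parent, snap = parse_access_acl(parent_text), parse_access_acl(snap_text)
    findings = []
    for (tag, qual), perms in sorted(parent.items()):
        if tag != "mask" and (tag, qual) not in snap:
            findings.append(("missing", f"{tag}:{qual}:{perms}"))
    for (tag, qual), perms in sorted(snap.items()):
        base = parent.get((tag, qual), "---")
        extra = "".join(s if b == "-" else "-" for s, b in zip(perms, base))
        if extra != "---":
            findings.append(("widened", f"{tag}:{qual}:{extra}"))
    return findings

if __name__ == "__main__":
    for kind, entry in diff_snap_acl(PARENT, SNAP):
        print(kind, entry)
```

On a live mount, the two inputs would be the text printed by `getfacl` for the directory and for its `.snap` directory; a "widened" finding such as `other::r-x` means the snapshot view is readable by accounts the parent ACL excludes.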