Re: NFSv4 ACLs translation issue from GlusterFS mount

On Tue, Mar 29, 2022 at 2:31 PM tizo <tizone@xxxxxxxxx> wrote:
>
> It seems to me that Posix ACLs in a mounted glusterfs volume are not
> being translated to NFSv4 ACLs at all when exported (kernel NFS).
> Exporting a local filesystem with XFS and exactly the same Posix ACLs
> works as expected (NFSv4 ACLs are translated right from Posix ACLs).
> More details:
>
> OS: Rocky Linux release 8.5 (Green Obsidian)
>
> fstab for the exported directories:
>
> /dev/mapper/vg_kvm_sistema-lv_directo_informatica /exports/directo_informatica xfs defaults 0 0
> gluster02.fnr.gub.uy:/gv0_inf /exports/gv0_inf/ glusterfs defaults,acl 0 0
>
> Mount for the exported directories:
>
> /dev/mapper/vg_kvm_sistema-lv_directo_informatica on /exports/directo_informatica type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
> gluster02.fnr.gub.uy:/gv0_inf on /exports/gv0_inf type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,allow_other,max_read=131072)
>
> exports file:
>
> /exports *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,fsid=0)
> /exports/directo_informatica *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,mountpoint)
> /exports/gv0_inf *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,mountpoint,fsid=2)
>
> Exported directories ACLs:
>
> # getfacl /exports/directo_informatica/
> getfacl: Removing leading '/' from absolute path names
> # file: exports/directo_informatica/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::r-x
> group:root:r-x
> group:informatica@xxxxxxxxxxxxxxxxx:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:informatica@xxxxxxxxxxxxxxxxx:rwx
> default:mask::rwx
> default:other::---
>
> # getfacl /exports/gv0_inf/
> getfacl: Removing leading '/' from absolute path names
> # file: exports/gv0_inf/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::r-x
> group:root:r-x
> group:informatica@xxxxxxxxxxxxxxxxx:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:informatica@xxxxxxxxxxxxxxxxx:rwx
> default:mask::rwx
> default:other::---
>
> Directories mounted remotely (same server for the tests):
>
> gluster02.adtest.fnr.gub.uy:/directo_informatica on /prueba2 type nfs4 (rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.2.100.8,local_lock=none,addr=10.2.100.8)
> gluster02.adtest.fnr.gub.uy:/gv0_inf on /prueba type nfs4 (rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.2.100.8,local_lock=none,addr=10.2.100.8)
>
> NFSv4 ACLs remotely:
>
> $ nfs4_getfacl /prueba2
> # file: /prueba2
> A::OWNER@:rwaDxtTcCy
> A::root@xxxxxxxxxxxxxxxxx:rwaDxtcy
> A::GROUP@:rxtcy
> A:g:root@xxxxxxxxxxxxxxxxx:rxtcy
> A:g:informatica@xxxxxxxxxxxxxxxxx@idmpru.fnr.gub.uy:rwaDxtcy
> A::EVERYONE@:tcy
> A:fdi:OWNER@:rwaDxtTcCy
> A:fdi:root@xxxxxxxxxxxxxxxxx:rwaDxtcy
> A:fdi:GROUP@:rxtcy
> A:fdig:root@xxxxxxxxxxxxxxxxx:rxtcy
> A:fdig:informatica@xxxxxxxxxxxxxxxxx@idmpru.fnr.gub.uy:rwaDxtcy
> A:fdi:EVERYONE@:tcy
>
> $ nfs4_getfacl /prueba
> # file: /prueba
> A::OWNER@:rwaDxtTcCy
> A::GROUP@:rwaDxtcy
> A::EVERYONE@:tcy
>
> I have tried other alternatives with different results, but none of
> them solved my problem completely. For example, with NFS Ganesha it seems
> there is an idmap problem. Anyway, I've been talking about it with
> Strahil Nikolov and he pointed out that as my case was a complex one I
> should write to this list. Despite that, I tried to present it in the
> simplest way I could, avoiding details about the users and the
> authentication systems, as it seems to me that with kernel NFS the
> problem is related to Posix to NFSv4 ACLs translation.
>
> Any help is appreciated. Thanks very much.

I could solve this problem. After doing some more tests, I realised
that I only had problems when a user accessing the NFS mount had the
group of the ACL as a secondary group. If there was an ACL with the
user, or his primary group, everything worked as expected (although
NFSv4 ACLs are not showing as they should in either case, but I don't
really care about it as long as it works). Knowing that it was a
problem with the groups, I searched a little more, and found this page:
https://docs.gluster.org/en/main/Administrator-Guide/Handling-of-users-with-many-groups.
In our case, the users don't have so many groups, so it didn't look
like the solution. But I tried the options listed there one by one
just in case, and it turned out that the option resolve-gids for the
fuse client when mounting the glusterfs partition did the trick. Don't
know exactly why, but it's good enough for me.

Thanks very much!
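
An added example, not part of the original message: a small fstab audit that flags glusterfs mounts which enable `acl` but lack the `resolve-gids` option the message reports as the fix. The function names `has_opt` and `audit_fstab`, the mount point `/exports/gv0_fixed/` and the third sample entry are hypothetical; the first two sample entries are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: list glusterfs fstab entries that enable POSIX ACLs ("acl")
# but do not set "resolve-gids" on the FUSE client mount.

# has_opt OPTS NAME: succeeds if NAME (or NAME=value) is one of the
# comma-separated mount options in OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*|*",$2="*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_fstab FILE: prints the mount point of every flagged entry, one per line.
audit_fstab() {
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in ''|'#'*) continue ;; esac      # skip blanks and comments
        [ "$fstype" = "glusterfs" ] || continue        # only GlusterFS FUSE mounts
        if has_opt "$opts" acl && ! has_opt "$opts" resolve-gids; then
            printf '%s\n' "$mnt"
        fi
    done < "$1"
}

# Constructed sample input: entries 1 and 2 are the fstab lines from the thread,
# entry 3 is a hypothetical mount with resolve-gids added.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample fstab
/dev/mapper/vg_kvm_sistema-lv_directo_informatica /exports/directo_informatica xfs defaults 0 0
gluster02.fnr.gub.uy:/gv0_inf /exports/gv0_inf/ glusterfs defaults,acl 0 0
gluster02.fnr.gub.uy:/gv0_inf /exports/gv0_fixed/ glusterfs defaults,acl,resolve-gids 0 0
EOF
flagged=$(audit_fstab "$sample")
rm -f "$sample"
echo "glusterfs mounts with acl but without resolve-gids: ${flagged:-none}"
```

On a real host, run `audit_fstab /etc/fstab`; after adding the option, the volume has to be remounted for it to take effect.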
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
https://lists.gluster.org/mailman/listinfo/gluster-devel