On Wed, Jul 29, 2015 at 05:22:31PM +0300, Jüri Palis wrote:
> Hi,
>
> Another issue with NFS and sec=sys mode. As we all know there is a
> limit of 15 security ids involved when running NFS in sec=sys mode.
> This limit makes effective and granular usage of ACLs assigned through
> groups almost unusable. One way to overcome this limit is to use
> kerberised NFS, but GlusterFS does not natively support this access
> mode. Another option, at least according to one email thread, states
> that GlusterFS has an option server.manage-gids which should mitigate
> this limit and raise it to 90 something. Is this the option which
> can be used for increasing the sec=sys limit? Sadly the documentation
> does not have a clear description of this option, what exactly it
> does and how it should be used.

server.manage-gids is an option to resolve the groups of a uid in the
brick process. You probably need to also use the nfs.server-aux-gids
option so that the NFS-server resolves the gids of the uid accessing the
NFS-server.

The nfs.server-aux-gids option is used to overcome the AUTH_SYS/AUTH_UNIX
limit of (I thought 32?) groups. The server.manage-gids option is used to
overcome the GlusterFS protocol limit of ~93 groups. If your users do not
belong to 90+ groups, you would not need to set the server.manage-gids
option, and nfs.server-aux-gids might be sufficient.

HTH,
Niels

>
> J.
>
> > On 29 Jul 2015, at 16:16, Jiffin Tony Thottan <jthottan@xxxxxxxxxx> wrote:
> >
> >
> >
> > On 29/07/15 18:04, Jüri Palis wrote:
> >> Hi,
> >>
> >> setfacl for dir on local filesystem:
> >>
> >> 1. set acl: setfacl -m g:x_meie_sec-test02:rx test
> >> 2. get acl:
> >>
> >> # getfacl test
> >> user::rwx
> >> group::r-x
> >> group:x_meie_sec-test02:r-x
> >> mask::r-x
> >> other::r-x
> >>
> >> setfacl for dir on GlusterFS volume which is NFS mounted to client system:
> >>
> >> 1. same command is used for setting ACE, no error is returned by that command
> >> 2. get acl:
> >>
> >> # getfacl test
> >> user::rwx
> >> group::r-x
> >> other::---
> >>
> >>
> >> If I use an ordinary file as a target on GlusterFS like this
> >>
> >> setfacl -m g:x_meie_sec-test02:rw dummy
> >>
> >> then the ACE entry is set for file dummy stored on GlusterFS
> >>
> >> # getfacl dummy
> >> user::rw-
> >> group::r--
> >> group:x_meie_sec-test02:rw-
> >> mask::rw-
> >> other::---
> >>
> >> So, as you can see, setting ACLs for files works but does not work for directories.
> >>
> >> This all is happening on CentOS7, running GlusterFS 3.7.2
> >
> > Hi Jyri,
> >
> > It seems there are a couple of issues:
> >
> > 1.) when you set a named group acl for a file/directory, it clears the permission of others too.
> > 2.) named group acl is not working properly for directories.
> >
> > I will try the same on my setup and share my findings.
> > --
> > Jiffin
> >
> >> J.
> >> On 29 Jul 2015, at 15:16, Jiffin Thottan <jthottan@xxxxxxxxxx> wrote:
> >>
> >>>
> >>> ----- Original Message -----
> >>> From: "Jüri Palis" <jyri.palis@xxxxxxxxx>
> >>> To: gluster-users@xxxxxxxxxxx
> >>> Sent: Wednesday, July 29, 2015 4:19:20 PM
> >>> Subject: GlusterFS 3.7.2 and ACL
> >>>
> >>> Hi
> >>>
> >>> Setup:
> >>> GFS 3.7.2, NFS is used for host access
> >>>
> >>> Problem:
> >>> POSIX ACLs work correctly when applied to files but do not work when applied to directories on GFS volumes.
> >>>
> >>> How can I debug this issue more deeply?
> >>>
> >>> Can you please explain the issue with more details, i.e. what exactly is not working properly, is it setting the acl or any functionality issue, in which client?
> >>> --
> >>> Jiffin
> >>>
> >>> Regards,
> >>> Jyri
> >>> _______________________________________________
> >>> Gluster-users mailing list
> >>> Gluster-users@xxxxxxxxxxx
> >>> http://www.gluster.org/mailman/listinfo/gluster-users
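To make the setfacl/getfacl comparison in the quoted thread repeatable, here is an added Python example (not code from the list or from GlusterFS) that parses two getfacl listings and reports which ACL entries were dropped or changed. The listings are constructed from the output quoted above; the `# file:` header line is assumed as getfacl normally prints it.

```python
# Added example (not code from the list or GlusterFS): parse two getfacl
# listings and report entries that were dropped or whose permissions changed.

# Constructed from the thread: directory ACL on a local filesystem.
LOCAL_DIR_ACL = """\
# file: test
user::rwx
group::r-x
group:x_meie_sec-test02:r-x
mask::r-x
other::r-x
"""

# Constructed from the thread: same directory via the NFS-mounted
# GlusterFS volume after the same setfacl command.
GLUSTER_DIR_ACL = """\
# file: test
user::rwx
group::r-x
other::---
"""


def parse_getfacl(text):
    """Map each ACL entry ("tag:qualifier") to its permission string.

    Header/comment lines (# file:, # owner:, ...) and blank lines are skipped.
    """
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        acl[f"{tag}:{qualifier}"] = perms
    return acl


def diff_acls(expected, observed):
    """Return (missing, changed): entries absent from `observed`, and entries
    present in both but with different permissions, as {entry: (exp, obs)}."""
    exp = parse_getfacl(expected)
    obs = parse_getfacl(observed)
    missing = sorted(k for k in exp if k not in obs)
    changed = {k: (exp[k], obs[k]) for k in exp if k in obs and exp[k] != obs[k]}
    return missing, changed
```

Running `diff_acls(LOCAL_DIR_ACL, GLUSTER_DIR_ACL)` on the quoted listings shows the named group and mask entries missing and `other::` cleared, which is exactly the pair of issues Jiffin lists; on a healthy backend both results are empty.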