Re: NFSv4 permissions issues with an exported glusterfs

When you mount the gluster with 'mount -t glusterfs -o acl gluster_volume_fileserver1:/volume /mnt' and then execute 'getfacl /mnt', what is the output?
I assume (based on the kerberos) that both systems have the same uid/gids. Can you reproduce it if you remove the krb5 mount options?

Any reason not to use the FUSE client? (BSD/Unix systems?)
It's far more tested to use NFS Ganesha and Gluster has some scripts to configure HA setup for the NFS.
Another not very common (but working) setup is to recompile the Gluster source with the gNFS enabled, so you can use the built-in NFS server.


Best Regards,
Strahil Nikolov

On Mon, Mar 28, 2022 at 12:36, tizo
<tizone@xxxxxxxxx> wrote:
I have posted this exact problem on Server Fault and on Linux NFS,
but it has not been answered yet. Maybe you can help me.

I have a situation with kernel NFS server. I have two exports with
exactly the same ACLs, with full permissions for the
/exports/directo_informatica/, which is the mount point for an LV with
XFS, and the other is /exports/gv0_inf/, which is the mount point for
a glusterfs. The first export works right when mounting it remotely
with NFS, and accessing it with a user of the group
informatica@xxxxxxxxxxxxxxx. The second one doesn't: it can be mounted
correctly, but when trying to access it with the same user it gives
"Permission denied".

If I access the NFS server directly (ssh) with the same user as in the
previous tests, I can access both directories inside /exports/ without
problems. More details follow:

OS: Rocky Linux release 8.5 (Green Obsidian)

fstab for the exported directories:

/dev/mapper/vg_kvm_sistema-lv_directo_informatica /exports/directo_informatica xfs defaults 0 0
glustersrv02.xx.xx.xx:/gv0_inf /exports/gv0_inf/ glusterfs defaults,acl 0 0

Mount for the exported directories:

/dev/mapper/vg_kvm_sistema-lv_directo_informatica on /exports/directo_informatica type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
glustersrv02.xx.xx.xx:/gv0_inf on /exports/gv0_inf type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,allow_other,max_read=131072)

exports file:

/exports *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,fsid=0)
/exports/directo_informatica *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,mountpoint)
/exports/gv0_inf *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,mountpoint,fsid=2)

Exported directories ACLs:

# getfacl /exports/directo_informatica/
getfacl: Removing leading '/' from absolute path names
# file: exports/directo_informatica/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:informatica@xxxxxxxxxxxxxxx:rwx
default:mask::rwx
default:other::---

# getfacl /exports/gv0_inf/
getfacl: Removing leading '/' from absolute path names
# file: exports/gv0_inf/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:informatica@xxxxxxxxxxxxxxx:rwx
default:mask::rwx
default:other::---

Directories mounted remotely:

gluster02.adtest.xx.xx.xx:/directo_informatica on /prueba2 type nfs4 (rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.2.100.8,local_lock=none,addr=10.2.100.8)
gluster02.adtest.xx.xx.xx:/gv0_inf on /prueba type nfs4 (rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.2.100.8,local_lock=none,addr=10.2.100.8)

NFSv4 ACLs remotely:

$ nfs4_getfacl /prueba2
# file: /prueba2
A::OWNER@:rwaDxtTcCy
A::GROUP@:rxtcy
A:g:informatica@xxxxxxxxxxxxxxx@idmpru.xx.xx.xx:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:root@xxxxxxxxxxxxxxx:rwaDxtcy
A:fdi:GROUP@:rxtcy
A:fdig:informatica@xxxxxxxxxxxxxxx@idmpru.xx.xx.xx:rwaDxtcy
A:fdi:EVERYONE@:tcy

$ nfs4_getfacl /prueba
# file: /prueba
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy

The only additional question for this list is whether you think that this
problem could be avoided with NFS Ganesha.

Any help is appreciated. Thanks very much.
________



Community Meeting Calendar:

Schedule -
Every 2nd and 4th Tuesday at 14:30 IST / 09:00 UTC
Gluster-users mailing list
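
The two nfs4_getfacl listings quoted in the thread, compared programmatically. This is an added example, not part of either message; the helper names (`parse_nfs4_acl`, `missing_aces`, `allowed_perms`) are hypothetical. It reports which ACEs the NFS client sees on the XFS export but not on the Gluster one, and what the named group is granted on each directory.

```python
from typing import NamedTuple

class Ace(NamedTuple):
    type: str       # A = allow, D = deny
    flags: str      # f/d = inherit to files/dirs, i = inherit-only, g = group
    principal: str
    perms: str

def parse_nfs4_acl(text):
    """Parse nfs4_getfacl output: one type:flags:principal:perms ACE per line."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"not an ACE: {line!r}")
        aces.append(Ace(*parts))
    return aces

def missing_aces(reference, candidate):
    """ACEs in reference whose (type, flags, principal) is absent from candidate."""
    have = {a[:3] for a in candidate}
    return [a for a in reference if a[:3] not in have]

def allowed_perms(aces, principal):
    """Permissions an allow ACE grants the principal on the object itself."""
    return {p for a in aces
            if a.type == "A" and "i" not in a.flags and a.principal == principal
            for p in a.perms}

# Listings copied from the post (names are masked there as well).
GROUP = "informatica@xxxxxxxxxxxxxxx@idmpru.xx.xx.xx"
XFS_EXPORT = """A::OWNER@:rwaDxtTcCy
A::GROUP@:rxtcy
A:g:informatica@xxxxxxxxxxxxxxx@idmpru.xx.xx.xx:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:root@xxxxxxxxxxxxxxx:rwaDxtcy
A:fdi:GROUP@:rxtcy
A:fdig:informatica@xxxxxxxxxxxxxxx@idmpru.xx.xx.xx:rwaDxtcy
A:fdi:EVERYONE@:tcy"""
GLUSTER_EXPORT = """A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy"""

if __name__ == "__main__":
    for ace in missing_aces(parse_nfs4_acl(XFS_EXPORT), parse_nfs4_acl(GLUSTER_EXPORT)):
        print("not visible on /prueba:", ":".join(ace))
```

On these listings the named-group ACE and every inheritable (`fdi`) ACE are absent from the Gluster export as seen over NFS, so the group has no explicit grant on `/prueba`.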