We are running 1.8.0.180 and seem to have an issue with ACLs that I hope someone can help us with. We have ACLs enabled on Lustre and can write them and read them just fine. However, Lustre does not seem to respect ACLs like Linux should. An example:

drwxrwx---+ 3 user1 root 4.0K 2009-10-26 14:29 zz

# file: zz
# owner: yanzzee
# group: root
user::rwx
group::rwx
group:group1:rwx
mask::rwx
other::---

So user1 is the owner of directory zz and root is the group owner, but group1 has full permissions on directory through ACLs. User2 is a member of group1, but is not able to list or modify the directory. This same set-up works in tmp and is what I am used to. In order for it to work on Lustre, I have to set the Default ACL for the group before access is granted. If I remove all the default ACLs, it still works. Is there something that I am doing wrong that the behavior is not what I expect from other filesystems?

Thanks,

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

Well, my little trick isn't working right now. I'm not sure how to debug this.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Mon, Oct 26, 2009 at 3:03 PM, Robert LeBlanc <robert at leblancnet.us> wrote:

> We are running 1.8.0.180 and seem to have an issue with ACLs that I hope
> someone can help us with. We have ACLs enabled on Lustre and can write them
> and read them just fine. However, Lustre does not seem to respect ACLs like
> Linux should. An example:
>
> drwxrwx---+ 3 user1 root 4.0K 2009-10-26 14:29 zz
>
> # file: zz
> # owner: yanzzee
> # group: root
> user::rwx
> group::rwx
> group:group1:rwx
> mask::rwx
> other::---
>
> So user1 is the owner of directory zz and root is the group owner, but
> group1 has full permissions on directory through ACLs. User2 is a member of
> group1, but is not able to list or modify the directory. This same set-up
> works in tmp and is what I am used to. In order for it to work on Lustre, I
> have to set the Default ACL for the group before access is granted. If I
> remove all the default ACLs, it still works. Is there something that I am
> doing wrong that the behavior is not what I expect from other filesystems?
>
> Thanks,
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University

On Mon, 26 Oct 2009, Robert LeBlanc wrote:

> Well, my little trick isn't working right now. I'm not sure how to debug
> this.
>
> > remove all the default ACLs, it still works. Is there something that I am
> > doing wrong that the behavior is not what I expect from other filesystems?

Regarding this, an additional question: is there any "hidden" delay between setting such ACLs on file/dir/inode, and the ACL an entry actually has? I mean, are posix extended ACLs effective immediately?

Regards,
DT

--
I use Sendmail for MTA, Debian Linux for OS, Windowmaker for WM, Rand for philosophy, and The Last Buell for a ride. And I consider these best of the best a man can get. Please, let me know, when a better stuff'll arrive, so I could pick it up and include in this list. Thank you.

Hi!

On Mon, Oct 26, 2009 at 05:35:36PM -0600, Robert LeBlanc wrote:

> Well, my little trick isn't working right now. I'm not sure how to debug
> this.

With Lustre, the MDS authorizes access when a client first touches a certain file. Once it's cached, the client handles authorization itself. If you experience erratic behaviour, this points to a difference in either nameservice or ACL configuration between MDS and client. Are ACLs turned on on the MDT? Does user2 show up as a member of group1 on the MDS? Is the Lustre group upcall configured?

Regards,

Daniel.

On Mon, Oct 26, 2009 at 6:44 PM, Daniel Kobras <kobras at linux.de> wrote:

> Hi!
>
> On Mon, Oct 26, 2009 at 05:35:36PM -0600, Robert LeBlanc wrote:
> > Well, my little trick isn't working right now. I'm not sure how to debug
> > this.
>
> With Lustre, the MDS authorizes access when a client first touches a
> certain file. Once it's cached, the client handles authorization itself.
> If you experience erratic behaviour, this points to a difference in either
> nameservice or ACL configuration between MDS and client. Are ACLs turned
> on on the MDT? Does user2 show up as a member of group1 on the MDS? Is the
> Lustre group upcall configured?

ACL is configured on the MDS, I tried on a Lustre FS where it wasn't turned on and got an operation not supported error. We are using Samba for our nameservice and we switched from RID to Hash for UID and GID. I noticed a couple of things that may be part of the problem. The MDS was not switched over to the Hash method and the mdt.group_upcall was set to none. I'll change both of those and see if things improve. Makes me wonder why it worked at all (and the directories that it did work with still do) in the first place. My testing was done all on the same client, not on different clients. I'll report back my findings.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
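
The check Daniel asks about and the RID/Hash mismatch Robert then found, as an added example that is not part of any message in this thread and is not Lustre code: the acl(5) access-check algorithm run over the ACL from the first message, once with the group IDs a client resolves for user2 and once with those the MDS resolves. All numeric uid/gid values are constructed, and the only assumption about Lustre is the one stated in the thread, that the node doing the authorization uses its own nameservice view.

```python
# ACL entries from the getfacl output in the first message.
ACL_TEXT = """\
user::rwx
group::rwx
group:group1:rwx
mask::rwx
other::---
"""

OWNER_UID, OWNER_GID = 5001, 0   # user1 (constructed uid) and group root
USER2_UID = 5002                 # constructed
GROUP1_GID_HASH = 70001          # constructed: gid the clients (Hash) give group1
GROUP1_GID_RID = 10513           # constructed: gid the MDS (still RID) gives group1

def parse_acl(text, ids):
    """Turn getfacl-style lines into (tag, numeric id or None, perms)."""
    entries = []
    for line in text.split():
        tag, qual, perms = line.split(":")
        entries.append((tag, ids[qual] if qual else None, set(perms) - {"-"}))
    return entries

def acl_permits(entries, owner_uid, owner_gid, uid, gids, want):
    """acl(5) access check: the first matching class decides, no fall-through."""
    want = set(want)
    perms = {(tag, q): p for tag, q, p in entries}
    mask = perms.get(("mask", None))
    eff = lambda p: p if mask is None else p & mask   # mask limits named/group entries
    if uid == owner_uid:
        return want <= perms[("user", None)]
    if ("user", uid) in perms:
        return want <= eff(perms[("user", uid)])
    group_hits = [p for (tag, q), p in perms.items()
                  if tag == "group" and (owner_gid if q is None else q) in gids]
    if group_hits:
        return any(want <= eff(p) for p in group_hits)
    return want <= perms[("other", None)]

def user2_can_list(gids_seen_by_node):
    """Can user2 read and search directory zz, given one node's view of its groups?"""
    # The ACL was written from a client, so it stores the Hash-mapped gid.
    acl = parse_acl(ACL_TEXT, {"group1": GROUP1_GID_HASH})
    return acl_permits(acl, OWNER_UID, OWNER_GID, USER2_UID, gids_seen_by_node, "rx")

if __name__ == "__main__":
    print("client view:", user2_can_list({GROUP1_GID_HASH}))   # group:group1 matches
    print("MDS view:   ", user2_can_list({GROUP1_GID_RID}))    # falls through to other::---
```

On a real system the two gid sets come from running `id user2` and `getent group group1` on a client and on the MDS and comparing the numbers.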