On Wed, Jul 29, 2015 at 05:22:31PM +0300, J?ri Palis wrote:
> Hi,
>
> Another issue with NFS and sec=sys mode. As we all know there is a
> limit of 15 security ids involved when running NFS in sec=sys mode.
> This limit makes effective and granular usage of ACL assigned through
> groups almost unusable. One way to overcome this limit is to use
> kerberised NFS but GlusterFS does not natively support this access
> mode . Another option, at least according to one email thread, states
> that GlusterFS has an option server.manage-gids which should mitigate
> this limit and raise it to 90 something. Is this the option, which
> can be used for increasing sec=sys limit. Sadly documentation does not
> have clear description about this option, what exactly this option
> does and how it should be used.
server.manage-gids is an option to resolve the groups of a uid in the
brick process. You probably need to also use the nfs.server-aux-gids
option so that the NFS-server resolves the gids of the uid accessing the
NFS-server.
The nfs.server-aux-gids option is used to overcome the
AUTH_SYS/AUTH_UNIX limit of (I thought 32?) groups.
The server.manage-gids option is used to overcome the GlusterFS protocol
limit of ~93 groups.
If your users do not belong to 90+ groups, you would not need to set the
server.manage-gids option, and nfs.server-aux-gids might be sufficient.
HTH,
Niels
>
> J.
>
>
> On 29 Jul 2015, at 16:16, Jiffin Tony Thottan <jthottan at redhat.com> wrote:
>
> >
> >
> > On 29/07/15 18:04, J?ri Palis wrote:
> >> Hi,
> >>
> >> setfacl for dir on local filesystem:
> >>
> >> 1. set acl setfacl -m g:x_meie_sec-test02:rx test
> >> 2. get acl
> >>
> >> # getfacl test
> >> user::rwx
> >> group::r-x
> >> group:x_meie_sec-test02:r-x
> >> mask::r-x
> >> other::r-x
> >>
> >> setfacl for dir on GlusterFS volume which is NFS mounted to client system
> >>
> >> 1. same command is used for setting ACE, no error is returned by that command
> >> 2. get acl
> >>
> >> #getfacl test
> >> user::rwx
> >> group::r-x
> >> other::---
> >>
> >>
> >> If I use ordinary file as a target on GlusterFS like this
> >>
> >> setfacl -m g:x_meie_sec-test02:rw dummy
> >>
> >> then ACE entry is set for file dummy stored on GlusterFS
> >>
> >> # getfacl dummy
> >> user::rw-
> >> group::r--
> >> group:x_meie_sec-test02:rw-
> >> mask::rw-
> >> other::?
> >>
> >> So, as you can see setting ACLs for files works but does not work for directories.
> >>
> >> This all is happening on CentOS7, running GlusterFS 3.7.2
> >
> > Hi Jyri,
> >
> > It seems there are couple of issues ,
> >
> > 1.) when you set a named group acl for file/directory, it clears the permission of others too.
> > 2.) named group acl is not working properly for directories ,
> >
> > I will try the same on my setup and share my findings.
> > --
> > Jiffin
> >
> >> J.
> >> On 29 Jul 2015, at 15:16, Jiffin Thottan <jthottan at redhat.com> wrote:
> >>
> >>>
> >>> ----- Original Message -----
> >>> From: "J?ri Palis" <jyri.palis at gmail.com>
> >>> To: gluster-users at gluster.org
> >>> Sent: Wednesday, July 29, 2015 4:19:20 PM
> >>> Subject: [Gluster-users] GlusterFS 3.7.2 and ACL
> >>>
> >>> Hi
> >>>
> >>> Setup:
> >>> GFS 3.7.2, NFS is used for host access
> >>>
> >>> Problem:
> >>> POSIX ACLs work correctly when ACLs are applied to files but do not work when ACLs are applied to directories on GFS volumes.
> >>>
> >>> How can I debug this issue more deeply?
> >>>
> >>> Can you please explain the issue with more details, i.e. what exactly is not working properly, is it setting acl or any functionality issue, in which client?
> >>> __
> >>> Jiffin
> >>>
> >>> Regards,
> >>> Jyri
> >>> _______________________________________________
> >>> Gluster-users mailing list
> >>> Gluster-users at gluster.org
> >>> http://www.gluster.org/mailman/listinfo/gluster-users
> >
>