On Fri, Mar 23, 2018 at 8:49 PM, Yan, Zheng <uker...@gmail.com> wrote:
> On Fri, Mar 23, 2018 at 9:50 PM, Josh Haft <pacc...@gmail.com> wrote:
> > On Fri, Mar 23, 2018 at 12:14 AM, Yan, Zheng <uker...@gmail.com> wrote:
> >>
> >> On Fri, Mar 23, 2018 at 5:14 AM, Josh Haft <pacc...@gmail.com> wrote:
> >> > Hello!
> >> >
> >> > I'm running Ceph 12.2.2 with one primary and one standby MDS. Mounting
> >> > CephFS via ceph-fuse (to leverage quotas), and enabled ACLs by adding
> >> > fuse_default_permissions=0 and client_acl_type=posix_acl to the mount
> >> > options. I then export this mount via NFS and the clients mount NFS4.1.
> >> >
> >> does fuse_default_permissions=0 work?
> >
> > Yes, ACLs work as expected when I set fuse_default_permissions=0.
> >
> >> > After doing some in-depth testing it seems I'm unable to allow access from
> >> > the NFS clients to a directory/file based on group membership when the
> >> > underlying CephFS was mounted with ACL support. This issue appears using
> >> > both filesystem permissions (e.g. chgrp) and NFSv4 ACLs. However, ACLs do
> >> > work if the principal is a user instead of a group. If I disable ACL support
> >> > on the ceph-fuse mount, things work as expected using fs permissions;
> >> > obviously I don't get ACL support.
> >> >
> >> > As an intermediate step I did check whether this works directly on the
> >> > CephFS filesystem - on the NFS server - and it does. So it appears to be an
> >> > issue re-exporting it via NFS.
> >> >
> >> > I do not see this issue when mounting CephFS via the kernel, exporting via
> >> > NFS, and re-running these tests.
> >> >
> >> > I searched the ML and bug reports but only found this -
> >> > http://tracker.ceph.com/issues/12617 - which seems close to the issue I'm
> >> > running into, but was closed as resolved 2+ years ago.
> >> >
> >> > Has anyone else run into this? Am I missing something obvious?
> >> >
> >>
> >> ceph-fuse does the permission check according to localhost's config of
> >> supplementary groups. That's why you see this behavior.
> >
> > You're saying both the NFS client and server (where ceph-fuse is
> > running) need to use the same directory backend? (they are)
> > I should have mentioned I'm using LDAP/AD on client and server, so I
> > don't think that is the problem.
> >
> > Either way, I would not expect the behavior to change simply by
> > enabling ACLs, especially when I'm using filesystem permissions, and
> > ACLs aren't part of the equation.
>
> More specifically, ceph-fuse finds which groups the request initiator is
> in with the function fuse_req_getgroups(). This function does tricks on
> "/proc/%lu/task/%lu/status". It only works when the NFS client and
> ceph-fuse are running on the same machine.
>

So why does this work when I'm using ceph-fuse but ACLs are disabled?

> >> Yan, Zheng
> >>
> >> > Thanks!
> >> > Josh
> >> >
> >> >
> >> > _______________________________________________
> >> > ceph-users mailing list
> >> > ceph-users@lists.ceph.com
> >> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
> >>
> >
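
Added example (not part of the thread, and not Ceph or libfuse code): a C illustration of the lookup Yan describes, where the caller's supplementary groups are read from the "Groups:" line of a /proc status file and used for the group-class permission test. The function names and both status samples are constructed; the second sample assumes a request issued for a remote NFS client arrives from a server-side thread whose status lists none of that user's groups.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
/* Constructed sample: a local shell whose user is in group 5001. */
static const char LOCAL_STATUS[] =
    "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGroups:\t1000 5001 \n";
/* Constructed, assumed shape: server thread acting for a remote client. */
static const char SERVER_THREAD_STATUS[] =
    "Name:\tnfsd\nUid:\t0\t0\t0\t0\nGroups:\t\n";

/* Store up to max gids from the "Groups:" line in out and return how many
 * the line lists, or -1 when the text has no such line. */
int parse_status_groups(const char *status, gid_t *out, int max)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "Groups:", 7) == 0) {
            int n = 0;
            for (p += 7;; n++) {
                char *end;
                while (*p == ' ' || *p == '\t') p++;
                if (*p < '0' || *p > '9') return n; /* end of the line */
                gid_t g = (gid_t)strtoul(p, &end, 10);
                if (n < max) out[n] = g;
                p = end;
            }
        }
        p = strchr(p, '\n'); /* move to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* Group-class test: primary gid or a supplementary group equals file gid. */
int in_file_group(gid_t file_gid, gid_t req_gid, const char *status)
{
    gid_t groups[64];
    int n = parse_status_groups(status, groups, 64);
    if (req_gid == file_gid) return 1;
    for (int i = 0; i < n && i < 64; i++)
        if (groups[i] == file_gid) return 1;
    return 0;
}
int main(void)
{
    printf("local process: %d\n", in_file_group(5001, 1000, LOCAL_STATUS));
    printf("server thread: %d\n", in_file_group(5001, 1000, SERVER_THREAD_STATUS));
    return 0;
}
```

With the same uid and gid on the request, the file's group (5001) matches only when the status text read belongs to the user's own local process.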