[gpfsug-discuss] DACLs and nfs4-acl-tools

Mon Feb 26 20:37:52 GMT 2024

When ACLs contain the DACL/SACL flags, nfs4_getfacl producing incorrect/unexpected output is a known problem.

This is because the nfs4-acl-tools manage DACL and SACL via the extended attributes system.nfs4_dacl and system.nfs4_sacl, respectively.

The system.nfs4_acl attribute, which Scale currently supports, only expect NFSv4 ACLs without such flags. There are two issues in Scale with system.nfs4_acl: mmxcp accesses the system.nfs4_acl attribute, which does not expose the ACL flags. On the other hand, the nfs4-acl-tools access the system.nfs4_acl attribute and that does not present ACL with the ACL flags set correctly.

In Scale, the ACL flags are stored as another field in the ACL data structure that results in a different ACL header length compared to a regular NFSv4 ACL without the flags. When modifying ACLs via Samba/SMB/Windows, the ACL flags are always set. If one wants to clear those ACL flags, mmputacl or nfs4_setfacl -S can be performed. A future Scale release is under consideration to address this gap with the ACL flags. If there are mixed OS environments (e.g Windows and Linux) and data is exported for SMB clients, it is recommended to manage ACLs from a Windows client.

https://www.ibm.com/docs/en/storage-scale/5.1.9?topic=users-working-acls

Anh Dao
Storage Scale Developer
adao at ibm.com
From: gpfsug-discuss <gpfsug-discuss-bounces at gpfsug.org> on behalf of Jan-Frode Myklebust <janfrode at tanso.net>
Date: Monday, February 26, 2024 at 11:19 AM
To: gpfsug main discussion list <gpfsug-discuss at gpfsug.org>
Subject: [EXTERNAL] Re: [gpfsug-discuss] DACLs and nfs4-acl-tools
It’s not just the nfs4_setfacl tool. Also cp and rsync will fail to cooy such ACLs. I have an RFE for this : https: //ideas. ibm. com/ideas/GPFS-I-986 -jf man. 26. feb. 2024 kl. 18: 27 skrev Robert Horton <robert. horton@ icr. ac. uk>: Hello,
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside your organization.
Report Suspicious <https://us-phishalarm-ewt.proofpoint.com/EWT/v1/PjiDSg!12-vrJF3prOyMQvwNA4NTvuZV-UwL8nUzX1Xd2FqZ4Uaz85QpnrLfsaZTjPihs_gRnNQnINY4kE-qNWudUbUrVBZ1Ob-_FxzjMMWueeQN_MQDmN6nZqtdTrQ$>

ZjQcmQRYFpfptBannerEnd
It’s not just the nfs4_setfacl tool. Also cp and rsync will fail to cooy such ACLs.

I have an RFE for this :

https://ideas.ibm.com/ideas/GPFS-I-986

  -jf

man. 26. feb. 2024 kl. 18:27 skrev Robert Horton <robert.horton at icr.ac.uk<mailto:robert.horton at icr.ac.uk>>:
Hello,

We’ve been using nfs4_get/setfacl to manage nfs4 acls as an alternative to the mm commands for a few months. It mostly works pretty well – in particular it’s simple to set permissions with inheritance flags recursively on a directory structure and it’s easy to add an ace for a user/group without affecting existing permissions.

We’ve noticed though that when permissions have been changed via SMB they get these DACL ACL flags set:

# mmgetacl NewTest
#NFSv4 ACL
#owner:ICR\rhorton
#group:ICR\infotech
#ACL flags:
#  DACL_PRESENT
#  DACL_AUTO_INHERITED
#  SACL_AUTO_INHERITED
#  NULL_SACL
user:ICR\rhorton:r-x-:allow:FileInherit:DirInherit
(X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

…which upsets nfs4_getfacl:

# nfs4_getfacl NewTest
# file: NewTest
A::bin:C
Bad Ace Type:768
Error while printing ACE.

It gets worse if someone does a nfs4_getfacl -R -a <new ace> as it sometimes ends up replacing the existing ACEs with one for a ‘bin’ user.

I’m guessing that with ACL flags present the presented system.nfs4_acl extended attribute isn’t in a form that nfs4-acl-tools expects..?

So…

  1.  What do the DACL flags actually do? Where are they stored? Is there a way to check for / modify them? I can see them referenced in https://www.ibm.com/docs/en/storage-scale/5.1.9?topic=users-authorizing-file-protocol but still not entirely clear. Is it possible to get the Samba gpfs module to not set them? I’m guessing not from https://www.samba.org/samba/docs/current/man-html/vfs_gpfs.8.html<https://www.samba.org/samba/docs/current/man-html/vfs_gpfs.8.html>
  2.  Am I right in thinking this is a Scale bug? If so is it possible to get it fixed 😉 ?
  3.  How do other people manage ACLs?

Background: It’s an ESS5000. Client access is via a remote mount to an HPC system, a large number of Windows/Mac/few Linux SMB clients and a handful of NFS (4) clients via CES. We’re on 5.1.9, although the cluster and fs versions are a bit behind. -k is nfs4.

Any thoughts appreciated!

Thanks,
Rob

Robert Horton | Scientific Computing Infrastructure Lead
The Institute of Cancer Research | 237 Fulham Road, London, SW3 6JB<https://www.google.com/maps/search/237+Fulham+Road,+London,+SW3+6JB?entry=gmail&source=g>
T +44 (0) 20 7153 5350 | E robert.horton at icr.ac.uk<mailto:robert.horton at icr.ac.uk> | W www.icr.ac.uk<http://www.icr.ac.uk/> | Twitter @ICR_London<https://twitter.com/ICR_London>
Facebook www.facebook.com/theinstituteofcancerresearch<http://www.facebook.com/theinstituteofcancerresearch>
Making the discoveries that defeat cancer
[ICR Logo]<http://www.icr.ac.uk/>

The Institute of Cancer Research: Royal Cancer Hospital, a charitable Company Limited by Guarantee, Registered in England under Company No. 534147 with its Registered Office at 123 Old Brompton Road, London SW7 3RP<https://www.google.com/maps/search/123+Old+Brompton+Road,+London+SW7+3RP?entry=gmail&source=g>.

This e-mail message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer and network.
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org<http://gpfsug.org>
http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org<http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20240226/7ac180b5/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 3162 bytes
Desc: image001.gif
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20240226/7ac180b5/attachment-0001.gif>