<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<div>
<div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black">
Only the top level of the project is root:root, not all files. The owner inherit is like CREATOROWNER in Windows, so the parent owner isn't inherited, but the permission inherits to newly created files.<br>
<br>
</div>
<div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black">
It was a while ago we worked out our permission defaults but without it we could have users create a file/directory but not be able to edit/change it as whilst the group had permission, the owner didn't.<br>
<br>
</div>
<div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black">
I should note we are all at 5.x code and not 4.2.<br>
<br>
</div>
<div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black">
Simon</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> gpfsug-discuss-bounces@spectrumscale.org <gpfsug-discuss-bounces@spectrumscale.org> on behalf of Paul Ward <p.ward@nhm.ac.uk><br>
<b>Sent:</b> Tuesday, October 15, 2019 5:15:50 PM<br>
<b>To:</b> gpfsug main discussion list <gpfsug-discuss@spectrumscale.org><br>
<b>Subject:</b> Re: [gpfsug-discuss] default owner and group for POSIX ACLs</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:11pt;">
<div class="PlainText">An amalgamated answer...<br>
<br>
> You do realize that will mean backing everything up again...<br>
<br>
>From the tests that I have done, it appears not.<br>
A Spectrum protect incremental backup performs an 'update' when the ACL is changed via mmputacl or chown.<br>
when I do a backup after an mmputacl or chown ACL change on a migrated file, it isn't recalled, so it cant be backing up the file.<br>
<br>
If I do the same change from windows over a smb mount, it does cause the file to be recalled and backedup.<br>
<br>
<br>
<br>
> ...I am not sure why you need POSIX ACL's if you are running Linux...<br>
>From what I have recently read...<br>
<a href="https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_admnfsaclg.htm">https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_admnfsaclg.htm</a><br>
"Linux does not allow a file system to be NFS V4 exported unless it supports POSIX ACLs."<br>
<br>
As I said this system has had roles added to it. The original purpose was to only support NFS exports, then as a staging area for IT, as end user access wasn't needed, only POSIX permissions were used.<br>
No it has end user SMB mounts.<br>
<br>
>“chmodAndSetAcl”<br>
Saw this recently - will look at changing to that!<br>
<a href="https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_authoriziefileprotocolusers.htm">https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_authoriziefileprotocolusers.htm</a><br>
"To allow proper use of ACLs, it is recommended to prevent chmod from overwriting the ACLs by setting this parameter to setAclOnly or chmodAndSetAcl."<br>
<br>
>#owner:root<br>
OK so you do have root as the owner.<br>
<br>
> special:owner@:rwxc:allow:FileInherit:DirInherit<br>
And have it propagated to children.<br>
<br>
> group:gITS_BEAR_2019- some-project:rwxc:allow:FileInherit:DirInherit<br>
We by default assign two groups to a folder, a RW and R only. <br>
<br>
> special:everyone@:----:allow<br>
> special:owner@:rwxc:allow<br>
> special:group@:rwx-:allow<br>
I have been removing these.<br>
<br>
<br>
This seems to work, but was set via windows:<br>
POSIX:<br>
d--------- 2 root root 512 Apr 11 2019 <group><br>
<br>
<br>
<br>
#NFSv4 ACL<br>
#owner:root<br>
#group:root<br>
#ACL flags:<br>
# DACL_PRESENT<br>
# DACL_AUTO_INHERITED<br>
# SACL_AUTO_INHERITED<br>
# NULL_SACL<br>
group:dg-<group>-ro:r-x-:allow:FileInherit:DirInherit<br>
(X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<br>
(-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED<br>
<br>
group:dg-<group>-rwm:rwx-:allow:FileInherit:DirInherit<br>
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<br>
(X)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED<br>
<br>
group:dl-<service-desk-access-to-view-permissions>:r-x-:allow:FileInherit:DirInherit:Inherited<br>
(X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED<br>
(-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED<br>
<br>
So is root as the owner the norm?<br>
<br>
Kindest regards,<br>
Paul<br>
<br>
Paul Ward<br>
TS Infrastructure Architect<br>
Natural History Museum<br>
T: 02079426450<br>
E: p.ward@nhm.ac.uk<br>
<br>
-----Original Message-----<br>
From: gpfsug-discuss-bounces@spectrumscale.org <gpfsug-discuss-bounces@spectrumscale.org> On Behalf Of Jonathan Buzzard<br>
Sent: 15 October 2019 15:30<br>
To: gpfsug main discussion list <gpfsug-discuss@spectrumscale.org><br>
Subject: Re: [gpfsug-discuss] default owner and group for POSIX ACLs<br>
<br>
On Tue, 2019-10-15 at 12:34 +0000, Paul Ward wrote:<br>
> We are in the process of changing the way GPFS assigns UID/GIDs from <br>
> internal tdb to using AD RIDs with an offset that matches our linux <br>
> systems. We, therefore, need to change the ACLs for all the files in <br>
> GPFS (up to 80 million).<br>
<br>
You do realize that will mean backing everything up again...<br>
<br>
> We are running in mixed ACL mode, with some POSIX and some NFSv4 ACLs <br>
> being applied. (This system was set up 14 years ago and has changed <br>
> roles over time) We are running on linux, so need to have POSIX <br>
> permissions enabled.<br>
<br>
We run on Linux and only have NFSv4 ACL's applied. I am not sure why you need POSIX ACL's if you are running Linux. Very very few applications will actually check ACL's or even for that matter permissions. They just do an fopen call or similar and the OS either
goes yeah or neah, and the app needs to do something in the case of neah.<br>
<br>
> <br>
> What I want to know for those in a similar environment, what do you <br>
> have as the POSIX owner and group, when NFSv4 ACLs are in use?<br>
> root:root<br>
> <br>
> or do you have all files owned by a filesystem administrator account <br>
> and group:<br>
> <ad service account>:<ad fileserver admin group><br>
> <br>
> on our samba shares we have :<br>
> admin users = @<ad fileserver admin group> <br>
> So don’t actually need the group defined in POSIX.<br>
> <br>
<br>
Samba works much better with NFSv4 ACL's.<br>
<br>
JAB.<br>
<br>
-- <br>
Jonathan A. Buzzard Tel: +44141-5483420<br>
HPC System Administrator, ARCHIE-WeSt.<br>
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG<br>
<br>
<br>
<br>
_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at spectrumscale.org<br>
<a href="https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7Cp.ward%40nhm.ac.uk%7C54e024b8b52b4a70208e08d7517c47fc%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637067466552637538&sdata=v43g1MEBnRBZP%2B5J7ORvywIq6poqhK24fTsCco0IEDo%3D&reserved=0">https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7Cp.ward%40nhm.ac.uk%7C54e024b8b52b4a70208e08d7517c47fc%7C73a29c014e78437fa0d4c8553e1960c1%7C1%7C0%7C637067466552637538&sdata=v43g1MEBnRBZP%2B5J7ORvywIq6poqhK24fTsCco0IEDo%3D&reserved=0</a><br>
_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at spectrumscale.org<br>
<a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a><br>
</div>
</span></font>
</body>
</html>