[gpfsug-discuss] Adding to an existing GPFS ACL

Jonathan Buzzard jonathan.buzzard at strath.ac.uk
Wed Mar 27 22:58:15 GMT 2019


On 27/03/2019 15:59, Buterbaugh, Kevin L wrote:

[SNIP]

> So am I missing something?

Nope you are not missing anything. Setting NFSv4 ACL's on GPFS on 
*LINUX* has always been a steaming pile of Brontosaurus droppings.

I have been on about since 2011... Search the mailing list archives.

>  Is there an easier solution than writing a 
> script which recurses over the fileset, gets the existing ACL with 
> mmgetacl and outputs that to a file, edits that file to add in the new 
> group, and passes that as input to mmputacl?  That seems very cumbersome 
> and error prone, especially if I’m the one writing the script!
> 

The best option is to get yourself a pSeries machine, install AIX and 
GPFS and use the native AIX ACL command to set the ACL's. This works 
because AIX has a mechanism for passing NFSv4 ACL's through it's VFS 
interface. The RichACL kernel patches for Linux to give it the same 
functionality went nowhere. Noting that the XFS and JFS file systems, 
internally have NFSv4 ACL support.

The next best option is to export it as an NSFv4 file system and use a 
Linux/FreeBSD machine to set the ACL's (a Mac might even work). Expect 
performance to not be great.

The next best option is to do an SMB export, mount it on Linux and use 
setcifsacl or map it on Windows and use cacls command. Some 
experimentation on working out exactly how NFSv4 ACLS get mapped to 
Windows ACLS would be advisable before a mass apply though. I don't 
think it is possible to set all NFSv4 ACL options using this method.

Probably the best option, but which is not publicly available is to use 
my modified version of the Linux nfs4_setacl command :-)

You just modify nfs4_acl_for_path.c and nfs4_set_acl.c so they 
read/write the GPFS ACL struct and convert between the GPFS 
representation and the internal data structure used by the 
nfs4-acl-tools to hold NFSv4 ACL's.

However I have not put it any where public because the GPFS API 
documentation is incomplete when it comes to ACL's. Consequently I can't 
be sure it is safe so I am not releasing it. I have two questions that I 
would like answering before I make it public. I will ask them for the 
third time, in hopes someone at IBM is actually listening.

  1. What's the purpose of a special flag to indicate that it is smbd
     setting the ACL? Does this tie in with the undocumented "mmchfs -k
     samba" feature?

  2. There is a whole bunch of stuff in the documentation about v4.1
     ACL's. How does one trigger that. All I seem to be able to do is
     get POSIX and v4 ACL's. Do you get v4.1 ACL's if you set the file
     system to "Samba" ACL's or am I missing something.

The other option is to write a script. Personally I would use 
Perl/Python rather than a shell script as it would be easier to read the 
result of mmgetacl into a buffer, append the extra bits and write it out 
again with mmputacl. It is horribly slow however if you have millions of 
files to iterate over. Trust me back in 2011 I had Perl scripts for 
setting ACL's.

The final option though not quick would be for IBM to actually implement 
a mmsetfacl command. Surely it would not be too hard to take the code 
from AIX and modify the bits that set ACL's to use the GPFS API. 
Alternatively take the FreeBSD ACL commands and use them as a starting 
point. However I would not hold your breath for IBM if you expect them 
to fix the situation.


JAB.

-- 
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG



More information about the gpfsug-discuss mailing list