Bug 1200453

Summary: Permission denied for user with many secondary groups
Product: [Community] GlusterFS Reporter: Aleksey <a.khaustov13>
Component: fuse Assignee: Niels de Vos <ndevos>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.6.2 CC: a.khaustov13, bugs, gluster-bugs, ndevos
Target Milestone: --- Keywords: Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-18 11:48:29 UTC Type: Bug

Description Aleksey 2015-03-10 15:22:57 UTC
Description of problem:


Version-Release number of selected component (if applicable):

OS: RHEL5.10 
Gluster 3.5 3.6

How reproducible:

Suppose there is a FUSE client mount point at /glusterfs.
In this directory there are some subdirectories with different
owners/groups, like this:


$ ls -l /glusterfs/
drwxr-x---   testuser1 testuser1  dir1
drwxr-x---   testuser2 testuser2  dir2
drwxr-x---   testuser3 testuser3  dir3
drwxr-x---   testuser4 testuser4  dir4
........
drwxr-x---   testuser200 testuser200  dir200

Note that all directories have mode 750.
Next, create a user:
useradd testuser 
usermod -a -G testuser1, .... ,testuser200 testuser
su - testuser
ls /glusterfs/dir1

ls: /glusterfs/dir1/: Permission denied


Steps to Reproduce:
1.
2.
3.

Actual results:

Permission denied

Expected results:

User testuser can do ls on a subdirectory from the above example.

Additional info:

Comment 1 Niels de Vos 2015-03-17 12:25:42 UTC
You should be able to get this to work by setting the server.manage-gids volume option. This moves the resolving of all the auxiliary groups to the bricks. By default, the FUSE client sends a list of the groups the user belongs to, and the RPC protocol limits this list to approx. 93 groups.

See http://review.gluster.org/7202 for a few more details.

Please let me know if this helps you.

Comment 2 Aleksey 2015-03-18 11:01:03 UTC
Thank you very much - now it's working.
But this solution will work only when the same users/groups exist on both machines:
where the block devices are physically mounted as bricks and on the FUSE client - am I right?

Comment 3 Niels de Vos 2015-03-18 11:48:29 UTC
Yes, using server.manage-gids requires that the servers hosting the bricks for the volume can resolve all the groups of the user by using the UID. The GlusterFS protocol passes the UID (numeric, not the name/string) to getgroups(2).

I think this answers your questions about this problem, therefore I am closing this bug. Thanks, Niels.
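
Added example (not part of the bug report and not GlusterFS code): a check for the condition discussed in comments 1 to 3, comparing the groups a UID resolves to on the FUSE client with what a brick server resolves, and flagging users above the approx. 93-group limit. The function names, the constructed GIDs and the use of Python's os.getgrouplist() for the local lookup are assumptions of this sketch.

```python
import os
import pwd

# Approximate number of groups one RPC request can carry, as stated in comment 1.
RPC_GROUP_LIMIT = 93

# Constructed sample data: GIDs as printed by `id -G testuser` on the client,
# and the set a brick server resolved for the same numeric UID.
SAMPLE_CLIENT_ID_OUTPUT = " ".join(str(g) for g in range(5000, 5201))
SAMPLE_SERVER_GIDS = set(range(5000, 5151)) | {7000}


def groups_for_uid(uid):
    """Resolve the GIDs this host's identity database gives a numeric UID."""
    entry = pwd.getpwuid(uid)  # KeyError: this host cannot resolve the UID at all
    return set(os.getgrouplist(entry.pw_name, entry.pw_gid))


def parse_id_output(text):
    """Parse the output of `id -G` (space-separated numeric GIDs)."""
    return {int(tok) for tok in text.split()}


def compare_group_views(client_gids, server_gids, limit=RPC_GROUP_LIMIT):
    """Compare one user's groups as seen on the client and on a brick server."""
    client, server = set(client_gids), set(server_gids)
    return {
        "client_count": len(client),
        # Above the limit the client-sent list is incomplete, so the
        # server-side lookup (server.manage-gids) is what decides access.
        "exceeds_rpc_limit": len(client) > limit,
        # Known to the client only: the brick cannot grant access through these.
        "missing_on_server": sorted(client - server),
        # Known to the brick only: membership the client side does not show.
        "extra_on_server": sorted(server - client),
    }


if __name__ == "__main__":
    report = compare_group_views(
        parse_id_output(SAMPLE_CLIENT_ID_OUTPUT), SAMPLE_SERVER_GIDS
    )
    for key, value in report.items():
        print(f"{key}: {value}")
    # On a real host, groups_for_uid(os.getuid()) gives the local view to compare.
```

Run it on each brick server with the client's `id -G` output as input; any non-empty missing_on_server or extra_on_server list means the identity databases have drifted apart.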