Bug 1238561

Summary: FSAL_GLUSTER : nfs4_getfacl do not display DENY entries
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: Jiffin <jthottan>
Component: nfs-ganesha
Assignee: Jiffin <jthottan>
Status: CLOSED ERRATA
QA Contact: Matt Zywusko <mzywusko>
Severity: medium
Docs Contact:
Priority: medium
Version: rhgs-3.1
CC: akhakhar, asriram, asrivast, bmohanra, byarlaga, jthottan, kkeithle, mzywusko, ndevos, nlevinki, sankarshan, skoduri, smohan
Target Milestone: ---
Keywords: ZStream
Target Release: RHGS 3.1.2
Hardware: All
OS: All
Whiteboard:
Fixed In Version: nfs-ganesha-2.2.0-10
Doc Type: Bug Fix
Doc Text:
Although DENY entries are handled in nfs4_setfacl, they cannot be stored in the backend (a DENY entry cannot be converted to a POSIX ACL). Due to this, DENY entries won't display in nfs4_getfacl. With this fix, POSIX ACLs are populated based on both ALLOW and DENY entries using the algorithm mentioned in https://tools.ietf.org/html/draft-ietf-nfsv4-acl-mapping-05. nfs4_getfacl will now print the DENY entries if necessary.
Story Points: ---
Clone Of: 1238558
Environment:
Last Closed: 2016-03-01 05:27:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1238558, 1251471
Bug Blocks: 1216951, 1260783

Description Jiffin 2015-07-02 07:16:53 UTC
+++ This bug was initially created as a clone of Bug #1238558 +++

Description of problem:

Although DENY entries are handled properly in the ACL implementation, they are not displayed in nfs4_getfacl().

Version-Release number of selected component (if applicable):
mainline

How reproducible:
always

Steps to Reproduce:
1. Create a volume.
2. Export the volume through nfs-ganesha.
3. Mount the volume using NFSv4.
4. Set a DENY ACL, which will create a DENY entry in the list, using nfs4_setfacl.
5. Call nfs4_getfacl().

Actual results:
DENY entries are not displayed 

Expected results:
should display DENY entries

Additional info:
Even if they are not displayed, permissions which are not shown in an ALLOW entry will be considered as denied ones.

Comment 2 Jiffin 2015-07-06 06:21:49 UTC
The only known issue here is that DENY entries won't display when you call nfs4_getfacl(). But DENY entries are handled properly within the current implementation, i.e. there is no functionality issue with DENY entries.

The user should understand that if the permission bit is not set in an ALLOW entry, it should be considered as DENY.

Comment 4 monti lawrence 2015-07-22 21:02:14 UTC
Doc text is edited. Please sign off to be included in Known Issues.

Comment 5 Jiffin 2015-07-23 07:12:17 UTC
Verified the doc text

Comment 8 Jiffin 2015-08-27 09:37:33 UTC
Moving the devel acks since this bug depends on BZ1251471, and that bug depends on another two bugs. So it can be deferred to the next release. The fix is only merged in upstream ganesha.

Comment 12 Jiffin 2015-09-09 09:08:56 UTC
The patch is merged upstream: https://review.gerrithub.io/#/c/241287/

Comment 14 Saurabh 2015-11-03 14:30:10 UTC
# nfs4_getfacl /mnt/acl_test/file2 
A::OWNER@:rwatTcCy
A::1601:rwatcy
D::niels@.eng.blr.redhat.com:rwa
A::niels@.eng.blr.redhat.com:tcy
A::GROUP@:rwatcy
A::EVERYONE@:watcy


The deny entry is getting displayed.
Verified on nfs-ganesha-2.2.0-10.el7rhgs.x86_64
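
The listing in comment 14 can also be checked mechanically. The following is an added example, not part of the bug report or of nfs-ganesha: it parses nfs4_getfacl output and applies the ordered NFSv4 ACE evaluation (RFC 7530), in which the first matching ALLOW or DENY entry decides each permission bit. The function names and the caller-supplied set of matching principals are assumptions of this example.

```python
from typing import NamedTuple

# Constructed sample: the nfs4_getfacl listing quoted in comment 14.
SAMPLE = """\
A::OWNER@:rwatTcCy
A::1601:rwatcy
D::niels@.eng.blr.redhat.com:rwa
A::niels@.eng.blr.redhat.com:tcy
A::GROUP@:rwatcy
A::EVERYONE@:watcy
"""

class Ace(NamedTuple):
    type: str         # 'A' = ALLOW, 'D' = DENY
    flags: str        # e.g. 'g' for a group principal, may be empty
    who: str          # principal or special identifier (OWNER@, GROUP@, EVERYONE@)
    perms: frozenset  # single-letter permission bits, case sensitive

def parse_acl(text):
    """Parse 'type:flags:principal:permissions' lines in listing order."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and '# file:' headers
            continue
        ace_type, flags, rest = line.split(":", 2)
        who, perms = rest.rsplit(":", 1)
        aces.append(Ace(ace_type, flags, who, frozenset(perms)))
    return aces

def evaluate(aces, identities, requested):
    """Return (allowed, denied, implicit) permission bits for a requester.

    identities: every 'who' value that matches the requester. Assumption:
    the caller has already resolved OWNER@/GROUP@ membership.
    implicit: bits no matching ACE mentions; per this bug report they
    are to be treated as denied.
    """
    allowed, denied = set(), set()
    for ace in aces:
        if ace.who not in identities or ace.type not in ("A", "D"):
            continue
        undecided = (ace.perms & set(requested)) - allowed - denied
        (allowed if ace.type == "A" else denied).update(undecided)
    implicit = set(requested) - allowed - denied
    return allowed, denied, implicit

if __name__ == "__main__":
    who = {"niels@.eng.blr.redhat.com", "EVERYONE@"}
    print(evaluate(parse_acl(SAMPLE), who, "rwatcy"))
```

For the user named in the D entry, `w` and `a` end up denied even though the later EVERYONE@ entry allows them, which is why the position of the DENY entry in the listing matters.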

Comment 17 errata-xmlrpc 2016-03-01 05:27:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0193.html