Bug 1284701

Summary: FUSE mount does not honor all user groups
Product: [Red Hat Storage] Red Hat Gluster Storage
Component: fuse
Reporter: Jared Hancock <jared.hancock>
Assignee: Bug Updates Notification Mailing List <rhs-bugs>
QA Contact: storage-qa-internal <storage-qa-internal>
CC: chrisw, csaba, nlevinki
Status: CLOSED WONTFIX
Severity: medium
Priority: unspecified
Version: unspecified
Keywords: ZStream
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2018-04-16 17:49:09 UTC

Description Jared Hancock 2015-11-23 23:39:15 UTC
Description of problem:
If a user is a member of more than 32 groups, the total groups list is not inspected by the Gluster FUSE mount. I know this was recently mitigated with Gluster version 3.6 with the --resolve-gids mount option. fuse-helpers.c line 146 (https://github.com/gluster/glusterfs/blob/master/xlators/mount/fuse/src/fuse-helpers.c#L146) seems to limit this to 32 specifically; however, the modern Linux kernel does not seem to maintain the limit at 32 (see include/linux/cred.h line 36 (https://github.com/torvalds/linux/blob/master/include/linux/cred.h#L36)). In Linux the first block of gids is limited to 32 groups, but more than 32 groups are maintained in memory and are reported by /proc/xxx/status. For example, my user is a member of 50 groups:

$ cat /proc/25894/status
...
Groups: 100513 102561 103023 118135 118141 118142 118157 118161 118170 118195 118199 118203 118737 118749 118824 119007 120104 120443 120486 121200 121220 121424 121438 122073 122085 122088 122116 122138 122139 122148 122153 122373 122450 131270 132517 132518 132519 132520 132521 132522 132523 132524 132525 132533 132535 132538 132540 134566 201116 201122
...


Version-Release number of selected component (if applicable):
Linux 4.1.7
GlusterFS 3.6.5

How reproducible:
Always: Create a user and associate it with more than 32 groups

Steps to Reproduce:
1. Mount a Gluster volume with FUSE
2. Create a folder, change group owner or set ACLs
3. Attempt to access it by a user who is a member of the group with access

Actual results:
bcs-nas shares # sudo -u DOMAIN/c5232 ls -l opr
ls: cannot open directory opr: Permission denied


Expected results:
ctoc-nas shares # sudo -u DOMAIN/c5232 ls -l opr
total 0

Additional info:
I was able to build the source changing the FUSE_MAX_AUX_GROUPS to 80 on my system and am able to use FUSE with ACLs and my enormous group listing without any other modification. The host named `ctoc-nas` in the above "Expected Results" is using the modified codebase.

Comment 2 Jared Hancock 2015-11-24 16:15:45 UTC
I created a pull request at the glusterfs repo, https://github.com/gluster/glusterfs/pull/41, which suggests dropping the 32 limit in favor of the limit imposed when using the `resolve-gids` switch.
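
The truncation described in this report, shown as an added example that is not part of the bug report or the GlusterFS source: a parser for the `Groups:` line of `/proc/<pid>/status` that keeps only the first `cap` gids, run over the reporter's 50-gid list with the cap of 32 the report cites and the 80 the reporter rebuilt with. `view_groups`, `struct group_view`, the extra status fields and the choice of gid 131270 are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed input: the Groups: line quoted in the report inside a made-up
 * /proc/<pid>/status layout. 131270 (34th entry) is an arbitrary test gid. */
static const char SAMPLE_STATUS[] =
    "Name:\tls\nUid:\t1000\t1000\t1000\t1000\nGroups:\t"
    "100513 102561 103023 118135 118141 118142 118157 118161 118170 118195 "
    "118199 118203 118737 118749 118824 119007 120104 120443 120486 121200 "
    "121220 121424 121438 122073 122085 122088 122116 122138 122139 122148 "
    "122153 122373 122450 131270 132517 132518 132519 132520 132521 132522 "
    "132523 132524 132525 132533 132535 132538 132540 134566 201116 201122 \n"
    "VmPeak:\t1024 kB\n";

/* listed = gids reported, kept = gids under the cap, member = want was kept */
struct group_view { size_t listed, kept; int member; };

/* Read the Groups: line, keeping only the first cap gids as a capped list does. */
struct group_view view_groups(const char *status, size_t cap, gid_t want)
{
    struct group_view v = {0, 0, 0};
    const char *p = strstr(status, "\nGroups:");
    if (p == NULL)
        return v;
    for (p += strlen("\nGroups:");;) {
        char *end;
        p += strspn(p, " \t");
        unsigned long gid = strtoul(p, &end, 10);
        if (*p == '\n' || end == p)
            break;                  /* end of the line, or not a number */
        v.listed++;
        if (v.kept < cap) {         /* entries past the cap are dropped */
            v.kept++;
            v.member |= ((gid_t)gid == want);
        }
        p = end;
    }
    return v;
}

int main(void)
{
    struct group_view a = view_groups(SAMPLE_STATUS, 32, 131270);
    struct group_view b = view_groups(SAMPLE_STATUS, 80, 131270);
    printf("cap 32: kept %zu of %zu, member=%d\n", a.kept, a.listed, a.member);
    printf("cap 80: kept %zu of %zu, member=%d\n", b.kept, b.listed, b.member);
    return 0;
}
```

Comparing `kept` with `listed` is a cheap way to detect that a group list was truncated before any access decision relies on it.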