Bug 1368096

Summary: [ganesha+gdeploy]: Add a section to add client specific permissions in volume export block.
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: Shashank Raj <sraj>
Component: gdeploy
Assignee: Sachidananda Urs <surs>
Status: CLOSED ERRATA
QA Contact: Manisha Saini <msaini>
Severity: high
Priority: unspecified
Version: rhgs-3.1
CC: jthottan, kkeithle, mzywusko, ndevos, rcyriac, rhinduja, rhs-bugs, skoduri, smohan, storage-qa-internal
Target Release: RHGS 3.2.0
Hardware: x86_64
OS: Linux
Fixed In Version: gdeploy-2.0.1-5
Last Closed: 2017-03-23 05:08:25 UTC
Type: Bug
Bug Blocks: 1351528

Description Shashank Raj 2016-08-18 12:01:16 UTC
Description of problem:

Add a section to add client specific permissions in volume export block.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

The parameter values and permission values given in the EXPORT block apply to any client that mounts the exported volume. To provide specific permissions to specific clients, introduce a client block inside the EXPORT block.

For example, to assign specific permissions for client 10.00.00.01, add the following block in the EXPORT block.

client {
        clients = 10.00.00.01;  # IP of the client.
        allow_root_access = true;
        access_type = "RO"; # Read-only permissions
        Protocols = "3"; # Allow only NFSv3 protocol.
        anonymous_uid = 1440;
        anonymous_gid = 72;
  }

All the other clients inherit the permissions that are declared outside the client block.

Also as discussed with Jiffin:

Client IP, allow_root_access and access_type are the important parameters which should be there. So let's target to add these in the export block for any client, keeping in mind the different values these parameters can take.

client {
        clients = 10.00.00.01;  # IP of the client.
        allow_root_access = true;
        access_type = "RO"; # Read-only permissions

  }

Actual results:


Expected results:


Additional info:

Comment 2 Sachidananda Urs 2016-09-20 07:14:16 UTC
Rebase fixes the issue.

Comment 7 Manisha Saini 2016-11-21 16:21:39 UTC
1. This script runs only for a volume with the name ganesha as default.
While creating a volume with a different name, it fails with

[hosts]
dhcp47-165.lab.eng.blr.redhat.com
dhcp46-196.lab.eng.blr.redhat.com
dhcp47-184.lab.eng.blr.redhat.com
dhcp46-102.lab.eng.blr.redhat.com

[nfs-ganesha]
action=refresh-config
block-name=client
config-block=clients = 10.70.47.166;,allow_root_access = true;,access_type = "RW";,Protocols = "3";,anonymous_uid = 1440;,anonymous_gid = 72;
volname=nfsGanesha


Error:

failed: [dhcp46-102.lab.eng.blr.redhat.com] (item=clients = 10.70.47.166;,allow_root_access = true;,access_type = "RO";,Protocols = "3";,anonymous_uid = 1440;,anonymous_gid = 72;) => {"failed": true, "item": "clients = 10.70.47.166;,allow_root_access = true;,access_type = \"RO\";,Protocols = \"3\";,anonymous_uid = 1440;,anonymous_gid = 72;", "msg": "Destination /var/run/gluster/shared_storage/nfs-ganesha/exports/export.ganesha.conf does not exist !", "rc": 257}
failed: [dhcp46-102.lab.eng.blr.redhat.com] (item=}

2. Even tried with the default name as ganesha. In that case even refresh-config is not working as expected.

Setting access_type = "RO" only prints a separate line in the export file, but in actuality the permissions are not set on the client side. Still able to create files/delete files on the client side with RO permissions:

EXPORT{
      Export_Id= 3 ;
      Path = "/ganesha";
      FSAL {
           name = GLUSTER;
           hostname="localhost";
          volume="ganesha";
           }
      Access_type = RW;
      Disable_ACL = true;
      Squash="No_root_squash";
      Pseudo="/ganesha";
      Protocols = "3", "4" ;
      Transports = "UDP","TCP";
      SecType = "sys";
client {
clients = 10.70.47.166;,allow_root_access = true;,access_type = "RO";,Protocols = "3";,anonymous_uid = 1440;,anonymous_gid = 72;
}
}


[root@dhcp47-165 gdeploy]# rpm -qa | grep gdeploy
gdeploy-2.0.1-4.el7rhgs.noarch
[root@dhcp47-165 gdeploy]# rpm -qa | grep ansible
ansible-2.2.0.0-1.el7.noarch

Comment 8 Sachidananda Urs 2016-11-21 17:14:31 UTC
Manisha,

The config file appears to be wrong. You are comma separating the values.
The values should be pipe (|) separated.
Please refer: https://github.com/gluster/gdeploy/blob/master/examples/add-client-block-refresh-config.conf

I should have updated the bug with that detail. I'm sorry about that.

Comment 9 Manisha Saini 2016-11-22 11:56:16 UTC
If the volume is created with a name other than "ganesha", refresh config fails adding client permissions.

Steps to reproduce:
1. Create Ganesha 4 node cluster using gdeploy.
2. Create Volume with ganesha enabled with name ganeshaVol
3. Mount it on client
4. Run refresh Config to add permissions of that client

[hosts]
dhcp46-241.lab.eng.blr.redhat.com
dhcp46-219.lab.eng.blr.redhat.com
dhcp47-159.lab.eng.blr.redhat.com
dhcp47-3.lab.eng.blr.redhat.com


[nfs-ganesha]
action=refresh-config
config-block=clients = 10.70.46.30;|allow_root_access = true;|access_type = "RO";|Protocols = "2", "3";|anonymous_uid = 1440;|anonymous_gid = 72;
volname=ganeshaVol

Actual Result:
Script fails with 

failed: [dhcp46-219.lab.eng.blr.redhat.com] (item=Protocols = "2", "3";) => {"failed": true, "item": "Protocols = \"2\", \"3\";", "msg": "Destination /var/run/gluster/shared_storage/nfs-ganesha/exports/export.ganesha.conf does not exist !", "rc": 257}

Here it is always looking for export.ganesha.conf file.

Each time a volume is exported, a file gets created in
/var/run/gluster/shared_storage/nfs-ganesha/exports/

with name export.ganeshaVol.conf (having the name of the volume).


As the refresh config to add client-specific permissions in the volume export block is failing,
marking this bug as Failed_QA

Comment 10 Sachidananda Urs 2016-11-22 12:33:55 UTC
This is because of my assumption that the configuration file will be always named as /var/run/gluster/shared_storage/nfs-ganesha/exports/export.ganesha.conf

Commit: https://github.com/gluster/gdeploy/commit/32cfe7300a51 fixes the issue.
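
The two failures discussed in comments 8 to 10 (comma-joined config-block items and the hard-coded export.ganesha.conf path) can be caught before any file is touched. The following is an added example, not gdeploy's code and not part of the original thread; the function names and the allowed volume-name character set are assumptions.

```python
import os
import re

# Directory named in the bug report; one export.<volname>.conf per exported volume.
EXPORT_DIR = "/var/run/gluster/shared_storage/nfs-ganesha/exports"
# Exactly one "key = value;" statement; the value may be a list such as "2", "3".
STATEMENT = re.compile(r'^\s*(\w+)\s*=\s*([^;]+?)\s*;\s*$')
# Assumed conservative character set, so a volume name cannot alter the path.
VOLNAME = re.compile(r'^[A-Za-z0-9_-]+$')


def export_conf_path(volname):
    """Derive the export file from the volume name instead of assuming 'ganesha'."""
    if not VOLNAME.match(volname):
        raise ValueError("unexpected volume name: %r" % volname)
    return os.path.join(EXPORT_DIR, "export.%s.conf" % volname)


def parse_config_block(config_block):
    """Split a pipe-separated config-block into ordered (key, value) pairs."""
    pairs = []
    for item in config_block.split("|"):
        m = STATEMENT.match(item)
        if m is None:
            # Comma-joined input arrives here as one item holding several statements.
            raise ValueError("not a single 'key = value;' statement: %r" % item)
        pairs.append((m.group(1), m.group(2)))
    return pairs


def render_client_block(config_block):
    """Render the client block with one statement per line."""
    lines = ["client {"]
    lines += ["        %s = %s;" % kv for kv in parse_config_block(config_block)]
    lines.append("}")
    return "\n".join(lines)


# Constructed inputs, shaped like the gdeploy configs quoted in the comments.
PIPE = 'clients = 10.70.46.30;|access_type = "RO";|Protocols = "2", "3";'
COMMA = 'clients = 10.70.47.166;,allow_root_access = true;,access_type = "RO";'

if __name__ == "__main__":
    print(export_conf_path("ganeshaVol"))
    print(render_client_block(PIPE))
```

Rejecting the comma-joined form up front avoids the situation reported in comment 7, where the whole string was written as a single line inside the client block and the client could still write despite access_type = "RO".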

Comment 11 Manisha Saini 2016-11-23 12:35:55 UTC
Verified this Bug on

gdeploy-2.0.1-5.el7rhgs.noarch

glusterfs-3.8.4-5.el7rhgs.x86_64 

Currently there is only support for adding permissions for a single client in gdeploy.

Raised a new bug to add permissions for multiple clients in gdeploy:
https://bugzilla.redhat.com/show_bug.cgi?id=1397743

As support is added to add permission for a single client in the volume export block, marking this bug as verified.

Comment 13 errata-xmlrpc 2017-03-23 05:08:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0482.html