Bug 1514363

Summary: Glusterfs client file access permission control incorrect
Product: [Community] GlusterFS
Reporter: coyang <congxueyang>
Component: fuse
Assignee: Csaba Henk <csaba>
Status: CLOSED EOL
Severity: high
Priority: unspecified
Version: 3.10
CC: bugs, congxueyang, rgowdapp
Hardware: x86_64   
OS: Linux   
Last Closed: 2018-06-20 18:25:25 UTC
Type: Bug
Attachments:
step by step guide for this problem (flags: none)

Description coyang 2017-11-17 08:44:38 UTC
Created attachment 1354046 [details]
step by step guide for this problem

Description of problem:
glusterfs client point file 

Version-Release number of selected component (if applicable):


How reproducible:

Env description
3 nodes sn-0/1/2 act as glusterfs server nodes.
Create a 2-way replicate volume export and mount the volume from another glusterfs client node mn-0.
[root@sn-0:/root]
# gluster pool list
UUID                    Hostname    State
55183779-2af2-4693-bf8b-f60aecc72bf2    sn-1.local  Connected 
9acb143b-cc90-4e06-9870-1187272a8dfc    sn-2.local  Connected 
1404829b-a823-4911-baa0-9768e534de90    localhost   Connected 
[root@sn-0:/root]
# gluster peer status 
Number of Peers: 2

Hostname: sn-1.local
Uuid: 55183779-2af2-4693-bf8b-f60aecc72bf2
State: Peer in Cluster (Connected)

Hostname: sn-2.local
Uuid: 9acb143b-cc90-4e06-9870-1187272a8dfc
State: Peer in Cluster (Connected)
[root@sn-0:/root]
# gluster v info export 

Volume Name: export
Type: Replicate
Volume ID: 4d6e0035-41b1-4989-939a-1f5e800f738f
Status: Started
Snapshot Count: 0
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: sn-0.local:/mnt/bricks/export/brick
Brick2: sn-1.local:/mnt/bricks/export/brick
Options Reconfigured:
network.ping-timeout: 42
server.allow-insecure: on
cluster.consistent-metadata: on
cluster.server-quorum-type: server
transport.address-family: inet
nfs.disable: on
cluster.server-quorum-ratio: 51%
[root@sn-0:/root]
# gluster v status export
Status of volume: export
Gluster process                             TCP Port  RDMA Port  Online  Pid
------------------------------------------------------------------------------
Brick sn-0.local:/mnt/bricks/export/brick   49156     0          Y       7493 
Brick sn-1.local:/mnt/bricks/export/brick   49156     0          Y       6574 
Self-heal Daemon on localhost               N/A       N/A        Y       10048
Self-heal Daemon on sn-1.local              N/A       N/A        Y       8682 
Self-heal Daemon on sn-2.local              N/A       N/A        Y       8540 

Task Status of Volume export
------------------------------------------------------------------------------
There are no active volume tasks
Step by step guide
Pre condition
user robot is a normal user

robot:x:10000:0:Robot user for test automation purposes:/home/robot:/bin/bash

/mnt/export is the mount point

[robot@mn-0:/home/robot]
$ findmnt |grep export |grep -v tmp
├─/mnt/export                    sn-0.local:/export                                         fuse.glusterfs rw,relatime,user_id=0,group_id=0,allow_other,max_read=131072
Create a directory in /mnt/export named test; the robot user doesn't have permission to access it.
[robot@mn-0:/home/robot]
$ stat /mnt/export/test
stat: cannot stat '/mnt/export/test': Permission denied
[robot@mn-0:/home/robot]
$ sudo stat /mnt/export/test
  File: /mnt/export/test
  Size: 4096        Blocks: 8          IO Block: 131072 directory
Device: 25h/37d Inode: 10834584126020128969  Links: 2
Access: (2755/drwxr-sr-x)  Uid: (    0/    root)   Gid: (  615/_nokfsuifileshare)
Access: 2017-11-17 09:52:37.737000000 +0200
Modify: 2017-11-17 09:53:57.183000000 +0200
Change: 2017-11-17 09:53:57.183000000 +0200
 Birth: -

Steps to Reproduce:

1. Use sudo "dd if=/dev/zero of=/mnt/export/test/testfile bs=4K count=1 ;" to create a file
2. ls the file as root user, then use robot user to ls the file

sudo ls -l /mnt/export/test/testfile &&  ls -l /mnt/export/test/testfile 

Actual results:
The first and second ls both return success.

[robot@mn-0:/home/robot]
$ sudo ls -l /mnt/export/test/testfile &&  ls -l /mnt/export/test/testfile 
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile

Expected results:
the second ls should return Permission denied.

Additional info:
After sleeping 1 second or dropping caches, the second ls fails.

[robot@mn-0:/home/robot]
$ sudo ls -l /mnt/export/test/testfile && sleep 1 && ls -l /mnt/export/test/testfile
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile
ls: cannot access '/mnt/export/test/testfile': Permission denied
[robot@mn-0:/home/robot]
$ sudo ls -l /mnt/export/test/testfile && sleep 1 && ls -l /mnt/export/test/testfile
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile
ls: cannot access '/mnt/export/test/testfile': Permission denied
[robot@mn-0:/home/robot]
$ sudo ls -l /mnt/export/test/testfile && sudo bash -c " echo 3 > /proc/sys/vm/drop_caches " && ls -l /mnt/export/test/testfile
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile
ls: cannot access '/mnt/export/test/testfile': Permission denied

Comment 1 coyang 2017-11-20 05:58:32 UTC
This problem seems to be in the fuse entry cache. I changed the ZR_ENTRY_TIMEOUT_OPT timeout value from 1.0 to 0.01, and the problem seems to be solved.
fuse-bridge.c line 5381 (glusterfs 3.10.6)
struct volume_options options[] = {
...
        { .key  = {ZR_ENTRY_TIMEOUT_OPT},
          .type = GF_OPTION_TYPE_DOUBLE,
          .default_value = "1.0"
        },

Comment 2 coyang 2017-11-24 03:23:43 UTC
function call list:
fuse_lookup 
    |
    \-->fuse_lookup_resume
        |
        \--> fuse_lookup_cbk
                |
                \-->fuse_entry_cbk
                    |
                    \--> calc_timeout_sec
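
The following is an added example, not part of the original report and not GlusterFS or kernel code: a small model of the entry-cache window that Comments 1 and 2 point at, where a lookup answered from a still-valid cached entry never evaluates the second caller's uid. The names cached_lookup, server_lookup and replay, and the uid-0-only policy, are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
/* Hypothetical one-slot entry cache keyed by path only: no caller credentials. */
static struct { char path[64]; double valid_until; bool present; } cache;

/* Stand-in for the server-side check (constructed policy, an assumption):
 * only uid 0 may look up names under the directory. */
static int server_lookup(uid_t uid, const char *path)
{
    (void)path;
    return uid == 0 ? 0 : -EACCES;
}

/* A still-valid cached entry is answered locally, so the caller's uid is
 * never evaluated; only a miss or an expired entry reaches server_lookup(). */
int cached_lookup(uid_t uid, const char *path, double now, double entry_timeout)
{
    if (cache.present && now < cache.valid_until && strcmp(cache.path, path) == 0)
        return 0;
    int ret = server_lookup(uid, path);
    cache.present = (ret == 0 && entry_timeout > 0.0);
    if (cache.present) {
        snprintf(cache.path, sizeof cache.path, "%s", path);
        cache.valid_until = now + entry_timeout;
    }
    return ret;
}

/* Replay the report: root looks the file up at t=0, then uid 10000 (robot)
 * looks it up `gap` seconds later. Returns robot's result. */
int replay(double entry_timeout, double gap)
{
    const char *path = "/mnt/export/test/testfile";
    cache.present = false;
    if (cached_lookup(0, path, 0.0, entry_timeout) != 0)
        return -EIO;
    return cached_lookup(10000, path, gap, entry_timeout);
}

int main(void)
{
    printf("timeout 1.0, gap 0.0 -> %d\n", replay(1.0, 0.0));
    printf("timeout 1.0, gap 1.0 -> %d\n", replay(1.0, 1.0));
    return 0;
}
```

In this model a timeout of 1.0 reproduces both observations from the description (immediate success, failure after one second), and shrinking the timeout narrows the window without removing it unless the timeout is zero.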

Comment 3 Shyamsundar 2018-06-20 18:25:25 UTC
This bug is reported against a version of Gluster that is no longer maintained (or has been EOL'd). See https://www.gluster.org/release-schedule/ for the versions currently maintained.

As a result this bug is being closed.

If the bug persists on a maintained version of gluster or against the mainline gluster repository, request that it be reopened and the Version field be marked appropriately.