Bug 1566891

Summary: Set ACL policy in distrubte online will be failed which do check ACL permission
Product: [Community] GlusterFS Reporter: George <george.lian>
Component: access-controlAssignee: Susant Kumar Palai <spalai>
Status: CLOSED UPSTREAM QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: mainlineCC: bugs, jthottan, spalai
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-12 12:39:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description George 2018-04-13 07:14:27 UTC 
Description of problem:

set ACL policy online in client B, and do FOP in client A, most of FOP will be failed while do ACL permission check.

Version-Release number of selected component (if applicable):


How reproducible:
setup glusterFS with replicated, I suppose distribte also exist same issue.
and 2 mount point in 2 node, 
glustefs mount point on node A we called it client A.
glustefs mount point on node B we called it client B

Steps to Reproduce:
Note: If not specify client B, the following action is all on client A.
1)	Mount a direcot /mnt/test on gluste volume test
2)	Create a userid with name acl_usr1 with id 1126, and gourp id 1125
3)	Make sure a directory not root directory be there, let’s say /mnt/test/a
4)	Clear acl set on /mnt/test/a
setfacl --remove-all /mnt/test/a
5)	Su acl_usr1 (user id is 1126)
6)	Cd /mnt/test/a will be failed. (it’s correct.)
7)	On client B , set acl policy 
setfacl -m "g:1125:rwx" /mnt/test/a
8)	On client A cd /mnt/test/a will be success. (it’s correct)
9)	mkdir 111 failed 
bash-4.4$ mkdir 111
mkdir: cannot create directory '111': Permission denied
10)	on client B do this operation again
root@ubuntu:/mnt/test/a# setfacl -m "g:1125:rwx" /mnt/test/a
root@ubuntu:/mnt/test/a# su acl_usr1
acl_usr1@ubuntu:/mnt/test/a$ mkdir 111
mkdir on client B success!
11)	On client A repeat create directory 111,112
bash-4.4$ mkdir 111
mkdir: cannot create directory '111': File exists
bash-4.4$ mkdir 112
mkdir: cannot create directory '112': Permission denied



Actual results:
mkdir a new directory failed when ACL is set the right permission

Expected results:
mkdir a new directory SHALL be success when ACL is set the right permission


Additional info:
Comment 1 George 2018-04-13 07:22:04 UTC 
From the code study for posix-acl Xlator part, I have some concern for the following 2 point.
1)     Configure item “md-cache.cache-posix-acl” is not implement , though the item is defined in md-cache xlator.
2)     There are more logic in posix_acl_FOP(posix_acl_lookup,posix_acl_create, and so on)  have the following code script:
        if (acl_permits (frame, loc->parent, POSIX_ACL_EXECUTE))
                goto green;
        else
                goto red;
 
the above code will check the inode’s parent acl whether the ACL policy is met or not,  but if we set the ACL policy on the other client, 
the current client(mount point, glusterfs process) have no chance to get the ACL policy of parent inode in most case with the current implement of glusterfs , 
 
I suppose when ACL disabled, the lookup and getattr FOP for parent inode will be reduced due to  performance consider, but when ACL enabled, it will lead to ACL policy issue.

and 2 question:
1) do glusterfs support ACL distribute cases?
2) if yes, have there test case agaient distribute ACL setting online case?
Comment 2 Shyamsundar 2018-10-23 14:54:11 UTC 
Release 3.12 has been EOLd and this bug was still found to be in the NEW state, hence moving the version to mainline, to triage the same and take appropriate actions.
Comment 3 Worker Ant 2020-03-12 12:39:33 UTC 
This bug is moved to https://github.com/gluster/glusterfs/issues/921, and will be tracked there from now on. Visit GitHub issues URL for further details