Bug 961670

Summary: fuse-root-squash: read happens even
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: Saurabh <saujain>
Component: glusterdAssignee: Bug Updates Notification Mailing List <rhs-bugs>
Status: CLOSED EOL QA Contact: Saurabh <saujain>
Severity: high Docs Contact:
Priority: high    
Version: 2.1CC: mzywusko, rhs-bugs, rwheeler, vbellur
Target Milestone: ---Keywords: ZStream
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
Cause: open-behind delaying the open calls Consequence: in fuse when root-squash is enabled, the file can be read even though it does not have read permissions i.e root requests will be converted to nfsnobody and as per the file permissions nfsnobody does not have the read permission. Workaround (if any): Turn off open-behind Result: With open-behind turned off it behaves properly i.e file with no read permissions for others cannot be read upon requests getting root-squashed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-03 17:25:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Saurabh 2013-05-10 08:56:19 UTC 
Description of problem:
root-squash enabled and still from fuse mount the file can be read whereas from nfs mount point it works fine

Version-Release number of selected component (if applicable):
glusterfs-3.4.0.5rhs-1.el6rhs.x86_64

How reproducible:
Happening on this build, always.

Steps to Reproduce:
1. volume create, start volume
2. nfs and fuse mount on different clients
3. on nfs mount, create a file "f"
4. on nfs mount point, chmod 700 f
5. root-squash enable
6. on nfs mount , cat a and cat >> a
7. on fuse mount, cat a and cat >> a
  
Actual results:
logs of nfs mount,
[root@rhel6 nfs-test]# cat a
cat: a: Permission denied
[root@rhel6 nfs-test]# cat >> a
-bash: a: Permission denied
[root@rhel6 nfs-test]#

logs of fuse mount,
[root@rhsauto020 glusterfs-test]# cat a
Hello World
I am here
[root@rhsauto020 glusterfs-test]# 
[root@rhsauto020 glusterfs-test]# cat >> a
boom 
cat: write error: Permission denied
cat: write error: Permission denied
[root@rhsauto020 glusterfs-test]# 

[root@rhsauto020 glusterfs-test]# ls -l
total 1
-rwx------. 1 root root 22 May 10 07:22 a
drwxr-xr-x. 2 root root 36 May 10 07:01 dir
-rw-r--r--. 1 root root  0 May 10 14:12 l


/var/log/glusterfs/<mount-point>.log

[2013-05-10 08:46:56.687226] I [client-handshake.c:450:client_set_lk_version_cbk] 0-dist-rep-client-10: Server lk version = 1
[2013-05-10 08:47:32.699920] W [client-rpc-fops.c:464:client3_3_open_cbk] 0-dist-rep-client-10: remote operation failed: Permission denied. Path: /a (2e2463f0-c62f-4400-b27e-77f014e7f2bd)
[2013-05-10 08:47:32.700066] W [client-rpc-fops.c:464:client3_3_open_cbk] 0-dist-rep-client-11: remote operation failed: Permission denied. Path: /a (2e2463f0-c62f-4400-b27e-77f014e7f2bd)
[2013-05-10 08:47:32.700129] W [fuse-bridge.c:2127:fuse_writev_cbk] 0-glusterfs-fuse: 252: WRITE => -1 (Permission denied)
[2013-05-10 08:47:32.700884] W [fuse-bridge.c:1132:fuse_err_cbk] 0-glusterfs-fuse: 253: FLUSH() ERR => -1 (Permission denied)
[2013-05-10 08:47:43.946713] W [client-rpc-fops.c:2058:client3_3_create_cbk] 0-dist-rep-client-0: remote operation failed: Permission denied. Path: /m
[2013-05-10 08:47:43.946969] W [client-rpc-fops.c:2058:client3_3_create_cbk] 0-dist-rep-client-1: remote operation failed: Permission denied. Path: /m
[2013-05-10 08:47:43.947048] W [fuse-bridge.c:1829:fuse_create_cbk] 0-glusterfs-fuse: 257: /m => -1 (Permission denied)
[2013-05-10 08:47:43.948254] W [defaults.c:1291:default_release] (-->/usr/lib64/glusterfs/3.4.0.4rhs/xlator/cluster/replicate.so(afr_create_done+0x13d) [0x7fd6af776c3d] (-->/usr/lib64/glusterfs/3.4.0.4rhs/xlator/cluster/replicate.so(afr_local_cleanup+0x15c) [0x7fd6af7aecac] (-->/usr/lib64/libglusterfs.so.0(fd_unref+0x144) [0x7fd6b63f8c24]))) 0-fuse: xlator does not implement release_cbk
[2013-05-10 08:49:46.261745] W [client-rpc-fops.c:464:client3_3_open_cbk] 0-dist-rep-client-11: remote operation failed: Permission denied. Path: /a (2e2463f0-c62f-4400-b27e-77f014e7f2bd)
[2013-05-10 08:49:46.261866] W [client-rpc-fops.c:464:client3_3_open_cbk] 0-dist-rep-client-10: remote operation failed: Permission denied. Path: /a (2e2463f0-c62f-4400-b27e-77f014e7f2bd)
[2013-05-10 08:49:46.261924] W [fuse-bridge.c:2127:fuse_writev_cbk] 0-glusterfs-fuse: 287: WRITE => -1 (Permission denied)
[2013-05-10 08:49:46.262766] W [fuse-bridge.c:1132:fuse_err_cbk] 0-glusterfs-fuse: 288: FLUSH() ERR => -1 (Permission denied)


Expected results:

the read is suppose to fail, write should not wait for write and say "Permission Denied", rather an attempt to write should fail directly.

Additional info:
Comment 2 Raghavendra Bhat 2013-05-13 11:47:04 UTC 
Can you please turn off open-behind xlator and check if the same issue happens?
Comment 5 Raghavendra Bhat 2013-05-15 11:24:16 UTC 
I repeated the below steps:

1. volume create, start volume
2. fuse mount
3. on fuse mount, create a file "f"
4. on fuse mount point, chmod 700 f
5. root-squash enable
6. turn off open-behind.
6. on fuse mount , cat a and cat >> a

I got the proper o/p as mentioned in comment #1.

cat file
cat: file: Permission denied
[root@hp-dl380pgen8-02-vm-12 glusterfs]# cat >> file
bash: file: Permission denied

ls -l file
-rwx------ 1 root root 5 May 15 07:19 file


Volume Name: mirror
Type: Replicate
Volume ID: 46d13827-7b3b-4dc9-a599-85e299e089d4
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: hp-dl380pgen8-02-vm-11.lab.bos.redhat.com:/export/mirror
Brick2: hp-dl380pgen8-02-vm-13.lab.bos.redhat.com:/export/mirror
Options Reconfigured:
performance.open-behind: off
server.root-squash: enable

As of now the work around for the issue is turning off open-behind.
Comment 6 Vivek Agarwal 2015-12-03 17:25:00 UTC 
Thank you for submitting this issue for consideration in Red Hat Gluster Storage. The release for which you requested us to review, is now End of Life. Please See https://access.redhat.com/support/policy/updates/rhs/

If you can reproduce this bug against a currently maintained version of Red Hat Gluster Storage, please feel free to file a new report against the current release.