Bug 1200453 - Permission denied for user with many secondary groups
Status: CLOSED NOTABUG
Alias: None
Product: GlusterFS
Classification: Community
Component: fuse
Version: 3.6.2
Hardware: x86_64
OS: Linux
Assignee: Niels de Vos
Reported: 2015-03-10 15:22 UTC by Aleksey
Modified: 2015-03-18 11:48 UTC (History)
Last Closed: 2015-03-18 11:48:29 UTC

Description Aleksey 2015-03-10 15:22:57 UTC
Description of problem:


Version-Release number of selected component (if applicable):

OS: RHEL5.10 
Gluster 3.5 3.6

How reproducible:

Suppose there is a FUSE client mount point at /glusterfs.
In this directory there are some subdirectories with different
owners/groups, like this:


$ ls -l /glusterfs/
drwxr-x---   testuser1 testuser1  dir1
drwxr-x---   testuser2 testuser2  dir2
drwxr-x---   testuser3 testuser3  dir3
drwxr-x---   testuser4 testuser4  dir4
........
drwxr-x---   testuser200 testuser200  dir200

Note that all directories have mode 750.
Next create user:
useradd testuser 
usermod -a -G testuser1, .... ,testuser200 testuser
su - testuser
ls /glusterfs/dir1

ls: /glusterfs/dir1/: Permission denied


Steps to Reproduce:
1.
2.
3.

Actual results:

Permission denied

Expected results:

User testuser can do ls on the subdirectories from the above example.

Additional info:

Comment 1 Niels de Vos 2015-03-17 12:25:42 UTC
You should be able to get this to work by setting the server.manage-gids volume option. This moves the resolving of all the auxiliary groups to the bricks. By default, the FUSE client sends a list of the groups that the user belongs to, and the RPC protocol limits this list to approx. 93 groups.

See http://review.gluster.org/7202 for a few more details.

Please let me know if this helps you.

Comment 2 Aleksey 2015-03-18 11:01:03 UTC
Thank you very much - now it's working.
But this solution will work only when the same users/groups exist on both machines:
where the block devices are physically mounted as bricks, and on the FUSE client - am I right?

Comment 3 Niels de Vos 2015-03-18 11:48:29 UTC
Yes, using server.manage-gids requires that the servers hosting the bricks for the volume can resolve all the groups of the user by using the UID. The GlusterFS protocol passes the UID (numeric, not the name/string), to getgroups(2).

I think this answers your questions about this problem, therefore I am closing this bug. Thanks, Niels.
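
An added example, not part of the bug thread or the GlusterFS project: a shell audit for the two conditions discussed in comments 1 and 3, namely a user whose group list exceeds the roughly 93 groups the client can send, and a brick server that does not resolve the same groups as the client. The function names, the script arguments, and passing the brick server's `id -G` output as the second argument are assumptions of this example; VOLNAME is a placeholder.

```sh
#!/bin/sh
# Added example (not GlusterFS code). Threshold is the approximate
# figure quoted in comment 1 of this bug.
GROUP_LIMIT=93

# count_groups "<space-separated GIDs>" -> number of distinct GIDs
count_groups() {
    printf '%s\n' "$1" | tr -s ' ' '\n' |
        awk 'NF && !seen[$0]++ { n++ } END { print n + 0 }'
}

# exceeds_limit "<GIDs>" -> exit status 0 when the list is over the limit
exceeds_limit() {
    [ "$(count_groups "$1")" -gt "$GROUP_LIMIT" ]
}

# missing_on_server "<client GIDs>" "<server GIDs>"
# Prints GIDs the client sees for the user but the brick server does not.
# With server.manage-gids on, permission checks use the server's list,
# so every GID printed here is a group the user effectively loses.
missing_on_server() {
    printf '%s\n' "$2" "--" "$1" | tr ' ' '\n' | awk '
        $0 == "--" { client = 1; next }
        !client    { server[$0] = 1; next }
        $0 != "" && !($0 in server) && !seen[$0]++ { out = out sep $0; sep = " " }
        END { print out }'
}

# Usage (hypothetical): ./audit.sh USER ["GIDs from `id -G USER` on a brick server"]
if [ "$#" -ge 1 ]; then
    client_gids=$(id -G "$1") || exit 2
    n=$(count_groups "$client_gids")
    if exceeds_limit "$client_gids"; then
        echo "$1: $n groups, above ~$GROUP_LIMIT; consider:"
        echo "  gluster volume set VOLNAME server.manage-gids on"
    else
        echo "$1: $n groups, within the limit"
    fi
    if [ "$#" -ge 2 ]; then
        gap=$(missing_on_server "$client_gids" "$2")
        if [ -n "$gap" ]; then
            echo "$1: GIDs not resolved on the brick server: $gap"
        fi
    fi
fi
```

Swapping the two arguments of `missing_on_server` lists groups that only the brick server assigns to the user, which matters equally because those memberships grant access the client side does not know about.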

