Bug 1284701 - FUSE mount does not honor all user groups
FUSE mount does not honor all user groups
Status: NEW
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: fuse (Show other bugs)
unspecified
All Linux
unspecified Severity medium
: ---
: ---
Assigned To: Bug Updates Notification Mailing List
storage-qa-internal@redhat.com
: ZStream
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-23 18:39 EST by Jared Hancock
Modified: 2018-01-12 13:14 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jared Hancock 2015-11-23 18:39:15 EST
Description of problem:
If a user is a member of more than 32 groups, the total groups list is not inspected by the Gluster FUSE mount. I know this was recently mitigated with Gluster version 3.6 with the --resolve-gids mount option. fuse-helpers.c line 146 (https://github.com/gluster/glusterfs/blob/master/xlators/mount/fuse/src/fuse-helpers.c#L146) seems to limit this to 32 specifically; however, the modern Linux kernel does not seem to maintain the limit at 32 (see include/linux/cred.h line 36 (https://github.com/torvalds/linux/blob/master/include/linux/cred.h#L36)). In Linux the first block of gids is limited to 32 groups, but more than 32 groups are maintained in memory and are reported by /proc/xxx/status. For example, my user is a member of 50 groups:

$ cat /proc/25894/status
...
Groups: 100513 102561 103023 118135 118141 118142 118157 118161 118170 118195 118199 118203 118737 118749 118824 119007 120104 120443 120486 121200 121220 121424 121438 122073 122085 122088 122116 122138 122139 122148 122153 122373 122450 131270 132517 132518 132519 132520 132521 132522 132523 132524 132525 132533 132535 132538 132540 134566 201116 201122
...


Version-Release number of selected component (if applicable):
Linux 4.1.7
GlusterFS 3.6.5

How reproducible:
Always: Create a user with and associate with more than 32 groups

Steps to Reproduce:
1. Mount a Gluster volume with FUSE
2. Create a folder, change group owner or set ACLs
3. Attempt to access it by a user who is a member of the group with access

Actual results:
bcs-nas shares # sudo -u DOMAIN/c5232 ls -l opr
ls: cannot open directory opr: Permission denied


Expected results:
ctoc-nas shares # sudo -u DOMAIN/c5232 ls -l opr
total 0

Additional info:
I was able to build the source changing the FUSE_MAX_AUX_GROUPS to 80 on my system and am able to use FUSE with ACLs and my enormous group listing without any other modification. The host named `ctoc-nas` in the above "Expected Results" is using the modified codebase.
Comment 2 Jared Hancock 2015-11-24 11:15:45 EST
I created a pull request at the glusterfs repo, https://github.com/gluster/glusterfs/pull/41, which suggests dropping the 32 limit in favor of the limit imposed when using the `resolve-gids` switch.

Note You need to log in before you can comment on or make changes to this bug.