+++ This bug was initially created as a clone of Bug #1459971 +++ Description of problem: Similar to system.posix_acl_* xattrs, all users should be able to read virtual acl xattrs too (glusterfs.posix-acl-*). Otherwise it shall result in EACCESS error when any non-root user is trying to ACL of any file created under gluster volume. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Start NFS-ganesha using a non-root user 2. Export a volume via NFS-Ganesha 3. Mount the volume using NFSv4 4. Try to read/get acl. Actual results: It results in "Permission denied" error. Expected results: All users should be able to read POSIX ACLs for any file. Additional info:
Patch posted upstream for review - https://review.gluster.org/17493
I believe this issue blocks BZ 1450836 and given the later is already approved for rhgs-3.3.0, this bug needs to be fixed for rhgs-3.3.0 and hence giving devel_ack.
Downstream patch: https://code.engineering.redhat.com/gerrit/108787
Verified this bug on # rpm -qa | grep ganesha glusterfs-ganesha-3.8.4-34.el7rhgs.x86_64 nfs-ganesha-2.4.4-16.el7rhgs.x86_64 nfs-ganesha-gluster-2.4.4-16.el7rhgs.x86_64 ----------- Reproduced on 3.2 ----------- [root@dhcp37-192 posix]# touch ms [root@dhcp37-192 posix]# ll total 0 -rw-r--r--. 1 root root 0 Jul 24 13:07 ms [root@dhcp37-192 posix]# chmod 700 ms [root@dhcp37-192 posix]# ll total 0 -rwx------. 1 root root 0 Jul 24 13:07 ms [root@dhcp37-192 posix]# getfattr -n glusterfs.posix.acl /mnt/ganesha32_async/posix/ms getfattr: Removing leading '/' from absolute path names # file: mnt/ganesha32_async/posix/ms glusterfs.posix.acl="u::rwx,g::---,o::---" [root@dhcp37-192 posix]# su user1 [user1@dhcp37-192 posix]$ getfattr -n glusterfs.posix.acl /mnt/ganesha32_async/posix/ms /mnt/ganesha32_async/posix/ms: glusterfs.posix.acl: Permission denied [user1@dhcp37-192 posix]$ =================================== ---------- Verified on 3.3. ---------- [root@dhcp37-192 posix]# touch ms [root@dhcp37-192 posix]# ll total 0 -rw-r--r--. 1 root root 0 Jul 24 13:08 ms [root@dhcp37-192 posix]# chmod 700 ms [root@dhcp37-192 posix]# ll total 0 -rwx------. 1 root root 0 Jul 24 13:08 ms [root@dhcp37-192 posix]# getfattr -n glusterfs.posix.acl /mnt/ganesha33_disperse/posix/ms getfattr: Removing leading '/' from absolute path names # file: mnt/ganesha33_disperse/posix/ms glusterfs.posix.acl="u::rwx,g::---,o::---" [root@dhcp37-192 posix]# su user1 [user1@dhcp37-192 posix]$ getfattr -n glusterfs.posix.acl /mnt/ganesha33_disperse/posix/ms getfattr: Removing leading '/' from absolute path names # file: mnt/ganesha33_disperse/posix/ms glusterfs.posix.acl="u::rwx,g::---,o::---" Moving this bug to verified state.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2774