Description of problem: set ACL policy online in client B, and do FOP in client A, most of FOP will be failed while do ACL permission check. Version-Release number of selected component (if applicable): How reproducible: setup glusterFS with replicated, I suppose distribte also exist same issue. and 2 mount point in 2 node, glustefs mount point on node A we called it client A. glustefs mount point on node B we called it client B Steps to Reproduce: Note: If not specify client B, the following action is all on client A. 1) Mount a direcot /mnt/test on gluste volume test 2) Create a userid with name acl_usr1 with id 1126, and gourp id 1125 3) Make sure a directory not root directory be there, let’s say /mnt/test/a 4) Clear acl set on /mnt/test/a setfacl --remove-all /mnt/test/a 5) Su acl_usr1 (user id is 1126) 6) Cd /mnt/test/a will be failed. (it’s correct.) 7) On client B , set acl policy setfacl -m "g:1125:rwx" /mnt/test/a 8) On client A cd /mnt/test/a will be success. (it’s correct) 9) mkdir 111 failed bash-4.4$ mkdir 111 mkdir: cannot create directory '111': Permission denied 10) on client B do this operation again root@ubuntu:/mnt/test/a# setfacl -m "g:1125:rwx" /mnt/test/a root@ubuntu:/mnt/test/a# su acl_usr1 acl_usr1@ubuntu:/mnt/test/a$ mkdir 111 mkdir on client B success! 11) On client A repeat create directory 111,112 bash-4.4$ mkdir 111 mkdir: cannot create directory '111': File exists bash-4.4$ mkdir 112 mkdir: cannot create directory '112': Permission denied Actual results: mkdir a new directory failed when ACL is set the right permission Expected results: mkdir a new directory SHALL be success when ACL is set the right permission Additional info:
From the code study for posix-acl Xlator part, I have some concern for the following 2 point. 1) Configure item “md-cache.cache-posix-acl” is not implement , though the item is defined in md-cache xlator. 2) There are more logic in posix_acl_FOP(posix_acl_lookup,posix_acl_create, and so on) have the following code script: if (acl_permits (frame, loc->parent, POSIX_ACL_EXECUTE)) goto green; else goto red; the above code will check the inode’s parent acl whether the ACL policy is met or not, but if we set the ACL policy on the other client, the current client(mount point, glusterfs process) have no chance to get the ACL policy of parent inode in most case with the current implement of glusterfs , I suppose when ACL disabled, the lookup and getattr FOP for parent inode will be reduced due to performance consider, but when ACL enabled, it will lead to ACL policy issue. and 2 question: 1) do glusterfs support ACL distribute cases? 2) if yes, have there test case agaient distribute ACL setting online case?
Release 3.12 has been EOLd and this bug was still found to be in the NEW state, hence moving the version to mainline, to triage the same and take appropriate actions.
This bug is moved to https://github.com/gluster/glusterfs/issues/921, and will be tracked there from now on. Visit GitHub issues URL for further details