Description of problem:
set ACL policy online in client B, and do FOP in client A, most of FOP will be failed while do ACL permission check.
Version-Release number of selected component (if applicable):
setup glusterFS with replicated, I suppose distribte also exist same issue.
and 2 mount point in 2 node,
glustefs mount point on node A we called it client A.
glustefs mount point on node B we called it client B
Steps to Reproduce:
Note: If not specify client B, the following action is all on client A.
1) Mount a direcot /mnt/test on gluste volume test
2) Create a userid with name acl_usr1 with id 1126, and gourp id 1125
3) Make sure a directory not root directory be there, let’s say /mnt/test/a
4) Clear acl set on /mnt/test/a
setfacl --remove-all /mnt/test/a
5) Su acl_usr1 (user id is 1126)
6) Cd /mnt/test/a will be failed. (it’s correct.)
7) On client B , set acl policy
setfacl -m "g:1125:rwx" /mnt/test/a
8) On client A cd /mnt/test/a will be success. (it’s correct)
9) mkdir 111 failed
bash-4.4$ mkdir 111
mkdir: cannot create directory '111': Permission denied
10) on client B do this operation again
root@ubuntu:/mnt/test/a# setfacl -m "g:1125:rwx" /mnt/test/a
root@ubuntu:/mnt/test/a# su acl_usr1
acl_usr1@ubuntu:/mnt/test/a$ mkdir 111
mkdir on client B success!
11) On client A repeat create directory 111,112
bash-4.4$ mkdir 111
mkdir: cannot create directory '111': File exists
bash-4.4$ mkdir 112
mkdir: cannot create directory '112': Permission denied
mkdir a new directory failed when ACL is set the right permission
mkdir a new directory SHALL be success when ACL is set the right permission
From the code study for posix-acl Xlator part, I have some concern for the following 2 point.
1) Configure item “md-cache.cache-posix-acl” is not implement , though the item is defined in md-cache xlator.
2) There are more logic in posix_acl_FOP(posix_acl_lookup,posix_acl_create, and so on) have the following code script:
if (acl_permits (frame, loc->parent, POSIX_ACL_EXECUTE))
the above code will check the inode’s parent acl whether the ACL policy is met or not, but if we set the ACL policy on the other client,
the current client(mount point, glusterfs process) have no chance to get the ACL policy of parent inode in most case with the current implement of glusterfs ,
I suppose when ACL disabled, the lookup and getattr FOP for parent inode will be reduced due to performance consider, but when ACL enabled, it will lead to ACL policy issue.
and 2 question:
1) do glusterfs support ACL distribute cases?
2) if yes, have there test case agaient distribute ACL setting online case?
Release 3.12 has been EOLd and this bug was still found to be in the NEW state, hence moving the version to mainline, to triage the same and take appropriate actions.
This bug is moved to https://github.com/gluster/glusterfs/issues/921, and will be tracked there from now on. Visit GitHub issues URL for further details