Bug 1566891 - Set ACL policy in distrubte online will be failed which do check ACL permission
Summary: Set ACL policy in distrubte online will be failed which do check ACL permission
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: GlusterFS
Classification: Community
Component: access-control
Version: mainline
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Susant Kumar Palai
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-13 07:14 UTC by George
Modified: 2020-03-12 12:39 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-12 12:39:33 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:


Attachments (Terms of Use)

Description George 2018-04-13 07:14:27 UTC
Description of problem:

set ACL policy online in client B, and do FOP in client A, most of FOP will be failed while do ACL permission check.

Version-Release number of selected component (if applicable):


How reproducible:
setup glusterFS with replicated, I suppose distribte also exist same issue.
and 2 mount point in 2 node, 
glustefs mount point on node A we called it client A.
glustefs mount point on node B we called it client B

Steps to Reproduce:
Note: If not specify client B, the following action is all on client A.
1)	Mount a direcot /mnt/test on gluste volume test
2)	Create a userid with name acl_usr1 with id 1126, and gourp id 1125
3)	Make sure a directory not root directory be there, let’s say /mnt/test/a
4)	Clear acl set on /mnt/test/a
setfacl --remove-all /mnt/test/a
5)	Su acl_usr1 (user id is 1126)
6)	Cd /mnt/test/a will be failed. (it’s correct.)
7)	On client B , set acl policy 
setfacl -m "g:1125:rwx" /mnt/test/a
8)	On client A cd /mnt/test/a will be success. (it’s correct)
9)	mkdir 111 failed 
bash-4.4$ mkdir 111
mkdir: cannot create directory '111': Permission denied
10)	on client B do this operation again
root@ubuntu:/mnt/test/a# setfacl -m "g:1125:rwx" /mnt/test/a
root@ubuntu:/mnt/test/a# su acl_usr1
acl_usr1@ubuntu:/mnt/test/a$ mkdir 111
mkdir on client B success!
11)	On client A repeat create directory 111,112
bash-4.4$ mkdir 111
mkdir: cannot create directory '111': File exists
bash-4.4$ mkdir 112
mkdir: cannot create directory '112': Permission denied



Actual results:
mkdir a new directory failed when ACL is set the right permission

Expected results:
mkdir a new directory SHALL be success when ACL is set the right permission


Additional info:

Comment 1 George 2018-04-13 07:22:04 UTC
From the code study for posix-acl Xlator part, I have some concern for the following 2 point.
1)     Configure item “md-cache.cache-posix-acl” is not implement , though the item is defined in md-cache xlator.
2)     There are more logic in posix_acl_FOP(posix_acl_lookup,posix_acl_create, and so on)  have the following code script:
        if (acl_permits (frame, loc->parent, POSIX_ACL_EXECUTE))
                goto green;
        else
                goto red;
 
the above code will check the inode’s parent acl whether the ACL policy is met or not,  but if we set the ACL policy on the other client, 
the current client(mount point, glusterfs process) have no chance to get the ACL policy of parent inode in most case with the current implement of glusterfs , 
 
I suppose when ACL disabled, the lookup and getattr FOP for parent inode will be reduced due to  performance consider, but when ACL enabled, it will lead to ACL policy issue.

and 2 question:
1) do glusterfs support ACL distribute cases?
2) if yes, have there test case agaient distribute ACL setting online case?

Comment 2 Shyamsundar 2018-10-23 14:54:11 UTC
Release 3.12 has been EOLd and this bug was still found to be in the NEW state, hence moving the version to mainline, to triage the same and take appropriate actions.

Comment 3 Worker Ant 2020-03-12 12:39:33 UTC
This bug is moved to https://github.com/gluster/glusterfs/issues/921, and will be tracked there from now on. Visit GitHub issues URL for further details


Note You need to log in before you can comment on or make changes to this bug.