Some time ago, a user asked about whether GlusterFS could support ACLs enforced on the server side instead of the client side. It turned out that most of the code was already there, and - with some help from Avati - I was able to verify that it worked. However, we agreed that it was unsuitable for this to be default behavior, so some work remained to make it run-time configurable. I have now done that work, with the result in the GitHub pull request at this bug's reference URL. I'll repeat the commit/pull-request comment here for posterity.

---

By default, the behavior is the same as currently - ACLs are interpreted and enforced on the client. To use server-side ACLs:

(1) Make sure that your server-side filesystems support the "acl" option and are mounted with it.

(2) Add "option use-set-fsid true" to all of your server-side storage/posix translators.

(3) Mount with "-o default-permissions=false" on the client side.

Note that the GlusterFS native protocol has no way to transmit supplementary group IDs, so accesses relying on those might fail even if the ACL is set correctly. This might be the subject of a future patch.
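
A check for step (2) above, as an added example that is not part of the original comment or of the GlusterFS code base: it parses a brick volfile and lists every storage/posix translator that lacks "option use-set-fsid true". The sample volfile, its volume names and the function names are constructed for illustration, and the volume/type/option/end-volume layout with "#" comments is assumed.

```python
# Constructed sample brick volfile (not from the page): two storage/posix
# translators, only the first carries the option from step (2).
SAMPLE_VOLFILE = """\
volume brick1-posix
  type storage/posix
  option directory /export/brick1
  option use-set-fsid true
end-volume

volume brick2-posix
  type storage/posix
  option directory /export/brick2
end-volume

volume brick1-locks
  type features/locks
  subvolumes brick1-posix
end-volume
"""

def parse_volfile(text):
    """Return {volume_name: {"type": str or None, "options": {key: value}}}."""
    volumes, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        words = line.split(None, 2)
        if words[0] == "volume" and len(words) >= 2:
            current = volumes.setdefault(words[1], {"type": None, "options": {}})
        elif words[0] == "end-volume":
            current = None
        elif current is not None and words[0] == "type" and len(words) >= 2:
            current["type"] = words[1]
        elif current is not None and words[0] == "option" and len(words) == 3:
            current["options"][words[1]] = words[2]
    return volumes

def posix_without_set_fsid(text):
    """Names of storage/posix translators lacking 'option use-set-fsid true'.
    Only the spelling "true" given in the comment above is accepted."""
    return sorted(
        name for name, vol in parse_volfile(text).items()
        if vol["type"] == "storage/posix"
        and vol["options"].get("use-set-fsid", "").lower() != "true"
    )

if __name__ == "__main__":
    for name in posix_without_set_fsid(SAMPLE_VOLFILE):
        print(f"{name}: missing 'option use-set-fsid true'")
```

A brick flagged here does not satisfy step (2) of the comment, so it is worth running the check against every server's volfile before mounting clients with "-o default-permissions=false".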
PATCH: http://patches.gluster.com/patch/7721 in release-3.2 (byte-order: htole*/letoh* and htobe*/betoh* for forced endian conversions)
PATCH: http://patches.gluster.com/patch/7722 in release-3.2 (dht: set linkto xattr with linkfile create (mknod))
PATCH: http://patches.gluster.com/patch/7723 in release-3.2 (fuse: fill frame->root->groups with aux gids of the process)
PATCH: http://patches.gluster.com/patch/7724 in release-3.2 (fuse: introduce "noacl" option to disable ACL checks)
PATCH: http://patches.gluster.com/patch/7725 in release-3.2 (storage/posix: set ACL keys during new entry/inode creations)
PATCH: http://patches.gluster.com/patch/7726 in release-3.2 (posix-acl: implementation of POSIX ACL as a translator)
PATCH: http://patches.gluster.com/patch/7727 in release-3.2 (access-control: superseded by posix-acl translator)
PATCH: http://patches.gluster.com/patch/7728 in release-3.2 (glusterfs: add --acl command line option to load ACLs on the client side)
PATCH: http://patches.gluster.com/patch/7729 in release-3.2 (mount.glusterfs: support -o acl parameter)
PATCH: http://patches.gluster.com/patch/7730 in master (byte-order: htole*/letoh* and htobe*/betoh* for forced endian conversions)
PATCH: http://patches.gluster.com/patch/7731 in master (dht: set linkto xattr with linkfile create (mknod))
PATCH: http://patches.gluster.com/patch/7732 in master (fuse: fill frame->root->groups with aux gids of the process)
PATCH: http://patches.gluster.com/patch/7798 in master (fuse: introduce "noacl" option to disable ACL checks)
PATCH: http://patches.gluster.com/patch/7734 in master (storage/posix: set ACL keys during new entry/inode creations)
PATCH: http://patches.gluster.com/patch/7735 in master (posix-acl: implementation of POSIX ACL as a translator)
PATCH: http://patches.gluster.com/patch/7736 in master (access-control: superseded by posix-acl translator)
PATCH: http://patches.gluster.com/patch/7737 in master (glusterfs: add --acl command line option to load ACLs on the client side)
PATCH: http://patches.gluster.com/patch/7738 in master (mount.glusterfs: support -o acl parameter)
PATCH: http://patches.gluster.com/patch/7810 in release-3.2 (posix-acl: perform access checks on read/write/truncate for NFS calls)
PATCH: http://patches.gluster.com/patch/7883 in master (posix-acl: perform access checks on read/write/truncate for NFS calls)
CHANGE: http://review.gluster.com/332 (In configurations with a uid mapper, super user ID could be mapped) merged in master by Anand Avati (avati)
already in 3.2.x branch, and also in upstream