NFSv4 ACL support in CSI PowerStore

docker-files/Dockerfile.centos

@@ -14,7 +14,7 @@ LABEL vendor="Dell Inc." \
 COPY licenses /licenses
 
 # dependencies, following by cleaning the cache
-RUN echo "%_netsharedpath /sys:/proc" >> /etc/rpm/macros.dist && yum update -y && yum install -y e2fsprogs xfsprogs nfs-utils which device-mapper-multipath \
+RUN echo "%_netsharedpath /sys:/proc" >> /etc/rpm/macros.dist && yum update -y && yum install -y e2fsprogs xfsprogs nfs-utils nfs4-acl-tools acl which device-mapper-multipath \
     && \
     yum clean all \
     && \

docker-files/Dockerfile.ubi

@@ -15,7 +15,7 @@ COPY licenses /licenses
 # dependencies, following by cleaning the cache
 RUN yum update -y \
     && \
-    yum install -y e2fsprogs xfsprogs nfs-utils which device-mapper-multipath \
+    yum install -y e2fsprogs xfsprogs nfs-utils nfs4-acl-tools acl which device-mapper-multipath \
     && \
     yum clean all \
     && \

docker-files/Dockerfile.ubi.alt

@@ -25,6 +25,8 @@ RUN yum -y update && \
 	e2fsprogs.x86_64 \
 	xfsprogs.x86_64 \
 	nfs-utils.x86_64 \
+	nfs4-acl-tools \
+	acl \
 	which \
 	device-mapper-multipath \
 	&& \

docker-files/Dockerfile.ubi.min

@@ -19,6 +19,8 @@ RUN microdnf update -y \
 	e2fsprogs \
 	xfsprogs \
 	nfs-utils \
+    nfs4-acl-tools \
+    acl \
 	which \
 	device-mapper-multipath \
 	&& \

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/dell/gocsi v1.5.0
 	github.com/dell/gofsutil v1.7.1-0.20220204052137-9928a2dc48d8
 	github.com/dell/goiscsi v1.2.0
-	github.com/dell/gopowerstore v1.6.1-0.20211223095101-c47391fc979f
+	github.com/dell/gopowerstore v1.6.1-0.20220214164327-12bc4206c198
 	github.com/fsnotify/fsnotify v1.4.9
 	github.com/golang/mock v1.4.4
 	github.com/golang/protobuf v1.5.2

go.sum

@@ -83,8 +83,8 @@ github.com/dell/gofsutil v1.7.1-0.20220204052137-9928a2dc48d8/go.mod h1:0tAefmK/
 github.com/dell/goiscsi v1.1.0/go.mod h1:MfuMjbKWsh/MOb0VDW20C+LFYRIOfWKGiAxWkeM5TKo=
 github.com/dell/goiscsi v1.2.0 h1:ocQs4pz2Fw2vr73RVAQBKwpN468SK4TZHPLhU7/FB9A=
 github.com/dell/goiscsi v1.2.0/go.mod h1:MfuMjbKWsh/MOb0VDW20C+LFYRIOfWKGiAxWkeM5TKo=
-github.com/dell/gopowerstore v1.6.1-0.20211223095101-c47391fc979f h1:F+aAuMlcTUV/F6eWYoM94+I6MR94gVE3g8ZY65DGzbE=
-github.com/dell/gopowerstore v1.6.1-0.20211223095101-c47391fc979f/go.mod h1:0ziQJ1iuZYDV+P53ua+VeH+rIylYT9WNjGSI/7aPly0=
+github.com/dell/gopowerstore v1.6.1-0.20220214164327-12bc4206c198 h1:yOIMDcJ9fjuBHytDf32rjowoL8WM1VPuB7Yh8TYG1eU=
+github.com/dell/gopowerstore v1.6.1-0.20220214164327-12bc4206c198/go.mod h1:0ziQJ1iuZYDV+P53ua+VeH+rIylYT9WNjGSI/7aPly0=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=

helm/csi-powerstore/templates/controller.yaml

@@ -272,6 +272,8 @@ spec:
               value: {{ .Values.driverName }}
             - name: X_CSI_POWERSTORE_EXTERNAL_ACCESS
               value: {{ .Values.externalAccess }}
+            - name: X_CSI_NFS_ACLS
+              value: "{{ .Values.nfsAcls }}"
             - name: X_CSI_POWERSTORE_CONFIG_PATH
               value: /powerstore-config/config
             - name: X_CSI_POWERSTORE_CONFIG_PARAMS_PATH

helm/csi-powerstore/values.yaml

@@ -34,6 +34,21 @@ externalAccess:
 # Default value: None
 imagePullPolicy: IfNotPresent
 
+# nfsAcls: enables setting permissions on NFS mount directory
+# This value acts as default value for NFS ACL (nfsAcls), if not specified for an array config in secret
+# Permissions can be specified in two formats:
+#   1) Unix mode (NFSv3)
+#   2) NFSv4 ACLs (NFSv4)
+#      NFSv4 ACLs are supported on NFSv4 share only.
+# Allowed values:
+#   1) Unix mode: valid octal mode number
+#      Examples: "0777", "777", "0755"
+#   2) NFSv4 acls: valid NFSv4 acls, seperated by comma
+#      Examples: "A::OWNER@:RWX,A::GROUP@:RWX", "A::OWNER@:rxtncy"
+# Optional: true
+# Default value: "0777"
+nfsAcls: "0777"
+
 # controller: configure controller specific parameters
 controller:
   # controllerCount: defines the number of csi-powerscale controller pods to deploy to

pkg/array/array.go

@@ -116,6 +116,7 @@ type PowerStoreArray struct {
 	BlockProtocol common.TransportType `yaml:"blockProtocol"`
 	Insecure      bool                 `yaml:"skipCertificateValidation"`
 	IsDefault     bool                 `yaml:"isDefault"`
+	NfsAcls       string               `yaml:"nfsAcls"`
 
 	Client gopowerstore.Client
 	IP     string

pkg/common/common.go

@@ -72,6 +72,10 @@ const (
 	KeyArrayVolumeName = "Name"
 	// KeyProtocol key value to check in request parameters for volume name
 	KeyProtocol = "Protocol"
+	// KeyNfsACL key value to specify NFS ACLs for NFS volume
+	KeyNfsACL = "nfsAcls"
+	// KeyNasName key value to specify NAS server name
+	KeyNasName = "nasName"
 	// VerboseName longer description of the driver
 	VerboseName = "CSI Driver for Dell EMC PowerStore"
 	// FcTransport indicates that FC is chosen as a SCSI transport protocol

pkg/common/envvars.go

@@ -82,4 +82,7 @@ const (
 
 	// EnvIsHealthMonitorEnabled specifies if health monitor is enabled.
 	EnvIsHealthMonitorEnabled = "X_CSI_HEALTH_MONITOR_ENABLED"
+
+	// EnvNfsAcls specifies acls to be set on NFS mount directory
+	EnvNfsAcls = "X_CSI_NFS_ACLS"
 )

pkg/controller/controller.go

@@ -58,6 +58,7 @@ type Service struct {
 	Fs fs.Interface
 
 	externalAccess string
+	nfsAcls        string
 
 	array.Locker
 
@@ -85,6 +86,13 @@ func (s *Service) Init() error {
 		s.isHealthMonitorEnabled, _ = strconv.ParseBool(isHealthMonitorEnabled)
 	}
 
+	s.nfsAcls = ""
+	if nfsAcls, ok := csictx.LookupEnv(ctx, common.EnvNfsAcls); ok {
+		if nfsAcls != "" {
+			s.nfsAcls = nfsAcls
+		}
+	}
+
 	return nil
 }
 
@@ -132,6 +140,7 @@ func (s *Service) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest
 	var creator VolumeCreator
 	var protocol string
 
+	nfsAcls := s.nfsAcls
 	if useNFS {
 		protocol = "nfs"
 		nasParamsName, ok := params[KeyNasName]
@@ -144,6 +153,12 @@ func (s *Service) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest
 				nasName: arr.GetNasName(),
 			}
 		}
+
+		if params[common.KeyNfsACL] != "" {
+			nfsAcls = params[common.KeyNfsACL] // Storage class takes precedence
+		} else if arr.NfsAcls != "" {
+			nfsAcls = arr.NfsAcls // Secrets next
+		}
 	} else {
 		protocol = "scsi"
 		creator = &SCSICreator{}
@@ -308,6 +323,12 @@ func (s *Service) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest
 	volumeResponse.VolumeContext[common.KeyArrayID] = arr.GetGlobalID()
 	volumeResponse.VolumeContext[common.KeyArrayVolumeName] = req.Name
 	volumeResponse.VolumeContext[common.KeyProtocol] = protocol
+
+	if useNFS {
+		volumeResponse.VolumeContext[common.KeyNfsACL] = nfsAcls
+		volumeResponse.VolumeContext[common.KeyNasName] = arr.GetNasName()
+	}
+
 	volumeResponse.VolumeId = volumeResponse.VolumeId + "/" + arr.GetGlobalID() + "/" + protocol
 	volumeResponse.AccessibleTopology = topology
 	return &csi.CreateVolumeResponse{

pkg/controller/controller_test.go

@@ -75,6 +75,8 @@ const (
 	validReplicationPrefix    = "/" + controller.KeyReplicationEnabled
 	validVolumeGroupName      = "VGName"
 	validRemoteSystemGlobalID = "PS111111111111"
+	validNfsAcls              = "A::OWNER@:RWX"
+	validNfsServerID          = "24aefac2-a796-47dc-886a-c73ff8c1a671"
 )
 
 var (
@@ -119,6 +121,7 @@ func setVariables() {
 	arrays[secondValidID] = second
 
 	csictx.Setenv(context.Background(), common.EnvReplicationPrefix, "replication.storage.dell.com")
+	csictx.Setenv(context.Background(), common.EnvNfsAcls, "A::OWNER@:RWX")
 
 	ctrlSvc = &controller.Service{Fs: fsMock}
 	ctrlSvc.SetArrays(arrays)
@@ -388,6 +391,126 @@ var _ = Describe("CSIControllerService", func() {
 							common.KeyArrayVolumeName: "my-vol",
 							common.KeyProtocol:        "nfs",
 							common.KeyArrayID:         secondValidID,
+							common.KeyNfsACL:          "A::OWNER@:RWX",
+							common.KeyNasName:         validNasName,
+						},
+					},
+				}))
+			})
+		})
+
+		When("creating nfs volume with NFS acls in array config and storage class", func() {
+			It("should successfully create nfs volume with storage class NFS acls in volume response", func() {
+				clientMock.On("GetNASByName", mock.Anything, validNasName).Return(gopowerstore.NAS{ID: validNasID}, nil)
+				clientMock.On("CreateFS", mock.Anything, mock.Anything).Return(gopowerstore.CreateResponse{ID: validBaseVolID}, nil)
+				clientMock.On("GetNfsServer", mock.Anything, mock.Anything).Return(gopowerstore.NFSServerInstance{Id: validNfsServerID, IsNFSv4Enabled: true}, nil)
+
+				ctrlSvc.Arrays()[secondValidID].NfsAcls = "A::GROUP@:RWX"
+
+				req := getTypicalCreateVolumeNFSRequest("my-vol", validVolSize)
+				req.Parameters[common.KeyNfsACL] = "0777"
+				req.Parameters[common.KeyArrayID] = secondValidID
+
+				res, err := ctrlSvc.CreateVolume(context.Background(), req)
+				Expect(err).To(BeNil())
+				Expect(res).To(Equal(&csi.CreateVolumeResponse{
+					Volume: &csi.Volume{
+						CapacityBytes: validVolSize,
+						VolumeId:      filepath.Join(validBaseVolID, secondValidID, "nfs"),
+						VolumeContext: map[string]string{
+							common.KeyArrayVolumeName: "my-vol",
+							common.KeyProtocol:        "nfs",
+							common.KeyArrayID:         secondValidID,
+							common.KeyNfsACL:          "0777",
+							common.KeyNasName:         validNasName,
+						},
+					},
+				}))
+			})
+		})
+
+		When("creating nfs volume with NFS acls in array config and not in storage class", func() {
+			It("should successfully create nfs volume with array config NFS acls in volume response", func() {
+				clientMock.On("GetNASByName", mock.Anything, validNasName).Return(gopowerstore.NAS{ID: validNasID}, nil)
+				clientMock.On("CreateFS", mock.Anything, mock.Anything).Return(gopowerstore.CreateResponse{ID: validBaseVolID}, nil)
+				clientMock.On("GetNfsServer", mock.Anything, mock.Anything).Return(gopowerstore.NFSServerInstance{Id: validNfsServerID, IsNFSv4Enabled: true}, nil)
+
+				ctrlSvc.Arrays()[secondValidID].NfsAcls = "A::GROUP@:RWX"
+
+				req := getTypicalCreateVolumeNFSRequest("my-vol", validVolSize)
+				req.Parameters[common.KeyArrayID] = secondValidID
+
+				res, err := ctrlSvc.CreateVolume(context.Background(), req)
+				Expect(err).To(BeNil())
+				Expect(res).To(Equal(&csi.CreateVolumeResponse{
+					Volume: &csi.Volume{
+						CapacityBytes: validVolSize,
+						VolumeId:      filepath.Join(validBaseVolID, secondValidID, "nfs"),
+						VolumeContext: map[string]string{
+							common.KeyArrayVolumeName: "my-vol",
+							common.KeyProtocol:        "nfs",
+							common.KeyArrayID:         secondValidID,
+							common.KeyNfsACL:          "A::GROUP@:RWX",
+							common.KeyNasName:         validNasName,
+						},
+					},
+				}))
+			})
+		})
+
+		When("creating nfs volume with NFS acls not in array config and not in storage class", func() {
+			It("should successfully create nfs volume with default NFS acls in volume response", func() {
+				clientMock.On("GetNASByName", mock.Anything, validNasName).Return(gopowerstore.NAS{ID: validNasID}, nil)
+				clientMock.On("CreateFS", mock.Anything, mock.Anything).Return(gopowerstore.CreateResponse{ID: validBaseVolID}, nil)
+				clientMock.On("GetNfsServer", mock.Anything, mock.Anything).Return(gopowerstore.NFSServerInstance{Id: validNfsServerID, IsNFSv4Enabled: true}, nil)
+
+				req := getTypicalCreateVolumeNFSRequest("my-vol", validVolSize)
+				req.Parameters[common.KeyArrayID] = secondValidID
+
+				res, err := ctrlSvc.CreateVolume(context.Background(), req)
+				Expect(err).To(BeNil())
+				Expect(res).To(Equal(&csi.CreateVolumeResponse{
+					Volume: &csi.Volume{
+						CapacityBytes: validVolSize,
+						VolumeId:      filepath.Join(validBaseVolID, secondValidID, "nfs"),
+						VolumeContext: map[string]string{
+							common.KeyArrayVolumeName: "my-vol",
+							common.KeyProtocol:        "nfs",
+							common.KeyArrayID:         secondValidID,
+							common.KeyNfsACL:          "A::OWNER@:RWX",
+							common.KeyNasName:         validNasName,
+						},
+					},
+				}))
+			})
+		})
+
+		When("creating nfs volume with NFS acls in not in secrets & default", func() {
+			It("should successfully create nfs volume with empty NFS acls in volume response", func() {
+				clientMock.On("GetNASByName", mock.Anything, validNasName).Return(gopowerstore.NAS{ID: validNasID}, nil)
+				clientMock.On("CreateFS", mock.Anything, mock.Anything).Return(gopowerstore.CreateResponse{ID: validBaseVolID}, nil)
+				clientMock.On("GetNfsServer", mock.Anything, mock.Anything).Return(gopowerstore.NFSServerInstance{Id: validNfsServerID, IsNFSv4Enabled: true}, nil)
+
+				req := getTypicalCreateVolumeNFSRequest("my-vol", validVolSize)
+				req.Parameters[common.KeyArrayID] = secondValidID
+
+				ctrlSvc.Arrays()[secondValidID].NfsAcls = ""
+				csictx.Setenv(context.Background(), common.EnvNfsAcls, "")
+
+				_ = ctrlSvc.Init()
+
+				res, err := ctrlSvc.CreateVolume(context.Background(), req)
+				Expect(err).To(BeNil())
+				Expect(res).To(Equal(&csi.CreateVolumeResponse{
+					Volume: &csi.Volume{
+						CapacityBytes: validVolSize,
+						VolumeId:      filepath.Join(validBaseVolID, secondValidID, "nfs"),
+						VolumeContext: map[string]string{
+							common.KeyArrayVolumeName: "my-vol",
+							common.KeyProtocol:        "nfs",
+							common.KeyArrayID:         secondValidID,
+							common.KeyNfsACL:          "",
+							common.KeyNasName:         validNasName,
 						},
 					},
 				}))
@@ -457,6 +580,8 @@ var _ = Describe("CSIControllerService", func() {
 							common.KeyArrayVolumeName: "my-vol",
 							common.KeyProtocol:        "nfs",
 							common.KeyArrayID:         secondValidID,
+							common.KeyNfsACL:          "A::OWNER@:RWX",
+							common.KeyNasName:         validNasName,
 						},
 					},
 				}))
@@ -1533,6 +1658,7 @@ var _ = Describe("CSIControllerService", func() {
 						"ExportID":      nfsID,
 						"allowRoot":     "",
 						"HostIP":        "127.0.0.1",
+						"nfsAcls":       "",
 					},
 				}))
 			})
@@ -1654,6 +1780,7 @@ var _ = Describe("CSIControllerService", func() {
 						"allowRoot":     "",
 						"HostIP":        "127.0.0.1",
 						"NatIP":         "10.0.0.1",
+						"nfsAcls":       "",
 					},
 				}))
 			})

pkg/controller/publisher.go

@@ -267,6 +267,7 @@ func (n *NfsPublisher) Publish(ctx context.Context, req *csi.ControllerPublishVo
 	}
 	publishContext[common.KeyExportID] = export.ID
 	publishContext[common.KeyAllowRoot] = req.VolumeContext[common.KeyAllowRoot]
+	publishContext[common.KeyNfsACL] = req.VolumeContext[common.KeyNfsACL]
 	return &csi.ControllerPublishVolumeResponse{PublishContext: publishContext}, nil
 }