Files created by ZoL have an empty NFSv4 ACL #6391

Closed
Low-power opened this issue Jul 23, 2017 · 12 comments
Labels
Status: Stale No recent activity for issue Type: Defect Incorrect behavior (e.g. crash, hang)

Comments

@Low-power
Contributor

Low-power commented Jul 23, 2017

System information

| Type | Version/Name |
| --- | --- |
| Distribution Name | Debian GNU/Linux |
| Distribution Version | 8 |
| Linux Kernel | 3.16.0-4-686-pae |
| Architecture | i386 |
| ZFS Version | 0.6.5.11 |
| SPL Version | 0.6.5.11 |

Describe the problem you're observing

I know that the NFSv4 ACL for ZoL is currently unimplemented due to the lack of userland tools for Linux, but files on ZFS having an empty ACL causes problems when interacting with other platforms that support NFSv4 ACLs for ZFS.

Describe how to reproduce the problem

1. Put a file on a pool, and export this pool on Linux
2. Import the pool on a Solaris OS (the pool is created with a version that both OpenZFS and Solaris support)
3. Look at the file as a non-root user

[whr@WHRsWorkPC]:[25]:[/mnt/1]:$ ls -l todo
-rw-r--r-- 1 root root 11 2017-07-23 18:38 todo

It looks like I have read permission on this file, but...

[whr@WHRsWorkPC]:[26]:[/mnt/1]:$ cat todo
cat: todo: Permission denied

Because the file has an empty ACL

[whr@WHRsWorkPC]:[27]:[/mnt/1]:$ /usr/bin/ls -lv todo
ls: can't read ACL on todo: Permission denied
-rw-r--r--   1 root     root          11  7月 23 18:38 todo
[whr@WHRsWorkPC]:[28]:[/mnt/1]:$ sudo /usr/bin/ls -lv todo
密码:
-rw-r--r--   1 root     root          11  7月 23 18:38 todo
[whr@WHRsWorkPC]:[29]:[/mnt/1]:$ 

Creating a default ACL from the permission mode for this file by using the chmod command will fix this

[whr@WHRsWorkPC]:[29]:[/mnt/1]:$ sudo chmod 644 todo
[whr@WHRsWorkPC]:[30]:[/mnt/1]:$ /usr/bin/ls -lv todo
-rw-r--r--   1 root     root          11  7月 23 18:38 todo
     0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
         /read_attributes/write_attributes/read_acl/write_acl/write_owner
         /synchronize:allow
     1:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
     2:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
[whr@WHRsWorkPC]:[31]:[/mnt/1]:$ cat todo
Report bug
[whr@WHRsWorkPC]:[32]:[/mnt/1]:$ 

I think ZoL should add a module parameter or a property to turn on a behavior that creates the NFSv4 ACL from the corresponding file mode when files are chmod(2)'d or creat(2)'d, even though this ACL is currently meaningless on Linux.
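
An added example (not part of the original issue and not OpenZFS code): a Python audit that parses Solaris `ls -lv` output like the listings above and flags files whose ACL is empty or whose allow entries differ from what the mode bits imply. The mode-to-entry mapping is inferred from the 644 listing shown in this post; deny entries and inheritance flags are not handled, and `expected_acl`, `parse_ls_v` and `audit` are hypothetical names.

```python
import re

# Assumptions: plain rwx modes, entries without inheritance flags, allow entries only.
FILE_RE = re.compile(r"^([-d][rwx-]{9})\S*\s+\d+\s+\S+\s+\S+\s.*\s(\S+)$")
COMMON = {"read_xattr", "read_attributes", "read_acl", "synchronize"}
OWNER_ONLY = {"write_xattr", "write_attributes", "write_acl", "write_owner"}
BITS = {"r": {"read_data"}, "w": {"write_data", "append_data"}, "x": {"execute"}}

# Constructed sample: one file with an empty ACL, one with the default entries.
SAMPLE = """\
-rw-r--r--   1 root     root          11 Jul 23 18:38 todo
-rw-r--r--   1 root     root          11 Jul 23 18:38 fixed
     0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
         /read_attributes/write_attributes/read_acl/write_acl/write_owner
         /synchronize:allow
     1:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
     2:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
"""

def expected_acl(mode):
    """Allow entries implied by a mode string such as '-rw-r--r--'."""
    acl = {}
    for i, who in enumerate(("owner@", "group@", "everyone@")):
        acl[who] = COMMON | (OWNER_ONLY if i == 0 else set())
        for flag in mode[1 + 3 * i:4 + 3 * i]:
            acl[who] |= BITS.get(flag, set())
    return acl

def parse_ls_v(text):
    """Return {name: (mode, {who: allowed perms})}; wrapped entries are rejoined."""
    files = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            files.append((m.group(2), m.group(1), []))
        elif files and re.match(r"\s+\d+:", line):
            files[-1][2].append(line.strip())      # a new entry starts
        elif files and files[-1][2] and line[:1].isspace():
            files[-1][2][-1] += line.strip()       # wrapped entry continues
    parsed = {}
    for name, mode, aces in files:
        triples = (ace.split(":", 1)[1].rsplit(":", 2) for ace in aces)
        parsed[name] = (mode, {w: set(p.split("/")) for w, p, k in triples if k == "allow"})
    return parsed

def audit(text):
    """Map each file name to 'empty', 'ok' or 'mismatch'."""
    return {n: "empty" if not a else "ok" if a == expected_acl(m) else "mismatch"
            for n, (m, a) in parse_ls_v(text).items()}
```

Run the listing as a user who is allowed to read ACLs (the post uses sudo), since an unprivileged `ls -lv` on an empty-ACL file prints only an error and no entries.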

@bunder2015
Contributor

Do you have ACLs enabled on the dataset?

From man zfs(8):

When a file system has the acltype property set to off (the default) then ACLs are disabled.

@Low-power
Contributor Author

According to zfs(8), only POSIX ACL is currently supported by ZoL, and it is completely separated from the NFSv4 ACL in ZFS internally.

Setting the acltype property to posixacl indicates Posix ACLs should be used. Posix ACLs are specific to Linux and are not functional on other platforms. Posix ACLs are stored as an xattr and therefore will not overwrite any existing ZFS/NFSv4 ACLs which may be set. Currently only posixacls are supported on Linux.

@bunder2015
Contributor

Yes, sorry it appears I was mistaken. I did some looking around and it looks like this works under nfs v3 but nfs v4 does things differently.

@ghfields
Contributor

#4966
Just adding this comment to link NFS ACL Tickets.

@tuxoko
Contributor

tuxoko commented Jul 24, 2017

Are you even using NFS in the problem you reported? Also, the filesystem on Linux doesn't need to explicitly support nfs4 acl, because the nfs kernel server will translate it from posixacl. So if you enable posixacl on the filesystem it should be fine.

@Low-power
Contributor Author

I'm not talking about NFS, but the NFSv4 ACL that is supported by ZFS internally.
From my description, the file is shared to another OS by exporting/importing the pool, not by mounting NFS.

@tuxoko
Contributor

tuxoko commented Jul 24, 2017

I see what you mean. While it's possible to implement it, there are certain things to consider. For example, the NFS server on Linux exports ACLs by translating POSIX ACLs, which means we'll have to translate NFS4 ACLs to POSIX ACLs first. But since the translation cannot be perfect, it might create problems.

@Low-power
Contributor Author

In fact, I use neither POSIX ACLs nor NFSv4 ACLs, but a missing ACL makes files inaccessible from some other platforms, so until NFSv4 ACL support for ZoL is fully implemented, just translating the file permission mode to an NFSv4 ACL should be enough to resolve this problem.

@stale

stale bot commented Aug 25, 2020

This issue has been automatically marked as "stale" because it has not had any activity for a while. It will be closed in 90 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the Status: Stale No recent activity for issue label Aug 25, 2020
@Low-power
Contributor Author

This issue shouldn't be closed because it is yet to be fixed.

@stale stale bot removed the Status: Stale No recent activity for issue label Aug 25, 2020
@behlendorf behlendorf added the Type: Defect Incorrect behavior (e.g. crash, hang) label Aug 25, 2020
@stale

stale bot commented Aug 25, 2021

This issue has been automatically marked as "stale" because it has not had any activity for a while. It will be closed in 90 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the Status: Stale No recent activity for issue label Aug 25, 2021
@Low-power
Contributor Author

This issue appears to be fixed now; files created using OpenZFS 2.0.4 now have the proper default ACL entries that worked correctly under Solaris:

$ /usr/bin/ls -lv test-file
-rw-r--r--   1 root     root         192  8月 26 14:58 test-file
     0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
         /read_attributes/write_attributes/read_acl/write_acl/write_owner
         /synchronize:allow
     1:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
     2:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow

I guess it was fixed by implementing NFSv4 ACL support for FreeBSD.
