[gpfsug-discuss] Inherited ACLs and multi-protocol access

Lines, Robert linesr at janelia.hhmi.org
Thu Oct 31 15:23:59 GMT 2019


I know I am missing something here, and it is probably due to lack of experience dealing with ACLs, as all other storage we distil down to just POSIX UGO permissions.

We have Windows native clients creating data.  There are SMB clients of various flavors accessing data via CES.  Then there are Linux native clients that interface between GPFS and other NFS filers for data movement.

What I am running into is around inheriting permissions so that Windows native and SMB clients have access based on the user's group membership that remains sane, while also being able to migrate files off to NFS filers with reasonable POSIX permissions.

Here is the top level directory that is the lab name, and there is a matching group.  That directory is the highest point where an ACL has been set with inheritance.  The directory listed is one created from a Windows native client.  The issue I am running into is that the largec7 directory that was created is having the POSIX permissions set to nothing for the owner.  The ACL that results is okay, but when that folder or anything in it is synced off to another filer that only has the basic POSIX permissions it acts kinda wonky.  The user was able to fix up his files on the other filer because he was still the owner, but I would like to make it work properly.


[root at gpfs-dm1 smith]# ls -la
drwxrwsr-x 84 root  smith       16384 Oct 30 23:22 .
d---rwsr-x  2 tim   smith        4096 Oct 30 23:22 largec7
drwx--S---  2 tim   smith        4096 Oct 24 00:17 CFA1

[root at gpfs-dm1 smith]# mmgetacl .
#NFSv4 ACL
#owner:root
#group:smith
special:owner@:rwxc:allow:FileInherit:DirInherit
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:group@:rwxc:allow:FileInherit:DirInherit
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:everyone@:r-x-:allow:FileInherit:DirInherit
(X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

[root at gpfs-dm1 smith]# mmgetacl largec7
#NFSv4 ACL
#owner:tim
#group:smith
#ACL flags:
#  DACL_PRESENT
#  DACL_AUTO_INHERITED
#  SACL_AUTO_INHERITED
user:root:rwxc:allow:FileInherit:DirInherit:Inherited
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:group@:rwxc:allow:FileInherit:DirInherit:Inherited
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:everyone@:r-x-:allow:FileInherit:DirInherit:Inherited
(X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

In contrast, the CFA1 directory was created prior to the file and directory inheritance being put in place.  That worked okay as long as it was only that user, but the lack of group access is a problem and is what led to trying to sort out the inherited ACLs in the first place.

[root at gpfs-dm1 smith]# ls -l
drwx--S---  2 tim   smith        4096 Oct 24 00:17 CFA1

[root at gpfs-dm1 smith]# mmgetacl CFA1
#NFSv4 ACL
#owner:tim
#group:smith
#ACL flags:
#  DACL_PRESENT
#  DACL_AUTO_INHERITED
#  SACL_AUTO_INHERITED
special:owner@:rwxc:allow
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(X)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

user:15000001:rwxc:allow
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(X)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

user:15000306:r-x-:allow
(X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED



Thank you for any suggestions.


--
Rob Lines
Sr. HPC Engineer
HHMI Janelia Research Campus
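
The following is an added worked example, not code from the post above or from IBM Spectrum Scale. It parses mmgetacl-style NFSv4 ACL output (the two listings quoted in the post, embedded here as constructed sample text with the (X)/(-) detail rows omitted) and derives the POSIX owner/group/other bits from the special:owner@, special:group@ and special:everyone@ entries, the way RFC 7530 describes mapping an NFSv4 ACL to mode bits; treating that mapping as what GPFS reports in ls is an assumption. It then flags the condition visible in the largec7 listing: the parent's special:owner@ entry arrives on the child as a user:root entry marked Inherited, so the child's actual owner has no owner@ ACE and its owner mode bits come out as ---. The function names and the "frozen owner" wording are this example's own.

```python
import re

# Constructed sample: the parent directory ACL quoted in the post (detail rows omitted).
PARENT_ACL = """\
#NFSv4 ACL
#owner:root
#group:smith
special:owner@:rwxc:allow:FileInherit:DirInherit
special:group@:rwxc:allow:FileInherit:DirInherit
special:everyone@:r-x-:allow:FileInherit:DirInherit
"""

# Constructed sample: the largec7 ACL quoted in the post (detail rows omitted).
CHILD_ACL = """\
#NFSv4 ACL
#owner:tim
#group:smith
#ACL flags:
#  DACL_PRESENT
#  DACL_AUTO_INHERITED
#  SACL_AUTO_INHERITED
user:root:rwxc:allow:FileInherit:DirInherit:Inherited
special:group@:rwxc:allow:FileInherit:DirInherit:Inherited
special:everyone@:r-x-:allow:FileInherit:DirInherit:Inherited
"""

# One ACE header line: type:who:rwxc-mask:allow|deny[:flag...]
ACE_RE = re.compile(r"^(special|user|group):([^:]+):([rwxc-]{4}):(allow|deny)((?::\w+)*)$")


def parse_acl(text):
    """Return (owner, group, aces) from mmgetacl NFSv4 output.

    The indented (X)/(-) permission detail rows are ignored; the four-letter
    rwxc mask on the header line carries the same information for our purpose.
    """
    owner = group = None
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#owner:"):
            owner = line.split(":", 1)[1]
        elif line.startswith("#group:"):
            group = line.split(":", 1)[1]
        elif not line or line.startswith("#") or line.startswith("("):
            continue
        else:
            m = ACE_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised ACE line: {line!r}")
            kind, who, perms, allow, flags = m.groups()
            aces.append({
                "kind": kind, "who": who, "perms": perms,
                "allow": allow == "allow",
                "flags": {f for f in flags.split(":") if f},
            })
    return owner, group, aces


def _triple(aces, who):
    """rwx triple for one special principal; ACEs are evaluated in order,
    first ACE that mentions a bit decides it (NFSv4 semantics)."""
    decided = {}
    for ace in aces:
        if ace["kind"] != "special" or ace["who"] != who:
            continue
        for i, ch in enumerate("rwx"):
            if ace["perms"][i] == ch and ch not in decided:
                decided[ch] = ch if ace["allow"] else "-"
    return "".join(decided.get(ch, "-") for ch in "rwx")


def posix_mode(aces):
    """Mode string as ls would show it (setgid/sticky are not ACL-derived, so omitted)."""
    return _triple(aces, "owner@") + _triple(aces, "group@") + _triple(aces, "everyone@")


def frozen_owner(owner, aces):
    """If the object has no owner@ ACE but does carry an Inherited user:<x> ACE for
    someone other than its owner, return <x>: the parent's owner@ entry was resolved
    to a fixed user at inheritance time, leaving the real owner with no mode bits."""
    if any(a["kind"] == "special" and a["who"] == "owner@" for a in aces):
        return None
    for a in aces:
        if a["kind"] == "user" and "Inherited" in a["flags"] and a["who"] != owner:
            return a["who"]
    return None


if __name__ == "__main__":
    for name, text in (("smith/", PARENT_ACL), ("smith/largec7", CHILD_ACL)):
        owner, group, aces = parse_acl(text)
        mode = posix_mode(aces)
        print(f"{name}: owner={owner} group={group} mode={mode}")
        pinned = frozen_owner(owner, aces)
        if pinned:
            print(f"  no owner@ ACE; inherited entry is pinned to user:{pinned}, "
                  f"so {owner} gets owner bits '{mode[:3]}' on a POSIX-only copy")
```

Running it on the two samples prints rwxrwxr-x for the parent and ---rwxr-x for largec7, matching the ls output in the post once the setgid bit is set aside, and reports that the inherited owner entry on largec7 is pinned to user:root. Pointing the script at real `mmgetacl` output for a whole tree is a quick way to find every object where an inherited ACE has displaced owner@ before syncing it to a POSIX-only filer.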
