Bug #22353

closed

kclient: ceph_getattr() return zero st_dev for normal inode

Added by Robert Sander over 6 years ago. Updated about 6 years ago.

Status: Resolved
Priority: Normal
Category: Correctness/Safety
Target version: -
% Done: 0%
Source: Community (user)
Regression: No
Severity: 1 - critical

Description

Running Ceph 12.2.2

Create Filesystem fresh on this version.

FUSE-mounted filesystem with client_acl_type=posix_acl and fuse_default_permissions=0.

ACLs can be set by root with setfacl and queried with getfacl.

```
# touch test2
# chmod 0600 test2
# setfacl -m g:sysadmin:rwx test2
# getfacl test2
# file: test2
# owner: root
# group: root
user::rw-
group::---
group:sysadmin:rwx
mask::rwx
other::---
```

A member of the group sysadmin should have access to a file or directory but access is denied.

```
$ ls -la test2
ls: test2: Permission denied
-rw-rwx--- 1 root root 6 Dez 8 17:33 test2*
$ getfacl test2
# file: test2
# owner: root
# group: root
user::rw-
group::---
group:sysadmin:rwx
mask::rwx
other::---
$ cat test2
cat: test2: Permission denied
```

Actions #1

Updated by Robert Sander over 6 years ago

Now with better formatting:

Running Ceph 12.2.2

Create Filesystem fresh on this version.

FUSE-mounted filesystem with client_acl_type=posix_acl and fuse_default_permissions=0.

ACLs can be set by root with setfacl and queried with getfacl.

```
# touch test2
# chmod 0600 test2
# setfacl -m g:sysadmin:rwx test2
# getfacl test2
# file: test2
# owner: root
# group: root
user::rw-
group::---
group:sysadmin:rwx
mask::rwx
other::---
```

A member of the group sysadmin should have access to a file or directory but access is denied.

```
$ ls -la test2
ls: test2: Permission denied
-rw-rwx--- 1 root root 6 Dez  8 17:33 test2*
$ getfacl test2
# file: test2
# owner: root
# group: root
user::rw-
group::---
group:sysadmin:rwx
mask::rwx
other::---
$ cat test2
cat: test2: Permission denied
```

Actions #2

Updated by Robert Sander over 6 years ago

The kernel client in Ubuntu 17.10 (4.13.0-17-generic) does not have this issue, but it does not show if ACLs are set (with the + sign after the Unix permissions).

```
$ ls -ld test*
drwxrwx--- 1 root root 2 Dez 8 20:29 test/
-rw-rwx--- 1 root root 6 Dez 8 17:33 test2*
$ getfacl test2
# file: test2
# owner: root
# group: root
user::rw-
group::---
group:sysadmin:rwx
mask::rwx
other::---
$ echo "Hello World" > test2
$ cat test2
Hello World
```

Actions #3

Updated by Zheng Yan over 6 years ago

I can't reproduce it on Fedora 26. Please provide the versions of kernel and fuse-libs installed on the machine that ran ceph-fuse.

Actions #4

Updated by Zheng Yan over 6 years ago

If the fuse-libs version is < 2.8, ceph-fuse can't get the supplementary groups of a user. Group ACLs only apply to users whose primary group is the given one.

Actions #5

Updated by Zheng Yan over 6 years ago

The missing '+ sign' is caused by the ls code:

```c
static int
file_has_acl_cache (char const *file, struct fileinfo *f)
{
  /* st_dev of the most recently processed device for which we've
     found that file_has_acl fails indicating lack of support.  */
  static dev_t unsupported_device;

  if (f->stat.st_dev == unsupported_device)
    {
      errno = ENOTSUP;
      return 0;
    }

  /* Zero errno so that we can distinguish between two 0-returning cases:
     "has-ACL-support, but only a default ACL" and "no ACL support". */
  errno = 0;
  int n = file_has_acl (file, &f->stat);
  if (n <= 0 && errno_unsupported (errno))
    unsupported_device = f->stat.st_dev;
  return n;
}
```

For non-snapshotted inodes, ceph always sets st_dev to 0.

Actions #6

Updated by Robert Sander over 6 years ago

Zheng Yan wrote:

> I can't reproduce it on Fedora 26. Please provide the versions of kernel and fuse-libs installed on the machine that ran ceph-fuse.

The client is Ubuntu 17.10 with ceph-fuse 12.2.0 and libfuse 2.9.7, kernel version is 4.13.0-17

Actions #7

Updated by Robert Sander over 6 years ago

Robert Sander wrote:

> Zheng Yan wrote:
>
> > I can't reproduce it on Fedora 26. Please provide the versions of kernel and fuse-libs installed on the machine that ran ceph-fuse.
>
> The client is Ubuntu 17.10 with ceph-fuse 12.2.0 and libfuse 2.9.7, kernel version is 4.13.0-17

Testing the same filesystem with Ubuntu 16.04, libfuse 2.9.4 and ceph-fuse 12.2.2, everything works as expected, even ls.

Now the only question that remains is: why does the kernel cephfs module not expose the ACL capability to ls?

Actions #8

Updated by Zheng Yan over 6 years ago

Robert Sander wrote:

> Robert Sander wrote:
>
> > Zheng Yan wrote:
> >
> > > I can't reproduce it on Fedora 26. Please provide the versions of kernel and fuse-libs installed on the machine that ran ceph-fuse.
> >
> > The client is Ubuntu 17.10 with ceph-fuse 12.2.0 and libfuse 2.9.7, kernel version is 4.13.0-17
>
> Testing the same filesystem with Ubuntu 16.04, libfuse 2.9.4 and ceph-fuse 12.2.2, everything works as expected, even ls.
>
> Now the only question that remains is: why does the kernel cephfs module not expose the ACL capability to ls?

For stat(2), the cephfs module uses st_dev to return the snapid of the inode. For a head inode, st_dev is 0. 'st_dev == 0' confuses the ls code.
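
Added example, not part of the original thread and not coreutils or Ceph code: a small C model of the ls caching logic quoted in comment #5, showing why the zero st_dev described in comments #5 and #8 collides with the zero-initialised `unsupported_device` static. `stub_file_has_acl` and both function names are hypothetical, `errno == ENOTSUP` stands in for `errno_unsupported()`, and the flag variant is shown for contrast only; it is not the change made for this bug.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-in for file_has_acl(): every file carries an ACL. */
static int stub_file_has_acl(dev_t dev) { (void)dev; return 1; }

/* Same shape as the quoted ls helper: the cached "unsupported" device is a
   zero-initialised static, so 0 also means "nothing cached yet". */
static int acl_cached_sentinel(dev_t st_dev)
{
    static dev_t unsupported_device;          /* implicitly 0 */
    if (st_dev == unsupported_device) {
        errno = ENOTSUP;
        return 0;                             /* ACL is never looked up */
    }
    errno = 0;
    int n = stub_file_has_acl(st_dev);
    if (n <= 0 && errno == ENOTSUP)
        unsupported_device = st_dev;
    return n;
}

/* Contrast variant: an explicit validity flag, so st_dev == 0 is treated
   like any other device number. */
static int acl_cached_flag(dev_t st_dev)
{
    static dev_t unsupported_device;
    static bool have_unsupported;             /* false until a lookup fails */
    if (have_unsupported && st_dev == unsupported_device) {
        errno = ENOTSUP;
        return 0;
    }
    errno = 0;
    int n = stub_file_has_acl(st_dev);
    if (n <= 0 && errno == ENOTSUP) {
        unsupported_device = st_dev;
        have_unsupported = true;
    }
    return n;
}

int main(void)
{
    /* st_dev 0 models a CephFS head inode; 42 is a constructed device id. */
    printf("sentinel: dev 0 -> %d, dev 42 -> %d\n",
           acl_cached_sentinel(0), acl_cached_sentinel(42));
    printf("flag:     dev 0 -> %d, dev 42 -> %d\n",
           acl_cached_flag(0), acl_cached_flag(42));
    return 0;
}
```

With the sentinel version, the file on device 0 is reported as having no ACL support even though the stub always reports an ACL, which is why ls prints no `+` after the mode bits.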

Actions #9

Updated by Zheng Yan over 6 years ago

  • Subject changed from ACLs supported but not working for normal user to kclient: ceph_getattr() return zero st_dev for normal inode
Actions #10

Updated by Patrick Donnelly over 6 years ago

  • Assignee set to Zheng Yan
Actions #11

Updated by Patrick Donnelly over 6 years ago

  • Status changed from New to In Progress
Actions #13

Updated by Zheng Yan about 6 years ago

  • Status changed from 7 to Resolved