Bug #22353
closed
kclient: ceph_getattr() return zero st_dev for normal inode
Added by Robert Sander over 6 years ago.
Updated about 6 years ago.
Category:
Correctness/Safety
Description
Running Ceph 12.2.2
Create Filesystem fresh on this version.
FUSE-mounted filesystem with client_acl_type=posix_acl and fuse_default_permissions=0.
ACLs can be set by root with setfacl and queried with getfacl.
```
# touch test2
# chmod 0600 test2
# setfacl -m g:sysadmin:rwx test2
# getfacl test2
# file: test2
# owner: root
# group: root
user::rw-
group::---
group:sysadmin:rwx
mask::rwx
other::---
```
A member of the group sysadmin should have access to a file or directory but access is denied.
```
$ ls -la test2
ls: test2: Permission denied
-rw-rwx--- 1 root root 6 Dez 8 17:33 test2*
$ getfacl test2
# file: test2
# owner: root
# group: root
user::rw-
group::---
group:sysadmin:rwx
mask::rwx
other::---
$ cat test2
cat: test2: Permission denied
```
Now with better formatting:
Running Ceph 12.2.2
Create Filesystem fresh on this version.
FUSE-mounted filesystem with client_acl_type=posix_acl and fuse_default_permissions=0.
ACLs can be set by root with setfacl and queried with getfacl.
```
# touch test2
# chmod 0600 test2
# setfacl -m g:sysadmin:rwx test2
# getfacl test2
# file: test2
# owner: root
# group: root
user::rw-
group::---
group:sysadmin:rwx
mask::rwx
other::---
```
A member of the group sysadmin should have access to a file or directory but access is denied.
```
$ ls -la test2
ls: test2: Permission denied
-rw-rwx--- 1 root root 6 Dez 8 17:33 test2*
$ getfacl test2
# file: test2
# owner: root
# group: root
user::rw-
group::---
group:sysadmin:rwx
mask::rwx
other::---
$ cat test2
cat: test2: Permission denied
```
The kernel client in Ubuntu 17.10 (4.13.0-17-generic) does not have this issue, but it does not show if ACLs are set (with the + sign after the Unix permissions).
```
$ ls -ld test*
drwxrwx--- 1 root root 2 Dez 8 20:29 test/
-rw-rwx--- 1 root root 6 Dez 8 17:33 test2*
$ getfacl test2
# file: test2
# owner: root
# group: root
user::rw-
group::---
group:sysadmin:rwx
mask::rwx
other::---
$ echo "Hello World" > test2
$ cat test2
Hello World
```
I can't reproduce it on Fedora 26. Please provide versions of kernel and fuse-libs installed on the machine that ran ceph-fuse.
If the fuse-libs version is < 2.8, ceph-fuse can't get the supplementary groups of a user. Group ACLs only apply to users whose primary group is the given one.
The missing '+' sign is caused by the ls code:
```c
static int
file_has_acl_cache (char const *file, struct fileinfo *f)
{
  /* st_dev of the most recently processed device for which we've
     found that file_has_acl fails indicating lack of support.  */
  static dev_t unsupported_device;

  if (f->stat.st_dev == unsupported_device)
    {
      errno = ENOTSUP;
      return 0;
    }

  /* Zero errno so that we can distinguish between two 0-returning cases:
     "has-ACL-support, but only a default ACL" and "no ACL support".  */
  errno = 0;
  int n = file_has_acl (file, &f->stat);
  if (n <= 0 && errno_unsupported (errno))
    unsupported_device = f->stat.st_dev;
  return n;
}
```
For non-snapshotted inodes, ceph always sets st_dev to 0.
Zheng Yan wrote:
> I can't reproduce it on Fedora 26. Please provide versions of kernel and fuse-libs installed on the machine that ran ceph-fuse.
The client is Ubuntu 17.10 with ceph-fuse 12.2.0 and libfuse 2.9.7, kernel version is 4.13.0-17
Robert Sander wrote:
> Zheng Yan wrote:
> > I can't reproduce it on Fedora 26. Please provide versions of kernel and fuse-libs installed on the machine that ran ceph-fuse.
> The client is Ubuntu 17.10 with ceph-fuse 12.2.0 and libfuse 2.9.7, kernel version is 4.13.0-17
Testing the same filesystem with Ubuntu 16.04, libfuse 2.9.4 and ceph-fuse 12.2.2, everything works as expected, even ls.
Now the only question that remains is why the kernel cephfs module does not expose the ACL capability to ls.
Robert Sander wrote:
> Robert Sander wrote:
> > Zheng Yan wrote:
> > > I can't reproduce it on Fedora 26. Please provide versions of kernel and fuse-libs installed on the machine that ran ceph-fuse.
> > The client is Ubuntu 17.10 with ceph-fuse 12.2.0 and libfuse 2.9.7, kernel version is 4.13.0-17
> Testing the same filesystem with Ubuntu 16.04, libfuse 2.9.4 and ceph-fuse 12.2.2, everything works as expected, even ls.
> Now the only question that remains is why the kernel cephfs module does not expose the ACL capability to ls.
For stat(2), the cephfs module uses st_dev to return the snapid of the inode. For a head inode, st_dev is 0. 'st_dev == 0' confuses the ls code.
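How a zero st_dev interacts with the ls cache quoted earlier in the thread, as an added example that is not code from coreutils, Ceph, or either poster. `fake_file_has_acl`, `has_acl_cached` and `acl_marker` are hypothetical names, the st_dev values are constructed, and the stand-in lookup is assumed to always report an ACL.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-in for file_has_acl(): counts how often the real
   ACL lookup would run and reports that the file carries an ACL. */
static int probe_calls;

static int fake_file_has_acl(void)
{
    probe_calls++;
    return 1;
}

/* Caching logic of the ls excerpt, keyed on st_dev only. A static dev_t
   is zero-initialized, so device 0 counts as "no ACL support" before
   any lookup has failed. errno_unsupported() is reduced to ENOTSUP. */
static int has_acl_cached(dev_t st_dev)
{
    static dev_t unsupported_device;

    if (st_dev == unsupported_device) {
        errno = ENOTSUP;
        return 0;
    }
    errno = 0;
    int n = fake_file_has_acl();
    if (n <= 0 && errno == ENOTSUP)
        unsupported_device = st_dev;
    return n;
}

/* '+' when an ACL is reported, ' ' otherwise, as in the ls -l mode column. */
static char acl_marker(dev_t st_dev)
{
    return has_acl_cached(st_dev) > 0 ? '+' : ' ';
}

int main(void)
{
    /* Constructed values: 0 is the st_dev the thread reports for a head
       inode on the kernel client; 42 is an arbitrary non-zero device. */
    char zero = acl_marker(0);
    int calls_after_zero = probe_calls;
    char nonzero = acl_marker(42);

    printf("st_dev=0:  marker '%c', lookups so far %d\n", zero, calls_after_zero);
    printf("st_dev=42: marker '%c', lookups so far %d\n", nonzero, probe_calls);
    return 0;
}
```

With st_dev 0 the ACL lookup is never reached, so the marker stays blank even though the ACL exists and is enforced.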
- Subject changed from ACLs supported but not working for normal user to kclient: ceph_getattr() return zero st_dev for normal inode
- Assignee set to Zheng Yan
- Status changed from New to In Progress
- Status changed from In Progress to 7
- Status changed from 7 to Resolved