[gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS cluster
Ilan Schwarts
ilan84 at gmail.com
Tue Aug 8 05:28:20 BST 2017
Hi,
The command should work from the server side, I know, but isn't the scenario of:
Root user, that is mounted via NFSv4 to a GPFS filesystem, cannot edit any
of the mounted files'/dirs' ACLs?
The ACLs are editable only from the server side?
Thanks!
On Aug 8, 2017 00:10, "James Davis" <jamiedavis at us.ibm.com> wrote:
> Hi Ilan,
>
> 1. Your command might work from the server side; you said you tried it
> from the client side. Could you find anything in the docs about this? I
> could not.
>
> 2. I can share this NFSv4-themed wrapper around mmputacl if it would be
> useful to you. You would have to run it from the GPFS side, not the NFS
> client side.
>
> Regards,
>
> Jamie
>
> # ./updateNFSv4ACL -h
> Update the NFSv4 ACL governing a file's access permissions.
> Appends to the existing ACL, overwriting conflicting permissions.
> Usage: ./updateNFSv4ACL -file /path/to/file { ADD_PERM_SPEC |
> DEL_PERM_SPEC }+
> ADD_PERM_SPEC: { -owningUser PERM | -owningGroup PERM | -other PERM |
> -ace nameType:name:PERM:aceType }
> DEL_PERM_SPEC: { -noACEFor nameType:name }
> PERM: Specify a string composed of one or more of the following letters
> in no particular order:
> r (ead)
> w (rite)
> a (ppend) Must agree with write
> x (execute)
> d (elete)
> D (elete child) Dirs only
> t (read attrs)
> T (write attrs)
> c (read ACL)
> C (write ACL)
> o (change owner)
> You can also provide these, but they will have no effect in GPFS:
> n (read named attrs)
> N (write named attrs)
> y (support synchronous I/O)
>
> To indicate no permissions, give a -
> nameType: 'user' or 'group'.
> aceType: 'allow' or 'deny'.
> Examples: ./updateNFSv4ACL -file /fs1/f -owningUser rtc -owningGroup
> rwaxdtc -other '-'
> Assign these permissions to 'owner', 'group', 'other'.
> ./updateNFSv4ACL -file /fs1/f -ace 'user:pfs001:rtc:allow'
> -noACEFor 'group:fvt001'
> Allow user pfs001 read/read attrs/read ACL permission
> Remove all ACEs (allow and deny) for group fvt001.
> Notes:
> Permissions you do not allow are denied by default.
> See the GPFS docs for some other restrictions.
> ace is short for Access Control Entry
>
>
> ----- Original message -----
> From: Ilan Schwarts <ilan84 at gmail.com>
> Sent by: gpfsug-discuss-bounces at spectrumscale.org
> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
> Cc:
> Subject: [gpfsug-discuss] How to use nfs4_getfacl (or set) on GPFS cluster
> Date: Mon, Aug 7, 2017 9:27 AM
>
> Hi all,
> My setup is 2 nodes GPFS and 1 machine as NFS Client.
> All machines (3 total) run CentOS 7.2
>
> The 3rd CentOS machine (not part of the cluster) used as NFS Client.
>
> I mount the NFS Client machine to one of the nodes: mount -t nfs
> 10.10.158.61:/fs_gpfs01/nfs /mnt/nfs4
>
> This gives me the following:
>
> [root@CentOS7286-64 ~]# mount -v | grep gpfs
> 10.10.158.61:/fs_gpfs01/nfs on /mnt/nfs4 type nfs4 (rw,relatime,vers=4.0,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.10.149.188,local_lock=none,addr=10.10.158.61)
>
> Now, from the client NFS machine, I go to the mount directory ("cd
> /mnt/nfs4") and try to set an ACL. Since NFSv4 should be supported, I
> use nfs4_getfacl:
> [root@CentOS7286-64 nfs4]# nfs4_getfacl mydir11
> Operation to request attribute not supported.
> [root@CentOS7286-64 nfs4]#
>
> From the NODE machine I see the status:
> [root@LH20-GPFS1 fs_gpfs01]# mmlsfs fs_gpfs01
> flag                value                    description
> ------------------- ------------------------ -----------------------------------
> -f                  8192                     Minimum fragment size in bytes
> -i                  4096                     Inode size in bytes
> -I                  16384                    Indirect block size in bytes
> -m                  1                        Default number of metadata replicas
> -M                  2                        Maximum number of metadata replicas
> -r                  1                        Default number of data replicas
> -R                  2                        Maximum number of data replicas
> -j                  cluster                  Block allocation type
> -D                  nfs4                     File locking semantics in effect
> -k                  nfs4                     ACL semantics in effect
> -n                  32                       Estimated number of nodes that will mount file system
> -B                  262144                   Block size
> -Q                  none                     Quotas accounting enabled
>                     none                     Quotas enforced
>                     none                     Default quotas enabled
> --perfileset-quota  No                       Per-fileset quota enforcement
> --filesetdf         No                       Fileset df enabled?
> -V                  16.00 (4.2.2.0)          File system version
> --create-time       Wed Jul 5 12:28:39 2017  File system creation time
> -z                  No                       Is DMAPI enabled?
> -L                  4194304                  Logfile size
> -E                  Yes                      Exact mtime mount option
> -S                  No                       Suppress atime mount option
> -K                  whenpossible             Strict replica allocation option
> --fastea            Yes                      Fast external attributes enabled?
> --encryption        No                       Encryption enabled?
> --inode-limit       171840                   Maximum number of inodes in all inode spaces
> --log-replicas      0                        Number of log replicas
> --is4KAligned       Yes                      is4KAligned?
> --rapid-repair      Yes                      rapidRepair enabled?
> --write-cache-threshold 0                    HAWC Threshold (max 65536)
> -P                  system                   Disk storage pools in file system
> -d                  nynsd1;nynsd2            Disks in file system
> -A                  yes                      Automatic mount option
> -o                  none                     Additional mount options
> -T                  /fs_gpfs01               Default mount point
> --mount-priority    0                        Mount priority
>
>
>
> I saw this thread:
> https://serverfault.com/questions/655112/nfsv4-acls-on-gpfs/722200
>
> Is it still relevant? Since 2014...
>
> Thanks !
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
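Added example (not part of the thread and not the wrapper's own code): a validator for the PERM and -ace syntax described in the quoted updateNFSv4ACL help text, for checking a spec before running it on the GPFS side. The function names are hypothetical, and reading "Must agree with write" as "both set or both unset" is an assumption; the real wrapper may be stricter or looser.

```python
# Added example: checks specs against the rules stated in the quoted
# updateNFSv4ACL help text. It runs no GPFS command and is not the wrapper.
EFFECTIVE = set("rwaxdDtTcCo")      # letters the help text lists as honoured
NO_EFFECT_IN_GPFS = set("nNy")      # accepted, but "no effect in GPFS"


def parse_perm(perm, is_dir=False):
    """Return (effective_letters, warnings) for one PERM string."""
    if perm == "-":                 # "-" indicates no permissions
        return frozenset(), []
    letters = set(perm)
    unknown = letters - EFFECTIVE - NO_EFFECT_IN_GPFS
    if not letters or unknown:
        raise ValueError(f"bad PERM {perm!r}: unknown {sorted(unknown)}")
    # "a (ppend) Must agree with write": assumed to mean both or neither.
    if ("a" in letters) != ("w" in letters):
        raise ValueError(f"bad PERM {perm!r}: 'a' must agree with 'w'")
    # "D (elete child) Dirs only"
    if "D" in letters and not is_dir:
        raise ValueError(f"bad PERM {perm!r}: 'D' is for directories only")
    ignored = sorted(letters & NO_EFFECT_IN_GPFS)
    warnings = [f"{c!r} has no effect in GPFS" for c in ignored]
    return frozenset(letters & EFFECTIVE), warnings


def parse_ace(spec, is_dir=False):
    """Parse an -ace argument of the form nameType:name:PERM:aceType."""
    parts = spec.split(":")
    if len(parts) != 4:
        raise ValueError(f"bad ACE {spec!r}: expected 4 ':'-separated fields")
    name_type, name, perm, ace_type = parts
    if name_type not in ("user", "group"):
        raise ValueError(f"bad ACE {spec!r}: nameType must be user or group")
    if not name:
        raise ValueError(f"bad ACE {spec!r}: empty name")
    if ace_type not in ("allow", "deny"):
        raise ValueError(f"bad ACE {spec!r}: aceType must be allow or deny")
    perms, warnings = parse_perm(perm, is_dir)
    return {"nameType": name_type, "name": name, "perms": perms,
            "aceType": ace_type, "warnings": warnings}


if __name__ == "__main__":
    # Spec taken from the help text's own example.
    print(parse_ace("user:pfs001:rtc:allow"))
```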