[Gluster-devel] [RFE] Ability to force permissions while creating files/directories on a volume
Niels de Vos
ndevos at redhat.com
Thu Aug 10 09:59:36 UTC 2017
I'd like to get feedback on the feature proposal explained in
https://github.com/gluster/glusterfs/issues/301:
Ability to force permissions while creating files/directories on a volume
The description of the feature is included for reference below.
Thanks!
Niels
Some users have trouble with applications that create files on a
Gluster Volume. The files are expected to be writeable by others in the
same group, but the default system umask (client-side) may prevent this.
In their own words:
> We would like to be able to specify, at a gluster volume level, the default
> permissions that a directory or file is given when they are created,
> irrespective of the client's umask.
>
> I believe samba provides similar functionality via the following config
> settings:
>
> create mask
> force create mode
> create directory mask
> force directory mode
The above referenced options are documented in the `smb.conf` man-page.
With this functionality it will be possible to:
- have applications and users in a group for this writeable application data
- create the directory that will contain the data
- have the group own the directory (`chgrp`)
- set the setgid-bit on the directory (`chmod`)
- files created in the directory will be group-owned by the right group
  (not necessarily the primary group of the user)
- permissions of the new file can be set to `rw-rw-r--` by default,
  independent of the `0022` default umask for most client-side systems
This last point requires modification of the umask (`create mask`
options) on the bricks while the creation of files/directories is done,
or overriding the requested permissions when passed (`force create mode`
options).
One of the use-cases where this would be useful is containers in
OpenShift. An application in a container will get a random (in a defined
range) `uid`/`gid`. However, if the application needs additional
permissions, an additional `gid` can be passed. This additional
`gid` can give the application the ability to read/write data on a
filesystem as long as the permissions on the filesystem allow this. Once
the application creates files, the owner will be `random uid`/`random gid`
with standard `rw-r--r--` permissions. Setting the `setgid` bit can
prevent the `random gid` assignment, and volume options can adjust the
default permissions to `rw-rw-r--`.
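The following is an added illustration (not code from the proposal, the GitHub issue, or GlusterFS) of the two mechanisms the proposal relies on: how a client umask, a Samba-style `create mask` and `force create mode` combine to yield the final permission bits, and how the setgid bit on a directory decides the group owner of a new file. The option semantics are borrowed from `smb.conf` as a working model; the names and exact behaviour of the eventual Gluster volume options are assumptions here. `demo_forced_group_writable` shows why the "override the requested permissions" variant needs a chmod after the create: the kernel has already applied the umask by then.

```python
import os
import stat
import tempfile


# Assumed model of the proposed volume options, using the smb.conf semantics
# as a stand-in: the requested mode is first reduced by the client umask,
# then AND-ed with "create mask" and OR-ed with "force create mode".
# The real Gluster option names/semantics may differ.
def effective_mode(requested, umask=0o022, create_mask=0o777, force_create_mode=0o000):
    """Return the permission bits a newly created inode ends up with."""
    after_umask = requested & ~umask & 0o7777
    return ((after_umask & create_mask) | force_create_mode) & 0o7777


def new_file_gid(parent_mode, parent_gid, process_egid):
    """Group owner of a new file: inherited from the parent directory when its
    setgid bit is set, otherwise the creating process's effective gid."""
    return parent_gid if parent_mode & stat.S_ISGID else process_egid


def demo_forced_group_writable():
    """Create a file under a 0022 umask, then apply the forced mode the way a
    brick-side override would have to (chmod after the create has happened).
    Returns (mode_after_create, mode_after_force) as plain permission bits."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:      # constructed scratch dir
            path = os.path.join(d, "data.txt")
            fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o666)
            os.close(fd)
            # The kernel applied the umask: 0o666 & ~0o022 -> 0o644 (rw-r--r--)
            created = stat.S_IMODE(os.stat(path).st_mode)
            # "force create mode" of 0o060 adds group rw -> 0o664 (rw-rw-r--)
            wanted = effective_mode(0o666, umask=0o022, force_create_mode=0o060)
            os.chmod(path, wanted)
            forced = stat.S_IMODE(os.stat(path).st_mode)
            return created, forced
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print("umask only:        ", oct(effective_mode(0o666)))
    print("force create 0060: ", oct(effective_mode(0o666, force_create_mode=0o060)))
    print("setgid dir, gid:   ", new_file_gid(0o2775, 1000, 5555))
    print("plain dir, gid:    ", new_file_gid(0o0775, 1000, 5555))
    print("create then force: ", tuple(oct(m) for m in demo_forced_group_writable()))
```

Note that `demo_forced_group_writable` leaves a short window in which the file exists with the umask-reduced mode; a `create mask`-style implementation that changes the umask for the duration of the create (the first variant described above) avoids that window, which is one reason to prefer it where the goal is only to stop the client umask from removing group bits.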