[Gluster-devel] NFSv4 ACLs translation issue from GlusterFS mount

tizo tizone at gmail.com
Tue Mar 29 17:31:17 UTC 2022


It seems to me that Posix ACLs in a mounted glusterfs volume are not
being translated to NFSv4 ACLs at all when exported (kernel NFS).
Exporting a local filesystem with XFS and exactly the same Posix ACLs
works as expected (NFSv4 ACLs are translated right from Posix ACLs).
More details:

OS: Rocky Linux release 8.5 (Green Obsidian)

fstab for the exported directories:

/dev/mapper/vg_kvm_sistema-lv_directo_informatica /exports/directo_informatica      xfs     defaults       0 0
gluster02.fnr.gub.uy:/gv0_inf /exports/gv0_inf/ glusterfs defaults,acl 0 0

Mount for the exported directories:

/dev/mapper/vg_kvm_sistema-lv_directo_informatica on /exports/directo_informatica type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
gluster02.fnr.gub.uy:/gv0_inf on /exports/gv0_inf type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,allow_other,max_read=131072)

exports file:

/exports *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,fsid=0)
/exports/directo_informatica *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,mountpoint)
/exports/gv0_inf *(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,mountpoint,fsid=2)

Exported directories ACLs:

# getfacl /exports/directo_informatica/
getfacl: Removing leading '/' from absolute path names
# file: exports/directo_informatica/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:informatica@adtest.fnr.gub.uy:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:informatica@adtest.fnr.gub.uy:rwx
default:mask::rwx
default:other::---

# getfacl /exports/gv0_inf/
getfacl: Removing leading '/' from absolute path names
# file: exports/gv0_inf/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:informatica@adtest.fnr.gub.uy:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:informatica@adtest.fnr.gub.uy:rwx
default:mask::rwx
default:other::---

Directories mounted remotely (same server for the tests):

gluster02.adtest.fnr.gub.uy:/directo_informatica on /prueba2 type nfs4 (rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.2.100.8,local_lock=none,addr=10.2.100.8)
gluster02.adtest.fnr.gub.uy:/gv0_inf on /prueba type nfs4 (rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.2.100.8,local_lock=none,addr=10.2.100.8)

NFSv4 ACLs remotely:

$ nfs4_getfacl /prueba2
# file: /prueba2
A::OWNER@:rwaDxtTcCy
A::root@idmpru.fnr.gub.uy:rwaDxtcy
A::GROUP@:rxtcy
A:g:root@idmpru.fnr.gub.uy:rxtcy
A:g:informatica@adtest.fnr.gub.uy@idmpru.fnr.gub.uy:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:root@idmpru.fnr.gub.uy:rwaDxtcy
A:fdi:GROUP@:rxtcy
A:fdig:root@idmpru.fnr.gub.uy:rxtcy
A:fdig:informatica@adtest.fnr.gub.uy@idmpru.fnr.gub.uy:rwaDxtcy
A:fdi:EVERYONE@:tcy

$ nfs4_getfacl /prueba
# file: /prueba
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy

I have tried other alternatives with different results, but none
solved my problem completely. For example, with NFS Ganesha it seems
there is an idmap problem. Anyway, I've been talking about it with
Strahil Nikolov and he pointed out that as my case was a complex one I
should write to this list. Despite that, I tried to present it in the
simplest way I could, avoiding details about the users and the
authentication systems, as it seems to me that with kernel NFS the
problem is related to Posix to NFSv4 ACLs translation.

Any help is appreciated. Thanks very much.
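
A check for the symptom reported above, as an added example that is not part of the original post: it lists the named POSIX ACL entries that have no matching allow ACE in the NFSv4 ACL the client sees. The sample ACLs are abbreviated from the listings in the post; the function names are hypothetical, and mapping each POSIX name to name@idmpru.fnr.gub.uy is an assumption taken from how the XFS export shows its principals.

```python
# Added example (not from the original post). Sample ACLs abbreviated from its listings.
SPECIAL = {"OWNER@", "GROUP@", "EVERYONE@"}
POSIX_ACL = """user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:informatica@adtest.fnr.gub.uy:rwx
mask::rwx
other::---
default:user:root:rwx"""
NFS4_XFS = """A::OWNER@:rwaDxtTcCy
A::root@idmpru.fnr.gub.uy:rwaDxtcy
A::GROUP@:rxtcy
A:g:root@idmpru.fnr.gub.uy:rxtcy
A:g:informatica@adtest.fnr.gub.uy@idmpru.fnr.gub.uy:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:root@idmpru.fnr.gub.uy:rwaDxtcy"""
NFS4_GLUSTER = """A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy"""

def posix_named_entries(getfacl_text):
    """Named user/group entries of the access ACL (default: entries are skipped)."""
    named = set()
    for line in map(str.strip, getfacl_text.splitlines()):
        if not line or line.startswith(("#", "default:")):
            continue
        tag, name, _perms = line.split(":", 2)
        if tag in ("user", "group") and name:
            named.add((tag, name))
    return named

def nfs4_named_aces(nfs4_text):
    """Named principals of allow ACEs that apply to the object itself."""
    aces = set()
    for line in map(str.strip, nfs4_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        ace_type, flags, principal, _perms = line.split(":", 3)
        if ace_type != "A" or "i" in flags or principal in SPECIAL:
            continue  # non-allow ACEs, inherit-only ACEs, OWNER@/GROUP@/EVERYONE@
        aces.add(("group" if "g" in flags else "user", principal))
    return aces

def missing_translations(getfacl_text, nfs4_text, idmap_domain):
    """POSIX named entries with no NFSv4 ACE for name@idmap_domain (assumed mapping)."""
    have = nfs4_named_aces(nfs4_text)
    return sorted(e for e in posix_named_entries(getfacl_text)
                  if (e[0], f"{e[1]}@{idmap_domain}") not in have)
```

With the XFS export the result is empty; with the GlusterFS export all three named entries are reported as missing.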

