[Gluster-users] NFSv4 permissions issues with an exported glusterfs
tizo
tizone at gmail.com
Mon Mar 21 17:21:22 UTC 2022
I have posted this problem exactly in Server Fault and in Linux NFS,
but it has not been answered yet. Maybe you can help me.
I have a situation with kernel NFS server. I have two exports with
exactly the same ACLs, with full permissions for the
informatica at adtest.xx.xx.xx group. One is
/exports/directo_informatica/, which is the mount point for an LV with
XFS, and the other is /exports/gv0_inf/, which is the mount point for
a glusterfs. The first export works right when mounting it remotely
with NFS, and accessing it with a user of the group
informatica at adtest.xx.xx.xx. The second one doesn't: it can be mounted
correctly, but when trying to access it with the same user it gives
"Permission denied".
If I access directly to the NFS server (ssh) with the same user of the
previous tests, I can access both directories inside /exports/ without
problems. More details at following:
OS: Rocky Linux release 8.5 (Green Obsidian)
fstab for the exported directories:
/dev/mapper/vg_kvm_sistema-lv_directo_informatica
/exports/directo_informatica xfs defaults 0 0
glustersrv02.xx.xx.xx:/gv0_inf /exports/gv0_inf/ glusterfs defaults,acl 0 0
Mount for the exported directories:
/dev/mapper/vg_kvm_sistema-lv_directo_informatica on
/exports/directo_informatica type xfs
(rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
glustersrv02.xx.xx.xx:/gv0_inf on /exports/gv0_inf type fuse.glusterfs
(rw,relatime,user_id=0,group_id=0,allow_other,max_read=131072)
exports file:
/exports
*(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,fsid=0)
/exports/directo_informatica
*(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,mountpoint)
/exports/gv0_inf
*(sec=krb5p,secure,rw,sync,no_wdelay,no_subtree_check,root_squash,mountpoint,fsid=2)
Exported directories ACLs:
# getfacl /exports/directo_informatica/
getfacl: Removing leading '/' from absolute path names
# file: exports/directo_informatica/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:informatica at adtest.xx.xx.xx:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:informatica at adtest.xx.xx.xx:rwx
default:mask::rwx
default:other::---
# getfacl /exports/gv0_inf/
getfacl: Removing leading '/' from absolute path names
# file: exports/gv0_inf/
# owner: root
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:informatica at adtest.xx.xx.xx:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:informatica at adtest.xx.xx.xx:rwx
default:mask::rwx
default:other::---
Directories mounted remoteley:
gluster02.adtest.xx.xx.xx:/directo_informatica on /prueba2 type nfs4
(rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.2.100.8,local_lock=none,addr=10.2.100.8)
gluster02.adtest.xx.xx.xx:/gv0_inf on /prueba type nfs4
(rw,relatime,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.2.100.8,local_lock=none,addr=10.2.100.8)
NFSv4 ACLs remotely:
$ nfs4_getfacl /prueba2
# file: /prueba2
A::OWNER@:rwaDxtTcCy
A::root at idmpru.fnr.gub.uy:rwaDxtcy
A::GROUP@:rxtcy
A:g:root at idmpru.fnr.gub.uy:rxtcy
A:g:informatica at adtest.xx.xx.xx@idmpru.xx.xx.xx:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:root at idmpru.xx.xx.xx:rwaDxtcy
A:fdi:GROUP@:rxtcy
A:fdig:root at idmpru.xx.xx.xx:rxtcy
A:fdig:informatica at adtest.xx.xx.xx@idmpru.xx.xx.xx:rwaDxtcy
A:fdi:EVERYONE@:tcy
$ nfs4_getfacl /prueba
# file: /prueba
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy
The only additional question for this list, is if you think that this
problem could be avoided with NFS Ganesha.
Any help is appreciated. Thanks very much.
More information about the Gluster-users
mailing list