Stephen,

(And Helge, some interesting SMB stuff at the very end),

The answer is no, it won't cause a conversion or take a long time, but that is a bit of speculation based on the documentation...

--- inexplicably long answer below ---

The GPFS documentation quite clearly states that ACL's are managed on a per file basis, so you may have intermingled POSIX and NFS4 ACL's. Past versions going back to 3.1 seem to indicate they work the same way.

https://www.ibm.com/docs/en/spectrum-scale/4.2.0?topic=lists-nfs-v4-acl-administration

A simple test:

    $ mmlsfs ${FS} -k
    flag                value                    description
    ------------------- ------------------------ -----------------------------------
     -k                 all                      ACL semantics in effect

    $ touch nfsv4acl posixacl
    $ mmgetacl -k nfs4 nfsv4acl | mmputacl nfsv4acl
    $ mmgetacl -k posix posixacl | mmputacl posixacl

    $ mmgetacl nfsv4acl
    #NFSv4 ACL
    #owner:XXXXXXXXXXXX
    #group:XXX
    special:owner@:rw-c:allow
     (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
     (-)DELETE (-)DELETE_CHILD (X)CHOWN (-)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
    ...

    $ mmgetacl posixacl
    #owner:XXXXXXXXXXX
    #group:XXX
    user::rw-c
    ...

    $ mmgetacl -k nfs4 posixacl
    #NFSv4 ACL
    #owner:XXXXXXXXXXXX
    #group:XXX
    special:owner@:rw-c:allow
     (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
    ...

The man page for -k indicates that the user can't *ASSIGN* these ACL's; it doesn't state that it won't serve or store them, so going to a more restricted mode doesn't seem to indicate that it would remove the existing ACL's. It also doesn't indicate that any conversion is happening in any circumstance (from a mmchfs).

Finally the mmgetacl command has a man page that explains EXACTLY what is going on:

1. By default, mmgetacl returns the ACL in a format consistent with the file system setting, specified using the -k flag on the mmcrfs or mmchfs commands. If the setting is posix, the ACL is shown as a traditional ACL. If the setting is nfs4, the ACL is shown as an NFS V4 ACL. If the setting is all, the ACL is returned in its true form.
2. The command mmgetacl -k nfs4 always produces an NFS V4 ACL.
3. The command mmgetacl -k posix always produces a traditional ACL.
4. The command mmgetacl -k native always shows the ACL in its true form regardless of the file system setting.

So the short answer is after changing -k to nfsv4 it seems mmgetacl would intuit that you want to see ACL's in nfsv4 format since POSIX isn't allowed. But you can run mmgetacl -k native to see what ACL was (and continues to be) stored for the file object.

I can't change any of my FS's to not be -k all, so I couldn't test out my mmgetacl assertions. Maybe I got some details wrong here but this one seems pretty straightforward based on the documentation.

Also I'm not sure I'd say that a mention of a flag embedded in a ksh script is "documented" but I expect it is more related to how SMB integrates to Spectrum Scale and perhaps there is some secret sauce leveraged here. We don't do SMB on Scale, but if we were, this would be an interesting read: https://manpages.debian.org/testing/samba-vfs-modules/vfs_gpfs.8.en.html.

Alec

On Tue, Aug 30, 2022 at 3:03 AM Helge Hauglin <[email protected]> wrote:

> Hi Stephen.
>
> > Also I didn't mention that we also need NFSv4 access and
> > native GPFS, this will not be SMB-only. It will actually be mostly
> > GPFS native.
>
> Beware that when writing via SMB, samba default permissions will be applied
> to new files and folders, which might not give the permissions your
> users need.
>
> On our CES clusters, the samba default permission is 0755 / 0744 [1].
> We want either 0770 or 0775 by default. This we get by setting these
> permissions in NFSv4 ACLs in relevant folders, plus turn on inheritance
> for the ACEs to new files and folders. The side effect of having NFSv4
> ACLs with inheritance is that 'umask' in processes writing via GPFS or
> NFS is ignored. I have not tried, but I guess it works similarly with
> POSIX ACLs.
>
> [1]
>
> | # testparm -s -v | grep mask
> | Load smb config files from /var/mmfs/ces/smb.conf
> | [...]
> | create mask = 0744
> | directory mask = 0755
>
> > I don't think existing ACLs will be adversely
> > affected. In a test filesystem with "-k all" I set some POSIX ACLs and
> > converted the filesystem to "-k nfs4" and the result looked
> > reasonable. Plus I ran mmgetacl -k nfs4 on numerous files/dirs with
> > POSIX ACLs in our production filesystem and the results looked
> > promising.
>
> I would recommend standardizing on one type of ACLs, which will give you
> fewer variants to deal with, simplifying administration.
>
> --
> Regards,
>
> Helge Hauglin
>
> ----------------------------------------------------------------
> Mr. Helge Hauglin, Senior Engineer
> System administrator
> Center for Information Technology, University of Oslo, Norway
>
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at gpfsug.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org
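An added example, not part of either message and not IBM tooling: shell functions that inventory which ACL type each object actually stores, keyed on the `mmgetacl -k native` header lines visible in the session above, and that note whether NFSv4 ACEs carry inheritance. The function names, sample listings and paths are constructed, and the `FileInherit`/`DirInherit` flag spelling is an assumption that does not appear in the thread.

```shell
#!/bin/sh
# Added example: classify `mmgetacl -k native` listings by stored ACL type.

# acl_kind: read one listing on stdin, print nfs4 | posix | unknown.
# NFSv4 listings begin with "#NFSv4 ACL"; traditional ones with "#owner:".
acl_kind() {
    awk 'NF == 0       { next }
         /^#NFSv4 ACL/ { print "nfs4";  found = 1; exit }
         /^#owner:/    { print "posix"; found = 1; exit }
                       { exit }
         END           { if (!found) print "unknown" }'
}

# has_inherit: succeed if an ACE line carries an inheritance flag
# (flag spelling is an assumption; it does not appear in the thread).
has_inherit() {
    grep -Eq '^(special|user|group):[^ ]*:(allow|deny):.*(FileInherit|DirInherit)'
}

# tally: read "<kind><TAB><path>" lines, print counts per stored ACL type.
tally() {
    awk -F'\t' '{ n[$1]++ }
        END { printf "nfs4=%d posix=%d unknown=%d\n",
                     n["nfs4"], n["posix"], n["unknown"] }'
}

# scan_tree DIR: emit "<kind><TAB><path>" per object under DIR.
# Needs a GPFS node with mmgetacl, so the offline demo does not call it.
scan_tree() {
    find "$1" -print | while IFS= read -r p; do
        kind=$(mmgetacl -k native "$p" 2>/dev/null | acl_kind)
        printf '%s\t%s\n' "$kind" "$p"
    done
}

# Constructed sample listings, abbreviated; not output from a real cluster.
sample_nfs4() {
    printf '%s\n' '#NFSv4 ACL' '#owner:alice' '#group:staff' \
        'special:owner@:rwxc:allow:FileInherit:DirInherit' \
        ' (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE'
}
sample_posix() {
    printf '%s\n' '#owner:alice' '#group:staff' \
        'user::rw-c' 'group::r---' 'other::----'
}

# Demo: two constructed paths, one per ACL type.
{ printf '%s\t/fs/demo/a\n' "$(sample_nfs4 | acl_kind)"
  printf '%s\t/fs/demo/b\n' "$(sample_posix | acl_kind)"; } | tally
```

On a GPFS node, `scan_tree /path | tally` gives the same summary for a real tree, which shows how many objects still store traditional ACLs before the `-k` setting is changed with mmchfs.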
