Thanks Fred, Yes I have played with –allow-permission-change. It basically allows permissions to be changed by 1) chmod only or 2) set ACL only, or 3) either. So if you allow either, then chmod replaces any nfs4 ACL with the traditional Unix permission bits. I played with “setaclonly” and it disables the C library chmod() call so it returns an error code. So the chmod command fails with an error. Depending on its options rsync prints errors, in particular “rsync -a” which tries to preserve permissions. cp -r works fine.
Apparently SS supports three styles of permisisons: classic Unix mode bits, posix ACLs, or nfs4 ACLs. (Classic may just be a subset of posix ACLs) If you have a file with a nfs4 ACL and call chmod() on it, then that converts the nfs4 ACL to classic Unix mode bits. If you run mmgetacl -k native you see what looks like a posix ACL but it only has entries for user::, group::, and other::. And the nfs4 representation is analogous with special:owner@, special:group@, and special:everyone@. If you start with a posix ACL and call chmod() then you get the expected posix behavior. Chmod may modify the user::, mask::, and other:: entries but it leaves any other posix ACL entries intact. (Of course the mask:: may effectively remove permissions from some ACL entries.) Steve Losen Research Computing University of Virginia [email protected]<mailto:[email protected]> 434-924-0640 From: gpfsug-discuss <[email protected]> on behalf of Frederick Stock <[email protected]> Reply-To: gpfsug main discussion list <[email protected]> Date: Thursday, September 29, 2022 at 3:59 PM To: gpfsug main discussion list <[email protected]> Subject: Re: [gpfsug-discuss] Changing filesystem from -k all to -k nfs4 with mmchfs There is a setting at the fileset level (mmcrfileset/mmchfilest), --allow-permission-change, that allows you to control how ACLs and permission bits interact, including having both on a file. Fred Fred Stock, Spectrum Scale Development Advocacy [email protected]<mailto:[email protected]> | 720-430-8821 From: gpfsug-discuss <[email protected]> on behalf of Losen, Stephen C (scl) <[email protected]> Date: Thursday, September 29, 2022 at 3:16 PM To: gpfsug main discussion list <[email protected]> Subject: [EXTERNAL] [gpfsug-discuss] Changing filesystem from -k all to -k nfs4 with mmchfs Hi folks, Recently I asked what happens when you use “mmchfs -k nfs4” when you already have numerous files (we have millions) with posix ACLs. I have discovered the answer – NOTHING. No existing ACLs change. However, you cannot feed posix ACLs ZjQcmQRYFpfptBannerStart This Message Is From an External Sender This message came from outside your organization. ZjQcmQRYFpfptBannerEnd Hi folks, Recently I asked what happens when you use “mmchfs -k nfs4” when you already have numerous files (we have millions) with posix ACLs. I have discovered the answer – NOTHING. No existing ACLs change. However, you cannot feed posix ACLs to mmputacl, it only accepts nfs4 ACLs. You cannot run setfacl, it fails. If you run mmgetacl it shows the ACL in nfs4 format. But if you use mmgetacl -k native it shows you the “real” ACL, which may be a posix ACL. If you have a default posix ACL set on a directory, new files inherit from the posix ACL and they themselves end up with a posix ACL. The behavior of chmod is different. If a file has a nfs4 ACL then chmod destroys it and replaces it with a nfs4 ACL that essentially mimics the permissions set by the chmod command. In particular, the new ACL only has ACEs for special:owner@, special:group@, and special:everyone@. Any other ACEs are lost. However, if the file has a posix ACL, then chmod works as expected for a posix ACL. It does not completely replace the ACL, but it may change the mask:: entry or the user:: entry or the other:: entry. If you set a nfs4 ACL on a file with a posix ACL, then it converts to a nfs4 ACL (mmgetacl -k native outputs the nfs4 ACL). Needless to say this is all rather confusing, but we had to run mmchfs -k nfs4 in order to enable SMB access, which we need. Steve Losen Research Computing University of Virginia [email protected]<mailto:[email protected]> 434-924-0640
_______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at gpfsug.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org
