I know I am missing something here and it is probably due to lack of experience 
dealing with ACLs, as all other storage we distil down to just POSIX UGO 
permissions.

We have Windows native clients creating data.  There are SMB clients of various 
flavors accessing data via CES.  Then there are Linux native clients that 
interface between gpfs and other NFS filers for data movement.

What I am running into is around inheriting permissions so that Windows native 
and SMB clients have access based on the users' group membership that remains 
sane, while also being able to migrate files off to NFS filers with reasonable 
POSIX permissions.

Here is the top level directory that is the lab name and there is a matching 
group.  That directory is the highest point where an ACL has been set with 
inheritance.  The directory listed is one created from a Windows native client. 
The issue I am running into is that the largec7 directory that was created is 
having the POSIX permissions set to nothing for the owner.  The ACL that 
results is okay, but when that folder or anything in it is synced off to another 
filer that only has the basic POSIX permissions it acts kinda wonky.  The user 
was able to fix up his files on the other filer because he was still the owner, 
but I would like to make it work properly.


[root@gpfs-dm1 smith]# ls -la
drwxrwsr-x 84 root  smith       16384 Oct 30 23:22 .
d---rwsr-x  2 tim   smith        4096 Oct 30 23:22 largec7
drwx--S---  2 tim   smith        4096 Oct 24 00:17 CFA1

[root@gpfs-dm1 smith]# mmgetacl .
#NFSv4 ACL
#owner:root
#group:smith
special:owner@:rwxc:allow:FileInherit:DirInherit
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  
(X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL 
(X)WRITE_ATTR (X)WRITE_NAMED

special:group@:rwxc:allow:FileInherit:DirInherit
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  
(X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL 
(X)WRITE_ATTR (X)WRITE_NAMED

special:everyone@:r-x-:allow:FileInherit:DirInherit
(X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  
(X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL 
(-)WRITE_ATTR (-)WRITE_NAMED

[root@gpfs-dm1 smith]# mmgetacl largec7
#NFSv4 ACL
#owner:tim
#group:smith
#ACL flags:
#  DACL_PRESENT
#  DACL_AUTO_INHERITED
#  SACL_AUTO_INHERITED
user:root:rwxc:allow:FileInherit:DirInherit:Inherited
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  
(X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL 
(X)WRITE_ATTR (X)WRITE_NAMED

special:group@:rwxc:allow:FileInherit:DirInherit:Inherited
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  
(X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL 
(X)WRITE_ATTR (X)WRITE_NAMED

special:everyone@:r-x-:allow:FileInherit:DirInherit:Inherited
(X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  
(X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL 
(-)WRITE_ATTR (-)WRITE_NAMED

In contrast the CFA1 directory was created prior to the file and directory 
inheritance being put in place.  That worked okay as long as it was only that 
user but the lack of group access is a problem and what led to trying to sort 
out the inherited ACLs in the first place.

[root@gpfs-dm1 smith]# ls -l
drwx--S---  2 tim   smith        4096 Oct 24 00:17 CFA1

[root@gpfs-dm1 smith]# mmgetacl CFA1
#NFSv4 ACL
#owner:tim
#group:smith
#ACL flags:
#  DACL_PRESENT
#  DACL_AUTO_INHERITED
#  SACL_AUTO_INHERITED
special:owner@:rwxc:allow
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  
(X)READ_ATTR  (X)READ_NAMED
(X)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL 
(X)WRITE_ATTR (X)WRITE_NAMED

user:15000001:rwxc:allow
(X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  
(X)READ_ATTR  (X)READ_NAMED
(X)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL 
(X)WRITE_ATTR (X)WRITE_NAMED

user:15000306:r-x-:allow
(X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  
(X)READ_ATTR  (X)READ_NAMED
(-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL 
(-)WRITE_ATTR (-)WRITE_NAMED

Thank you for any suggestions.


--
Rob Lines
Sr. HPC Engineer
HHMI Janelia Research Campus

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
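Added example (not part of the post above, and not GPFS or Spectrum Scale code): a small checker that parses the ACE summary lines of `mmgetacl` output and synthesizes the POSIX owner/group/other bits from them, so that directories whose owner class ends up with no mode bits can be found before they are synced to a POSIX-only filer. It assumes, consistently with the `ls -la` output in the post, that the displayed owner bits come only from an `owner@` ACE or a `user:` ACE naming the current owner, the group bits from `group@` or a `group:` ACE naming the owning group, and the other bits from `everyone@`; that mapping is an assumption of this example, not something the post states. The two sample ACLs are constructed from the summary lines shown in the post: on `largec7` the inherited owner entry appears as `user:root` rather than `owner@`, which under that mapping gives the owner `tim` no bits.

```python
"""Synthesize POSIX mode bits from NFSv4 ACL summary lines as printed by mmgetacl."""
import re

# Constructed samples: the ACE summary lines for the two directories in the post.
# The per-permission "(X)READ/LIST ..." detail lines are deliberately omitted.
TOP_DIR_ACL = """\
#NFSv4 ACL
#owner:root
#group:smith
special:owner@:rwxc:allow:FileInherit:DirInherit
special:group@:rwxc:allow:FileInherit:DirInherit
special:everyone@:r-x-:allow:FileInherit:DirInherit
"""

LARGEC7_ACL = """\
#NFSv4 ACL
#owner:tim
#group:smith
#ACL flags:
#  DACL_PRESENT
user:root:rwxc:allow:FileInherit:DirInherit:Inherited
special:group@:rwxc:allow:FileInherit:DirInherit:Inherited
special:everyone@:r-x-:allow:FileInherit:DirInherit:Inherited
"""

# One ACE summary line: type:who:perms:allow|deny[:Flag...]
ACE_RE = re.compile(r"^(special|user|group):([^:]+):([rwxc-]{4}):(allow|deny)((?::\w+)*)$")


def parse_acl(text):
    """Return (owner, group, aces); each ACE is a dict with type, who, perms, kind, flags."""
    owner = group = None
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#owner:"):
            owner = line.split(":", 1)[1]
        elif line.startswith("#group:"):
            group = line.split(":", 1)[1]
        elif line.startswith("#") or not line:
            continue  # other header lines (ACL flags etc.)
        else:
            m = ACE_RE.match(line)
            if not m:
                continue  # "(X)..." detail lines do not match and are skipped
            typ, who, perms, kind, flags = m.groups()
            aces.append({"type": typ, "who": who, "perms": perms, "kind": kind,
                         "flags": [f for f in flags.split(":") if f]})
    return owner, group, aces


def synthesize_mode(owner, group, aces):
    """Assumed mapping: owner bits from owner@ / user:<owner>, group bits from
    group@ / group:<group>, other bits from everyone@. For each bit the first
    applicable ACE that mentions it decides (NFSv4 first-match semantics)."""
    specials = {"owner": "owner@", "group": "group@", "other": "everyone@"}

    def applies(ace, cls):
        if ace["type"] == "special":
            return ace["who"] == specials[cls]
        if cls == "owner":
            return ace["type"] == "user" and ace["who"] == owner
        if cls == "group":
            return ace["type"] == "group" and ace["who"] == group
        return False

    def bits(cls):
        out = ""
        for bit in "rwx":
            granted = False
            for ace in aces:
                if applies(ace, cls) and bit in ace["perms"]:
                    granted = ace["kind"] == "allow"
                    break
            out += bit if granted else "-"
        return out

    return bits("owner") + bits("group") + bits("other")


def check_owner_bits(acl_text):
    """Return (synthesized mode, True if an owner@ ACE is present)."""
    owner, group, aces = parse_acl(acl_text)
    has_owner_ace = any(a["type"] == "special" and a["who"] == "owner@" for a in aces)
    return synthesize_mode(owner, group, aces), has_owner_ace


if __name__ == "__main__":
    for name, acl in ((".", TOP_DIR_ACL), ("largec7", LARGEC7_ACL)):
        mode, has_owner = check_owner_bits(acl)
        note = "" if has_owner else "  <-- no owner@ ACE; owner class gets no mode bits"
        print(f"{name:10s} {mode}{note}")
```

Run against the real tree, the same logic can be fed the output of `mmgetacl` for each directory (for example via `find ... -type d -exec mmgetacl {} \;`) to list every directory that lacks an `owner@` entry, which is the condition that produces the `d---rwsr-x` listing in the post.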