Re: [gpfsug-discuss] Using setfacl vs. mmputacl

[Frederick Stock]

To add to Olaf's response, Scale 4.2 is now out of support, as of October 1, 2020.  I do not know if this behavior would change with a more recent release of Scale but it is worth giving that a try if you can.  The most current release of Scale is 5.1.0.2.

Fred
_______________________________________________________
Fred Stock | Spectrum Scale Development Advocacy | 720-430-8821
sto...@us.ibm.com

 

 

----- Original message -----
From: "Olaf Weiser" <olaf.wei...@de.ibm.com>
Sent by: gpfsug-discuss-boun...@spectrumscale.org
To: gpfsug-discuss@spectrumscale.org
Cc: gpfsug-discuss@spectrumscale.org
Subject: [EXTERNAL] Re: [gpfsug-discuss] Using setfacl vs. mmputacl
Date: Mon, Mar 1, 2021 7:46 AM
 

Hallo Stephen,

 

behavior ... or better to say ... predicted behavior for chmod and ACLs .. is not an easy thing or only  , if  you stay in either POSIX world or NFSv4 world

 

to be POSIX compliant, a chmod overwrites ACLs

 

GPFS was enhanced to ignore overwrites to ACLs on chmod by a parameter.. and I can't remember exactly when, but in your very old version (blink blink, please update) it shoud be already there...  ... .. Then(later) it was even more enhanced to better mitigate between the world's ...

 

You need to have in mind... in case you use kernelNFS ... the linux kernel NFS required a so called lossy mapping ... because at the time of writing the kernel-NFS, there was no linux file system available,  supporting native NFSv4 ACLs... so there was no other way .. than "lossy" map NFSv4 ACLs into POSIX ACLs (long time ago) ...

 

but as always.. everything in IT business has some history.. ;-)

 

later in GPFS, we introduced, that you can fine grained allow behavior of chmod , NFSv4 ACLs, POSIX ACls or both .... -and - do that per file set level

 

--allow-permission-change PermissionChangeMode
        Specifies the new permission change mode. This mode
        controls how chmod and ACL operations are handled on
        objects in the fileset. Valid modes are as follows:

        chmodOnly
                 Specifies that only the UNIX change mode
                 operation (chmod) is allowed to change access
                 permissions (ACL commands and API will not be
                 accepted).

        setAclOnly
                 Specifies that permissions can be changed using
                 ACL commands and API only (chmod will not be
                 accepted).

        chmodAndSetAcl
                 Specifies that chmod and ACL operations are
                 permitted. If the chmod command (or setattr
                 file operation) is issued, the result depends
                 on the type of ACL that was previously
                 controlling access to the object:

                 *  If the object had a Posix ACL, it will be
                    modified accordingly.

                 *  If the object had an NFSv4 ACL, it will be
                    replaced by the given UNIX mode bits.

                 Note:  This is the default setting when a
                 fileset is created.

        chmodAndUpdateAcl
                 Specifies that chmod and ACL operations are
                 permitted. If chmod is issued, the ACL will be
                 updated by privileges derived from UNIX mode
                 bits.

 

hope this helps ..

 

 

----- Original message -----
From: "Losen, Stephen C (scl)" <s...@virginia.edu>
Sent by: gpfsug-discuss-boun...@spectrumscale.org
To: gpfsug main discussion list <gpfsug-discuss@spectrumscale.org>
Cc:
Subject: [EXTERNAL] [gpfsug-discuss] Using setfacl vs. mmputacl
Date: Mon, Mar 1, 2021 1:31 PM
 

Hi folks,
Experimenting with POSIX ACLs on GPFS 4.2 and noticed that the Linux command setfacl clears "c" permissions that were set with mmputacl. So if I have this:

...
group:group1:rwxc
mask::rwxc
...

and I modify a different entry with:

setfacl -m group:group2:r-x dirname

then the "c" permissions above get cleared and I end up with
...
group:group1:rwx-
mask::rwx-
...

I discovered that chmod does not clear the "c" mode. Is there any filesystem option to change this behavior to leave "c" modes in place?

Steve Losen
Research Computing
University of Virginia
s...@virginia.edu   434-924-0640

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
https://urldefense.proofpoint.com/v2/url?u=http-3A__gpfsug.org_mailman_listinfo_gpfsug-2Ddiscuss&d=DwICAg&c=jf_iaSHvJObTbx-siA1ZOg&r=QInBVUG2345zpTXGAPvczeXAfnCgUNXuJEI_-wZlDDs&m=Cb4nCNXx2mpY3MW5kuFoMZe8SsgXt-2_m6k7OMk50v8&s=FxuSoG7O3C3D-I-NblJA4tsPcsXlkF0JGTSormvlYiE&e= 
 

 

 

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
https://urldefense.proofpoint.com/v2/url?u=http-3A__gpfsug.org_mailman_listinfo_gpfsug-2Ddiscuss&d=DwICAg&c=jf_iaSHvJObTbx-siA1ZOg&r=p_1XEUyoJ7-VJxF_w8h9gJh8_Wj0Pey73LCLLoxodpw&m=LhD8G4vGI6iP_cAv61i-8S7oCxTqceBjD2tIjt3Mo4I&s=9zZCf_3LLk7t3bZPMMnQRs6ZAn954cw6MyS1ik-ag5s&e= 

 

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss