Hello everyone,

I have a question about how permissions are handled within lustre for users that 
are not known to the lustre servers.  We came across this while configuring a 
new web server (apache).  For various reasons, we decided to mount our lustre 
filesystem on the web server and use it to host the files we want to serve.  
During the initial setup of the web server, we were using a document root 
pointing to either local storage or an NFS filesystem and everything was 
working fine.  But when we tried to host files on the lustre filesystem, we’d 
get permission denied errors, even though the files and all directories in the 
path had permissions that should have made them readable to anyone (go+rX).  
After digging a little more, the httpd processes were being run under the 
“apache” user, which had a numerical UID and GID on the web server that was 
neither in the local /etc/passwd on our lustre servers nor in our LDAP (UID=GID=48 
if it makes a difference).  We are aware that the files on the web server need 
to be readable by the service account running the httpd processes but they 
should have been with the 644/755 permissions.  We were able to verify that 
manually becoming the “apache” user on the web server would indeed produce 
“permission denied” errors when trying to manually list directory contents on 
the lustre filesystem.  Getting more information has been a challenge since we 
are getting nothing in the logs at all – we’ve checked /var/log/messages and 
/var/log/secure on both the lustre client (web server) and the lustre servers.  
In order to get lustre-hosted files working we had to add a service account to 
our LDAP and run the httpd processes with that account.  Our web server is also 
joined to our LDAP so this way the service account is known by both the web 
server and lustre servers, which are also joined to our LDAP.  Our lustre 
servers are using mdt.*.identity_upcall=/usr/sbin/l_getidentity and we are 
running lustre servers and clients based on 2.14.

Is this really the expected behavior?  Will lustre refuse access to files with 
644/755 permissions if the user (i.e. UID/GID)  is unknown to the servers?

Thanks,
Darby
_______________________________________________
lustre-discuss mailing list
[email protected]
http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org
