Ah, that might be an issue. It’s hard to gets POSIX<->NFS V4 ACL conversion as 
best as possible (again, impossible to make it perfect, even for POSIX->NFS V4).


It would be good to fix all these conversion issues (without copying code from 
the kernel – note the license differences…)




From: Sagar M D [mailto:sagar...@gmail.com] 
Sent: Wednesday, February 21, 2018 10:12 PM
To: Sriram Patil <srir...@vmware.com>
Cc: Frank Filz <ffilz...@mindspring.com>; Supriti Singh 
<supriti.si...@suse.com>; nfs-ganesha-devel@lists.sourceforge.net
Subject: Re: [Nfs-ganesha-devel] ACL support




Kernel nfs reorders the ACE in ACL and i think it puts more restrictive ACEs 
first in the list. But i see NFS Ganesha is not doing it,is reordering the 
responsibility of  FSAL ?

Is there any plans to support reordering ?





On Mon, Feb 19, 2018 at 11:43 AM, Sagar M D <sagar...@gmail.com 
<mailto:sagar...@gmail.com> > wrote:



Setting ATTR_ACL in supported_attrs helped. Now I could able to get the V4 
ACLs. Thanks!.


Currently we are doing what you are suggesting i.e we are persistently saving 
the in-memory representation of ganesha NFSV4 ACL on disk.

And I'm not sure whether we are ready to check in our fsal into ganesha yet. We 
will discuss this internally.



On Fri, Feb 16, 2018 at 9:21 PM, Sriram Patil <srir...@vmware.com 
<mailto:srir...@vmware.com> > wrote:

Thank you for the correction, Frank.


Sagar, there are a couple of more things that you have not mentioned yet,


1.      Have you set ATTR_ACL in supported_attrs field of your FSALs static 
fsinfo? (check usage of function nfs4_Fattr_Supported to know why this is 
2.      You may also want to take a look at ENABLE_RFC_ACL flag. This is not 
for enabling ACLs but it is used for access checks in fsal_check_access_acl.


- Sriram


From: Frank Filz <ffilz...@mindspring.com <mailto:ffilz...@mindspring.com> >
Date: Friday, February 16, 2018 at 8:19 PM
To: Sriram Patil <srir...@vmware.com <mailto:srir...@vmware.com> >, 'Sagar M D' 
<sagar...@gmail.com <mailto:sagar...@gmail.com> >, 'Supriti Singh' 
Cc: "nfs-ganesha-devel@lists.sourceforge.net 
<mailto:nfs-ganesha-devel@lists.sourceforge.net> " 
<mailto:nfs-ganesha-devel@lists.sourceforge.net> >
Subject: RE: [Nfs-ganesha-devel] ACL support


It isn’t quite true that NFS v4 ACLs are a superset of POSIX ACLs, but that’s 
another detail.


Sriram is right, Ganesha doesn’t support the NFS v3 sideband protocol for POSIX 
ACLs. At this point Ganesha has the following support for ACLs:


FSAL_GLUSTER has a translation from client side NFS v4 ACLs to server side 
POSIX ACLs. In V2.7 we plan to move this support to the FSAL common code so it 
is available to more FSALs (and we will hook it up for FSAL_VFS at that point). 
Note that the conversion is not perfect due to NFS v4 ACLs not actually being a 
superset of POSIX ACLs.


FSAL_GPFS has native support for NFS v4 ACLs.


At this time Ganesha is only set up to handle NFS v4 ACLs via the FSAL API. If 
your file system can support NFS v4 ACLs natively, then all you need to do is 
provide a mechanism to transfer between Ganesha’s in memory representation of 
an NFS v4 ACL and your on-disk representation. If your file system can only 
support POSIX ACLs, then you will need the translation code from FSAL_GLUSTER 
(or write your own).


I’d also like to add my usual plug, if you have an out of tree FSAL, we 
encourage you to submit your FSAL into the tree. That allows us a better 
understanding of how Ganesha is being used, and we are less likely to change 
APIs in a way that breaks your FSAL (or we will change your FSAL with the API 




From: Sriram Patil [mailto:srir...@vmware.com <mailto:srir...@vmware.com> ] 
Sent: Friday, February 16, 2018 2:51 AM
To: Sagar M D <sagar...@gmail.com <mailto:sagar...@gmail.com> >; Supriti Singh 
<supriti.si...@suse.com <mailto:supriti.si...@suse.com> >
Cc: nfs-ganesha-devel@lists.sourceforge.net 
Subject: Re: [Nfs-ganesha-devel] ACL support


Hi Sagar,


I see in your conf file that you are using NFSv4. POSIX acls do not work on 
NFSv4. NFSv4 acls are a superset of POSIX acls. For using NFSv4 acls you need 
to use nfs4_getfacl and nfs4_setfacl commands from the client. You can find 
these commands in nfs4-acl-tools package.


- Sriram


From: Sagar M D <sagar...@gmail.com <mailto:sagar...@gmail.com> >
Date: Friday, February 16, 2018 at 3:20 PM
To: Supriti Singh <supriti.si...@suse.com <mailto:supriti.si...@suse.com> >
Cc: "nfs-ganesha-devel@lists.sourceforge.net 
<mailto:nfs-ganesha-devel@lists.sourceforge.net> " 
Subject: Re: [Nfs-ganesha-devel] ACL support


I quickly checked on VFS FSAL using below EXPORT block. I see same issue on vfs 
fsal also. Any suggestion here please ?

Operation to request attribute not supported.
Failed to instantiate ACL.

        Export_Id = 77;

# Exported path (mandatory)
        Path = /home;

# Pseudo Path (required for NFS v4)
        Pseudo = /home;

# Required for access (default is None)
# Could use CLIENT blocks instead
        Access_Type = RW;
        Disable_ACL = FALSE;
        NFS_Protocols = 4;
        Squash = no_root_squash;

# Exporting FSAL
        FSAL {
                Name = VFS;





On Fri, Feb 16, 2018 at 2:25 PM, Sagar M D <sagar...@gmail.com 
<mailto:sagar...@gmail.com> > wrote:



We are testing our own FSAL.





On Fri, Feb 16, 2018 at 2:15 PM, Supriti Singh <supriti.si...@suse.com 
<mailto:supriti.si...@suse.com> > wrote:

Hi Sagar,

Which FSAL are you using? 




Supriti Singh  

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,

HRB 21284 (AG Nürnberg)

>>> Sagar M D <sagar...@gmail.com <mailto:sagar...@gmail.com> > 02/16/18 9:15 
>>> AM >>>


We are setting below value in our EXPORT block to enable ACL.
Disable_ACL = FALSE;

However when try to do any ACL operation it throws get below error:-
Operation to request attribute not supported.
Failed to instantiate ACL.

On further analysis, i found that getattr call on our fsal  export's root 
folder is returning 3 (ALLOW | DENY) in aclsupport field. But getattr call on 
pseudo export is returning "0" in aclsupport field.



Is there anything else in fsal to be taken care to enable acls ?









Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Nfs-ganesha-devel mailing list

Reply via email to