From: Tim Rafert <tim.rafert@oracle.com>
To: linux-nfs@vger.kernel.org
Subject: ACL and NFSv4 expectations
Date: Fri, 22 Nov 2013 11:34:04 -0800 (PST)
Message-ID: <931f1e06-eca3-4f12-ad8a-99a93442409a@default>

Looking for assistance on whether the following are REAL issues or expected behavior using NFSv4 ACLs (on Linux OL6, interoperating with Solaris).  Thanks in advance.

1) Is there a max # of entries that can be stored in an ACL?  If so - what is it (or is it dependent on the device)?

2) Is it up to my own implementation, instead of the "NFS Client" on the OS, to try and keep the ACLs clean/organized/etc.?  See my next question for further clarification.

3) If a user adds the same ACE into an ACL multiple times - then is it actually added multiple times?  For example:
 
bash-4.1$ nfs4_setfacl -aA:fd:OWNER@:rwaDdxtTnNCo,A:fdi:EVERYONE@:rxtncy,D::EVERYONE@:DT,A::user1@xyz.com:rwaxtc exampleDir
bash-4.1$ nfs4_getfacl exampleDir
A:fd:OWNER@:rwaDdxtTnNCo
A:fdi:EVERYONE@:rxtncy
D::EVERYONE@:DT
A::user1@xyz.com:rwaxtc
A:fdig:GROUP@:rxtncy
A:fdi:EVERYONE@:rxtncy
A::OWNER@:rwaDxtTnNcCoy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
bash-4.1$ nfs4_setfacl -aA:fd:OWNER@:rwaDdxtTnNCo,A:fdi:EVERYONE@:rxtncy,D::EVERYONE@:DT,A::user1@xyz.com:rwaxtc exampleDir
bash-4.1$ nfs4_getfacl exampleDir
A:fd:OWNER@:rwaDdxtTnNCo
A:fdi:EVERYONE@:rxtncy
D::EVERYONE@:DT
A::user1@xyz.com:rwaxtc
A:fd:OWNER@:rwaDdxtTnNCo
A:fdi:EVERYONE@:rxtncy
D::EVERYONE@:DT
A::user1@xyz.com:rwaxtc
A:fdig:GROUP@:rxtncy
A:fdi:EVERYONE@:rxtncy
A::OWNER@:rwaDxtTnNcCoy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy

4) ACL "caching" - it appears that if from one client-host - a user alters the ACL and then from another client-host - a user also alters the ACL - then one of the alterations can be lost (if they are within a minute or some cache timeframe).  For example:
 
From a Linux host:
bash-4.1$ mkdir nfscache
bash-4.1$
bash-4.1$
bash-4.1$ nfs4_getfacl nfscache
A:fdig:GROUP@:rxtncy
A:fdi:EVERYONE@:rxtncy
A::OWNER@:rwaDxtTnNcCoy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
bash-4.1$ nfs4_setfacl -a A::user1@xyz.com:rwaxtc nfscache
bash-4.1$ nfs4_getfacl nfscache
A::user1@xyz.com:rwaxtc
A:fdig:GROUP@:rxtncy
A:fdi:EVERYONE@:rxtncy
A::OWNER@:rwaDxtTnNcCoy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
 
Then from Solaris host (we see "user1" was correctly added - but then we add another user: "user2"):
bash-4.1$ ls -aldV nfscache/
drwxr-xr-x+  2 trafert  pditdba        2 Oct 30 19:26 nfscache/
            user:user1:rwxp--a---c---:-------:allow
                 group@:r-x---a-R-c--s:fdi----:allow
              everyone@:r-x---a-R-c--s:fdi----:allow
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow
bash-4.1$ chmod A+user:user2:rwxp--a---c---::allow nfscache
bash-4.1$ ls -aldV nfscache/
drwxr-xr-x+  2 trafert  pditdba        2 Oct 30 19:26 nfscache/
             user:user2:rwxp--a---c---:-------:allow
             user:user1:rwxp--a---c---:-------:allow
                 group@:r-x---a-R-c--s:fdi----:allow
              everyone@:r-x---a-R-c--s:fdi----:allow
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow
 
 
Then come back to the Linux host (we only see the original setting where "user1" was added - "user2" is missing).  Then we add another user, "user3".  At which point the "user2" addition is completely lost on either host:
 
bash-4.1$ nfs4_getfacl nfscache
A::user1@xyz.com:rwaxtc
A:fdig:GROUP@:rxtncy
A:fdi:EVERYONE@:rxtncy
A::OWNER@:rwaDxtTnNcCoy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
bash-4.1$ nfs4_setfacl -a A::user3@xyz.com:rwaxtc nfscache
bash-4.1$ nfs4_getfacl nfscache
A::user3@xyz.com:rwaxtc
A::user1@xyz.com:rwaxtc
A:fdig:GROUP@:rxtncy
A:fdi:EVERYONE@:rxtncy
A::OWNER@:rwaDxtTnNcCoy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
 
Back on Solaris - "user2" is also lost:
bash-4.1$ ls -aldV nfscache/
drwxr-xr-x+  2 trafert  pditdba        2 Oct 30 19:28 nfscache/
             user:user3:rwxp--a---c---:-------:allow
             user:user1:rwxp--a---c---:-------:allow
                 group@:r-x---a-R-c--s:fdi----:allow
              everyone@:r-x---a-R-c--s:fdi----:allow
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow
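The following is an added example, not part of Tim Rafert's message and not code from nfs4-acl-tools. It parses the text that nfs4_getfacl prints (the four-field type:flags:principal:perms lines shown in question 3), reports exact-duplicate ACEs, emits a deduplicated ACL in the form nfs4_setfacl -S reads from a file, and, for the lost-update symptom in question 4, lists the ACEs one host believes it wrote that another host does not read back. The sample ACL is copied from the second listing in question 3; note that it also shows the first nfs4_setfacl -a had already duplicated the inherited A:fdi:EVERYONE@:rxtncy entry, so the deduplicated result has eight ACEs, not nine.

```python
"""Parse nfs4_getfacl output, find duplicate ACEs, and build a clean ACL.

Added example (not from the original thread or from nfs4-acl-tools).
Assumes the four-field "type:flags:principal:perms" line format that
nfs4_getfacl prints, one ACE per line.
"""
from typing import Dict, List, NamedTuple, Tuple

VALID_TYPES = {"A", "D", "U", "L"}  # allow, deny, audit, alarm


class Ace(NamedTuple):
    ace_type: str    # A / D / U / L
    flags: str       # inheritance and other flags as printed, e.g. "fdi"
    principal: str   # OWNER@, GROUP@, EVERYONE@ or user/group@domain
    perms: str       # permission letters as printed, e.g. "rwaDdxtTnNCo"

    def key(self) -> Tuple[str, str, str, str]:
        # flags and perms are sets of letters: sort them so "fd" and "df"
        # compare equal; case is kept because d/D and t/T are distinct bits
        return (self.ace_type, "".join(sorted(self.flags)),
                self.principal, "".join(sorted(self.perms)))


# Constructed sample: the second nfs4_getfacl listing from question 3,
# taken after the same four ACEs were prepended twice with nfs4_setfacl -a.
SAMPLE_ACL = """\
A:fd:OWNER@:rwaDdxtTnNCo
A:fdi:EVERYONE@:rxtncy
D::EVERYONE@:DT
A::user1@xyz.com:rwaxtc
A:fd:OWNER@:rwaDdxtTnNCo
A:fdi:EVERYONE@:rxtncy
D::EVERYONE@:DT
A::user1@xyz.com:rwaxtc
A:fdig:GROUP@:rxtncy
A:fdi:EVERYONE@:rxtncy
A::OWNER@:rwaDxtTnNcCoy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
"""


def parse_acl(text: str) -> List[Ace]:
    """One ACE per line; blank lines and '#' comment lines are ignored."""
    aces: List[Ace] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected type:flags:principal:perms, got {raw!r}")
        ace = Ace(*fields)
        if ace.ace_type not in VALID_TYPES:
            raise ValueError(f"line {lineno}: unknown ACE type {ace.ace_type!r}")
        aces.append(ace)
    return aces


def find_duplicates(aces: List[Ace]) -> List[Tuple[int, Ace]]:
    """Zero-based positions of ACEs identical to an earlier one.

    NFSv4 walks the ACL in order and each requested access bit is settled
    by the first ACE that mentions it, so a later exact copy never changes
    the decision. A later *different* ACE for the same principal is not a
    duplicate and is left alone.
    """
    seen = set()
    dups: List[Tuple[int, Ace]] = []
    for i, ace in enumerate(aces):
        k = ace.key()
        if k in seen:
            dups.append((i, ace))
        seen.add(k)
    return dups


def dedupe(aces: List[Ace]) -> List[Ace]:
    """Keep the first occurrence of each ACE, preserving relative order."""
    first: Dict[Tuple[str, str, str, str], Ace] = {}
    for ace in aces:
        first.setdefault(ace.key(), ace)
    return list(first.values())  # dicts keep insertion order


def format_acl(aces: List[Ace]) -> str:
    """Text in the form 'nfs4_setfacl -S <file>' reads, one ACE per line."""
    return "".join(":".join(a) + "\n" for a in aces)


def missing_aces(expected: List[Ace], observed: List[Ace]) -> List[Ace]:
    """ACEs present in 'expected' but absent from 'observed', in order.

    For the symptom in question 4: compare the ACL a host believes it
    wrote with what another host (or the same host after its attribute
    cache expires) reads back.
    """
    have = {a.key() for a in observed}
    return [a for a in expected if a.key() not in have]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for pos, ace in find_duplicates(acl):
        print(f"duplicate at position {pos}: {':'.join(ace)}")
    print("--- deduplicated ACL for nfs4_setfacl -S ---")
    print(format_acl(dedupe(acl)), end="")
```

Because nfs4_setfacl -a prepends rather than merges, a script that edits ACLs should read the current ACL back, apply its change to the parsed list, deduplicate, and replace the whole ACL with -S; the read-back step is also the only way to notice, at the time of writing, that another host's change was lost.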
