Legacy BlueArc

Titan3200 - NFS4 ACLs - unable to inherit rx for "others" with ACLs

Discussion created by Legacy BlueArc on May 22, 2012

Originally posted by: aperez

 

 

 

Hi,
We have two BlueArc Titan 3200 (Hitachi HNAS3200) NAS heads (SMU v.8.1.2351.06) which are sharing the users' homes both through CIFS and NFS.

 

On our NFS4 mounted filesystems we can set the "unix" permissions without problems using chmod, i.e. chmod 777 TEST

 

But we cannot get the permissions inherited for the OTHERS: We have some folders where we need READ permission inherited for OTHERS (we had this working on our previous NAS) and here is where the problems appeared...

 

I will show you several examples of how it behaves:


server:/storage/home/username # nfs4_getfacl .
A::OWNER@:rwaDxtTnNcy
A:g:Everyone:tcy

server:/storage/home/username # mkdir TEST

server:/storage/home/username # ls -lad TEST/
drwxr-xr-x 2 root root 2048 21 mai 18:19 TEST/

server:/storage/home/username # nfs4_getfacl TEST/
A::OWNER@:rwaDxtTnNcy
A:g:Everyone:rxtncy

 


Till here all is normal... But if we try to set "Everyone" to inherit its READ ACL (adding the "fd"):
server:/storage/home/username # nfs4_editfacl TEST
A::OWNER@:rwaDxtTnNcy
A:fdg:Everyone:rxtncy

 

We see the OTHER permissions disappear...
server:/storage/home/username # ls -ald TEST2
drwx------ 3 root root 2048 21 mai 18:28 TEST2
       ^^^

 

We can make other changes to OWNER or GROUPS ACLs and they are reflected (i.e. we remove the "w" to the owner)
server:/storage/home/username # nfs4_editfacl TEST
A::OWNER@:raDxtTnNcy
A:fdg:Everyone:rxtncy

server:/storage/home/username # ls -ald TEST
dr-x------ 3 root root 2048 21 mai 18:28 TEST
  ^

 

...but OTHER is always empty even if you modify it (let's add "w" to OTHERS)
server:/storage/home/username # nfs4_editfacl TEST
A::OWNER@:raDxtTnNcy
A:fdg:Everyone:rwxtncy

... NO CHANGE TO OTHER:
server:/storage/home/username # ls -ald TEST
dr-x------ 3 root root 2048 21 mai 18:28 TEST

 

 

In fact it can get worse: If you remove the "w" from Everyone (which is the configuration we wish to have working) the whole linux permissions disappear:

 

 

 

server:/storage/home/username # nfs4_editfacl TEST
A::OWNER@:raDxtTnNcy
A:fdg:Everyone:rxtncy

server:/storage/home/username # ls -ald TEST
d---- 3 root root 2048 21 mai 18:28 TEST

 

 

 


Our folders have several groups and users' ACLs, so things get worse. This is just a simplified example.

 

We have a "workaround" to have rwx inherited (although we only wanted "rx"): to give rwx to OTHER using chmod:


chmod 777 TEST

 

The file/folders created inside then inherit the OTHER rwx... But any change made to the ACLs can break the permissions (as seen before)

 

We have set the mask options to these values:
ClusterNode-1:$ fs-dacl-mode mask-on-chmod-passthrough-on-create
File system DACL mode: mask-on-chmod-passthrough-on-create (masking-deny-aces enabled)

 

 

Thanks for your help

Regards


Toni
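
An added example, not part of the original post: a small Python check that parses nfs4_getfacl ACE lines and compares the rwx bits granted by the "Everyone" ACE with the "other" triplet that ls shows, using the ACLs and modes quoted in the post. It assumes, as the post does, that the Everyone ACE should drive the "other" bits; the function names are hypothetical.

```python
import re

# One ACE as printed by nfs4_getfacl: type:flags:principal:permissions
ACE_RE = re.compile(r"^([ADUL]):([A-Za-z]*):([^:]+):([A-Za-z]*)$")

def parse_ace(line):
    """Split an ACE line into its fields and decode the inheritance flags."""
    m = ACE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an NFSv4 ACE: {line!r}")
    ace_type, flags, principal, perms = m.groups()
    return {
        "type": ace_type,
        "principal": principal,
        "is_group": "g" in flags,
        "file_inherit": "f" in flags,
        "dir_inherit": "d" in flags,
        "inherit_only": "i" in flags,
        "perms": perms,
    }

def rwx(perms):
    """Reduce an NFSv4 permission string to the rwx triplet ls would show."""
    return "".join(c if c in perms else "-" for c in "rwx")

def check_other(ace_lines, ls_mode, principal="Everyone"):
    """Compare the allow ACE for `principal` with the 'other' triplet of ls_mode.

    Assumption taken from the post: the Everyone ACE drives the 'other' bits.
    Returns (expected, observed, inheritable), or None if no usable ACE exists.
    """
    observed = ls_mode[7:10]
    for ace in map(parse_ace, ace_lines):
        if ace["type"] != "A" or ace["principal"] != principal:
            continue
        if ace["inherit_only"]:
            continue  # an inherit-only ACE does not apply to the object itself
        inheritable = ace["file_inherit"] or ace["dir_inherit"]
        return rwx(ace["perms"]), observed, inheritable
    return None

# ACLs and ls modes quoted in the post above.
TEST_PLAIN = (["A::OWNER@:rwaDxtTnNcy", "A:g:Everyone:rxtncy"], "drwxr-xr-x")
TEST_INHERIT = (["A::OWNER@:rwaDxtTnNcy", "A:fdg:Everyone:rxtncy"], "drwx------")

if __name__ == "__main__":
    for name, (acl, mode) in (("no inherit", TEST_PLAIN), ("with fd", TEST_INHERIT)):
        expected, observed, inheritable = check_other(acl, mode)
        status = "ok" if expected == observed else "MISMATCH"
        print(f"{name}: expected={expected} observed={observed} fd={inheritable} {status}")
```

Run against a directory tree, a check like this flags every object whose mode bits no longer match the ACE that was meant to grant read access to others.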
