<div dir="ltr"><div><div>Gluster devs,<br><br></div>I'm running gluster v3.6.3 (both
server and client side). Since my application requires more than 32
groups, I don't mount with ACLs on the client. If I mount with ACLs
between the bricks and set a default ACL on the server, I think I'm
right in stating that the server should respect that ACL whenever a new
file or folder is made. Maybe an example is in order:<br><br>We first set up a test directory with setgid bit so that our new subdirectories inherit the group.<br><font size="1"><span style="font-family:monospace,monospace">[root@gfs01a hpc_shared]# mkdir test; cd test; chown pglomski.users .; chmod 2770 .; getfacl .<br># file: .<br># owner: pglomski<br># group: users<br># flags: -s-<br>user::rwx<br>group::rwx<br>other::---</span></font><br><br>New subdirectories share the group, but the umask leads to them being group read-only.<br><font size="1"><span style="font-family:monospace,monospace">[root@gfs01a test]# mkdir a; getfacl a<br># file: a<br># owner: root<br># group: users<br># flags: -s-<br>user::rwx<br>group::r-x<br>other::r-x</span></font><br><br></div><div>Setting default ACLs on the server allows group write to new directories made on the server.<br><font size="1"><span style="font-family:monospace,monospace">[root@gfs01a test]# setfacl -m d:g::rwX ./; mkdir b; getfacl b<br># file: b<br># owner: root<br># group: users<br># flags: -s-<br>user::rwx<br>group::rwx<br>other::---<br>default:user::rwx<br>default:group::rwx<br>default:other::---</span></font><br><br></div><div>The respect for ACLs is (correctly) shared across bricks.<br><span style="font-family:monospace,monospace"><font size="1">[root@gfs02a test]# getfacl b<br># file: b<br># owner: root<br># group: users<br># flags: -s-<br>user::rwx<br>group::rwx<br>other::---<br>default:user::rwx<br>default:group::rwx<br>default:other::---<br><br>[root@gfs02a test]# mkdir c; getfacl c<br># file: c<br># owner: root<br># group: users<br># flags: -s-<br>user::rwx<br>group::rwx<br>other::---<br>default:user::rwx<br>default:group::rwx<br>default:other::---</font></span><br><br></div><div>However, when folders are created client-side, the default ACLs appear on the server, but don't seem to be correctly applied.<br><font size="1"><span style="font-family:monospace,monospace">[root@client test]# mkdir d; getfacl d<br># file: d<br># owner: root<br># group: users<br># flags: -s-<br>user::rwx<br>group::r-x<br>other::---</span><span style="font-family:monospace,monospace"><br><br>[root@gfs01a test]# getfacl d<br># file: d<br># owner: root<br># group: users<br># flags: -s-<br>user::rwx<br>group::r-x<br>other::---<br>default:user::rwx<br>default:group::rwx<br>default:other::---</span></font><br><br></div><div>As
no groups or users were specified, I shouldn't need to specify a mask
for the ACL and, indeed, specifying a mask doesn't help.<br><br></div><div>If it helps diagnose the problem, the volume options are as follows:<font size="1"><span style="font-family:monospace,monospace"><br>Options Reconfigured:<br>performance.io-thread-count: 32<br>performance.cache-size: 128MB<br>performance.write-behind-window-size: 128MB<br>server.allow-insecure: on<br>network.ping-timeout: 10<br>storage.owner-gid: 100<br>geo-replication.indexing: off<br>geo-replication.ignore-pid-check: on<br>changelog.changelog: on<br>changelog.fsync-interval: 3<br>changelog.rollover-time: 15<br>server.manage-gids: on</span></font><br><div><br></div>This approach to server-side ACLs
worked properly with previous versions of gluster. Can anyone assess the
situation for me, confirm/deny that something changed, and possibly suggest how I
can achieve inherited groups with write permission for new
subdirectories in a >32-group environment?<br><br></div><div>Thanks for your time,<br><br></div>Patrick</div>