Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1514363 - Glusterfs client file access permission control incorrect
Summary: Glusterfs client file access permission control incorrect
Keywords:
Status: CLOSED EOL
Alias: None
Product: GlusterFS
Classification: Community
Component: fuse
Version: 3.10
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Csaba Henk
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-17 08:44 UTC by coyang
Modified: 2018-06-20 18:25 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-20 18:25:25 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:


Attachments (Terms of Use)
step by step guide for this problem (deleted)
2017-11-17 08:44 UTC, coyang
no flags Details

Description coyang 2017-11-17 08:44:38 UTC
Created attachment 1354046 [details]
step by step guide for this problem

Description of problem:
glusterfs client point file 

Version-Release number of selected component (if applicable):


How reproducible:

Env description
3 nodes sn-0/1/2 take as glusterfs server node.
creaate a 2 way replicate volume export and mount the volume from another glusterfs client node mn-0.
[root@sn-0:/root]
# gluster pool list
UUID                    Hostname    State
55183779-2af2-4693-bf8b-f60aecc72bf2    sn-1.local  Connected 
9acb143b-cc90-4e06-9870-1187272a8dfc    sn-2.local  Connected 
1404829b-a823-4911-baa0-9768e534de90    localhost   Connected 
[root@sn-0:/root]
# gluster peer status 
Number of Peers: 2

Hostname: sn-1.local
Uuid: 55183779-2af2-4693-bf8b-f60aecc72bf2
State: Peer in Cluster (Connected)

Hostname: sn-2.local
Uuid: 9acb143b-cc90-4e06-9870-1187272a8dfc
State: Peer in Cluster (Connected)
[root@sn-0:/root]
# gluster v info export 

Volume Name: export
Type: Replicate
Volume ID: 4d6e0035-41b1-4989-939a-1f5e800f738f
Status: Started
Snapshot Count: 0
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: sn-0.local:/mnt/bricks/export/brick
Brick2: sn-1.local:/mnt/bricks/export/brick
Options Reconfigured:
network.ping-timeout: 42
server.allow-insecure: on
cluster.consistent-metadata: on
cluster.server-quorum-type: server
transport.address-family: inet
nfs.disable: on
cluster.server-quorum-ratio: 51%
[root@sn-0:/root]
# gluster v status export
Status of volume: export
Gluster process                             TCP Port  RDMA Port  Online  Pid
------------------------------------------------------------------------------
Brick sn-0.local:/mnt/bricks/export/brick   49156     0          Y       7493 
Brick sn-1.local:/mnt/bricks/export/brick   49156     0          Y       6574 
Self-heal Daemon on localhost               N/A       N/A        Y       10048
Self-heal Daemon on sn-1.local              N/A       N/A        Y       8682 
Self-heal Daemon on sn-2.local              N/A       N/A        Y       8540 

Task Status of Volume export
------------------------------------------------------------------------------
There are no active volume tasks
Step by step guide
Pre condition
user robot is a normal user

robot:x:10000:0:Robot user for test automation purposes:/home/robot:/bin/bash

/mnt/export is the mount point

[robot@mn-0:/home/robot]
$ findmnt |grep export |grep -v tmp
├─/mnt/export                    sn-0.local:/export                                         fuse.glusterfs rw,relatime,user_id=0,group_id=0,allow_other,max_read=131072
create directory in /mnt/export named test and robot user don't have permission to access it.
[robot@mn-0:/home/robot]
$ stat /mnt/export/test
stat: cannot stat '/mnt/export/test': Permission denied
[robot@mn-0:/home/robot]
$ sudo stat /mnt/export/test
  File: /mnt/export/test
  Size: 4096        Blocks: 8          IO Block: 131072 directory
Device: 25h/37d Inode: 10834584126020128969  Links: 2
Access: (2755/drwxr-sr-x)  Uid: (    0/    root)   Gid: (  615/_nokfsuifileshare)
Access: 2017-11-17 09:52:37.737000000 +0200
Modify: 2017-11-17 09:53:57.183000000 +0200
Change: 2017-11-17 09:53:57.183000000 +0200
 Birth: -

Steps to Reproduce:

1. use sudo "dd if=/dev/zero of=/mnt/export/test/testfile bs=4K count=1 ;" create a file
2. ls the file as root user, then use robot user to ls the file

sudo ls -l /mnt/export/test/testfile &&  ls -l /mnt/export/test/testfile 

Actual results:
the first and second ls are return success

[robot@mn-0:/home/robot]
$ sudo ls -l /mnt/export/test/testfile &&  ls -l /mnt/export/test/testfile 
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile

Expected results:
the second ls should return Permission denied.

Additional info:
after sleep 1 seconds or drop cache, the second ls will return fail.

[robot@mn-0:/home/robot]
$ sudo ls -l /mnt/export/test/testfile && sleep 1 && ls -l /mnt/export/test/testfile
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile
ls: cannot access '/mnt/export/test/testfile': Permission denied
[robot@mn-0:/home/robot]
$ sudo ls -l /mnt/export/test/testfile && sleep 1 && ls -l /mnt/export/test/testfile
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile
ls: cannot access '/mnt/export/test/testfile': Permission denied
[robot@mn-0:/home/robot]
$ sudo ls -l /mnt/export/test/testfile && sudo bash -c " echo 3 > /proc/sys/vm/drop_caches " && ls -l /mnt/export/test/testfile
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile
ls: cannot access '/mnt/export/test/testfile': Permission denied

Comment 1 coyang 2017-11-20 05:58:32 UTC
This problem seems in fuse entry cache, I changed the ZR_ENTRY_TIMEOUT_OPT timeout value from 1.0 to 0.01, seems this problem has solved.
fuse-bridge.c line 5381 (glusterfs 3.10.6)
struct volume_options options[] = {
...
        { .key  = {ZR_ENTRY_TIMEOUT_OPT},
          .type = GF_OPTION_TYPE_DOUBLE,
          .default_value = "1.0"
        },

Comment 2 coyang 2017-11-24 03:23:43 UTC
function call list:
fuse_lookup 
    |
    \-->fuse_lookup_resume
        |
        \--> fuse_lookup_cbk
                |
                \-->fuse_entry_cbk
                    |
                    \--> calc_timeout_sec

Comment 3 Shyamsundar 2018-06-20 18:25:25 UTC
This bug reported is against a version of Gluster that is no longer maintained (or has been EOL'd). See https://www.gluster.org/release-schedule/ for the versions currently maintained.

As a result this bug is being closed.

If the bug persists on a maintained version of gluster or against the mainline gluster repository, request that it be reopened and the Version field be marked appropriately.


Note You need to log in before you can comment on or make changes to this bug.