[lustre-discuss] Disable identity_upcall and ACL

Daniel Kobras kobras at puzzle-itc.de
Wed Jan 9 03:21:54 PST 2019

Hi Aurélien!

Am 09.01.19 um 11:48 schrieb Degremont, Aurelien:
> When disabling identity_upcall on a MDT, you get this message in system
> logs:
>   lustre-MDT0000: disable "identity_upcall" with ACL enabled maybe cause
> unexpected "EACCESS"
> I’m trying to understand what could be a scenario that shows this problem?
> What is the implication, or rather, how identity_upcall works?

Without an identity_upcall, all Lustre users effectively lose their
secondary group memberships. These are not passed in the RPCs, but
evaluated on the MDS instead. The default l_getidentity receives a
numeric uid, queries NSS to obtain the corresponding account's list of
gids, and passes the list back to the kernel. As a test scenario, just
try to access a file or directory from an account that only has access
permissions via one of its secondardy groups. (The log message is a bit
misleading--you don't actually need to use ACLs, ordinary group
permissions are sufficient.)

Kind regards,

Daniel Kobras
Principal Architect
Puzzle ITC Deutschland
+49 7071 14316 0

Puzzle ITC Deutschland GmbH
Sitz der Gesellschaft:  Jurastr. 27/1, 72072 
Eingetragen am Amtsgericht Stuttgart HRB 765802
Lukas Kallies, Daniel Kobras, Mark Pröhl

More information about the lustre-discuss mailing list