[lustre-discuss] Disable identity_upcall and ACL
Daniel Kobras
kobras at puzzle-itc.de
Wed Jan 9 03:21:54 PST 2019
Hi Aurélien!
Am 09.01.19 um 11:48 schrieb Degremont, Aurelien:
> When disabling identity_upcall on a MDT, you get this message in system
> logs:
>
> lustre-MDT0000: disable "identity_upcall" with ACL enabled maybe cause
> unexpected "EACCESS"
>
> I’m trying to understand what could be a scenario that shows this problem?
> What is the implication, or rather, how identity_upcall works?
Without an identity_upcall, all Lustre users effectively lose their
secondary group memberships. These are not passed in the RPCs, but
evaluated on the MDS instead. The default l_getidentity receives a
numeric uid, queries NSS to obtain the corresponding account's list of
gids, and passes the list back to the kernel. As a test scenario, just
try to access a file or directory from an account that only has access
permissions via one of its secondardy groups. (The log message is a bit
misleading--you don't actually need to use ACLs, ordinary group
permissions are sufficient.)
Kind regards,
Daniel
--
Daniel Kobras
Principal Architect
Puzzle ITC Deutschland
+49 7071 14316 0
www.puzzle-itc.de
--
Puzzle ITC Deutschland GmbH
Sitz der Gesellschaft: Jurastr. 27/1, 72072
Tübingen
Eingetragen am Amtsgericht Stuttgart HRB 765802
Geschäftsführer:
Lukas Kallies, Daniel Kobras, Mark Pröhl
More information about the lustre-discuss
mailing list