[lustre-discuss] Disable identity_upcall and ACL

Degremont, Aurelien degremoa at amazon.com
Wed Jan 9 05:30:35 PST 2019

Hi Daniel!

The secondary group thing was ok to me. I got this idea even if there is some weird results during my tests. Looks like you can overwrite MDT checks if user and group is properly defined on client node. Cache effects?

ACL is really the thing I was interested in. Who is validating the ACLs? MDT, client or both? Do you think ACL could be properly applied if user/groups are only defined on client side and identity_upcall is disabled on MDT side?



Le 09/01/2019 12:22, « lustre-discuss au nom de Daniel Kobras » <lustre-discuss-bounces at lists.lustre.org au nom de kobras at puzzle-itc.de> a écrit :

    Hi Aurélien!
    Am 09.01.19 um 11:48 schrieb Degremont, Aurelien:
    > When disabling identity_upcall on a MDT, you get this message in system
    > logs:
    >   lustre-MDT0000: disable "identity_upcall" with ACL enabled maybe cause
    > unexpected "EACCESS"
    > I’m trying to understand what could be a scenario that shows this problem?
    > What is the implication, or rather, how identity_upcall works?
    Without an identity_upcall, all Lustre users effectively lose their
    secondary group memberships. These are not passed in the RPCs, but
    evaluated on the MDS instead. The default l_getidentity receives a
    numeric uid, queries NSS to obtain the corresponding account's list of
    gids, and passes the list back to the kernel. As a test scenario, just
    try to access a file or directory from an account that only has access
    permissions via one of its secondardy groups. (The log message is a bit
    misleading--you don't actually need to use ACLs, ordinary group
    permissions are sufficient.)
    Kind regards,
    Daniel Kobras
    Principal Architect
    Puzzle ITC Deutschland
    +49 7071 14316 0
    Puzzle ITC Deutschland GmbH
    Sitz der Gesellschaft:  Jurastr. 27/1, 72072 
    Eingetragen am Amtsgericht Stuttgart HRB 765802
    Lukas Kallies, Daniel Kobras, Mark Pröhl
    lustre-discuss mailing list
    lustre-discuss at lists.lustre.org

More information about the lustre-discuss mailing list