[lustre-discuss] Disable identity_upcall and ACL

Daniel Kobras kobras at puzzle-itc.de
Wed Jan 9 06:52:52 PST 2019


Hi Aurélien!

On 09.01.19 at 14:30, Degremont, Aurelien wrote:
> The secondary group thing was ok to me. I got this idea even if there is some weird results during my tests. Looks like you can overwrite MDT checks if user and group is properly defined on client node. Cache effects?

In a talk I gave a decade ago, I described a problem with authorization
due to inconsistencies between client and MDT, depending on whether
metadata was in the client cache or not (see p. 23 of
http://wiki.lustre.org/images/b/ba/Tuesday_lustre_automotive.pdf -- you
really managed to challenge my memory ;-) I faintly remember Andreas
commenting that the MDT was always supposed to be authoritative, even
for cached content, and the experienced behaviour was a bug. Indeed,
other than those prehistoric versions, I'm not aware of any
inconsistencies in authorization due to cache effects.

> ACL is really the thing I was interested in. Who is validating the ACLs? MDT, client or both? Do you think ACL could be properly applied if user/groups are only defined on client side and identity_upcall is disabled on MDT side?

POSIX ACLs use numeric uids and gids, just like ordinary permission
bits. Evaluation is supposed to happen on the MDT for both. If you can
do without secondary groups, there's no need for user and group
databases on the MDT; numeric ids will work fine. (Unless you use
Kerberos, which will typically require user names for proper id mapping.)

Kind regards,

Daniel
-- 
Daniel Kobras
Principal Architect
Puzzle ITC Deutschland
+49 7071 14316 0
www.puzzle-itc.de

-- 
Puzzle ITC Deutschland GmbH
Sitz der Gesellschaft: Jurastr. 27/1, 72072 Tübingen
Eingetragen am Amtsgericht Stuttgart HRB 765802
Geschäftsführer: Lukas Kallies, Daniel Kobras, Mark Pröhl
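The point that ACL evaluation is purely numeric, and that a group ACL entry can only match gids the evaluating side actually knows for the caller, is easy to see in a small model of the POSIX.1e access-check algorithm. The following is an added example, not code from the thread or from Lustre: it parses the short-text ACL form (`u::rw-,g:2000:rw-,m::rw-,o::---`), evaluates a request against a numeric uid plus whatever gid set the checker holds, and shows the same caller being granted or denied depending on whether its secondary group is visible where the check runs. All uids, gids and ACL strings below are constructed sample values.

```python
"""Model of POSIX.1e ACL evaluation with numeric ids only (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1  # permission bits, same encoding as mode bits


def parse_perms(s: str) -> int:
    """Turn 'rw-' style text into a bitmask."""
    if len(s) != 3:
        raise ValueError(f"bad permission text: {s!r}")
    return (R if s[0] == "r" else 0) | (W if s[1] == "w" else 0) | (X if s[2] == "x" else 0)


@dataclass
class Acl:
    owner_uid: int                      # file owner (from the inode, numeric)
    owner_gid: int                      # owning group (from the inode, numeric)
    user_obj: int = 0                   # u::  entry
    group_obj: int = 0                  # g::  entry
    other: int = 0                      # o::  entry
    users: Dict[int, int] = field(default_factory=dict)   # u:<uid>:  entries
    groups: Dict[int, int] = field(default_factory=dict)  # g:<gid>:  entries
    mask: Optional[int] = None          # m::  entry, absent on minimal ACLs


def parse_acl(owner_uid: int, owner_gid: int, text: str) -> Acl:
    """Parse the short-text ACL form. Qualifiers must already be numeric:
    this side deliberately has no user/group database to resolve names with."""
    acl = Acl(owner_uid, owner_gid)
    for entry in text.split(","):
        tag, qual, perms = entry.strip().split(":")
        p = parse_perms(perms)
        if tag in ("u", "user"):
            if qual == "":
                acl.user_obj = p
            else:
                acl.users[int(qual)] = p
        elif tag in ("g", "group"):
            if qual == "":
                acl.group_obj = p
            else:
                acl.groups[int(qual)] = p
        elif tag in ("m", "mask"):
            acl.mask = p
        elif tag in ("o", "other"):
            acl.other = p
        else:
            raise ValueError(f"unknown ACL tag: {tag!r}")
    return acl


def check_access(acl: Acl, uid: int, gids: Set[int], want: int) -> bool:
    """POSIX.1e access check. `gids` is every gid the checking side knows for
    the caller (primary plus secondary). A gid the checker never learned about
    cannot match, which is exactly what a missing group database costs you."""
    mask = acl.mask if acl.mask is not None else R | W | X
    if uid == acl.owner_uid:                      # 1. owner: u:: applies, never masked
        return want & acl.user_obj == want
    if uid in acl.users:                          # 2. named user entry, masked
        return want & acl.users[uid] & mask == want
    matched = False                               # 3. owning group and named groups, masked;
    for gid in gids:                              #    any matching entry that grants wins
        if gid == acl.owner_gid:
            matched = True
            if want & acl.group_obj & mask == want:
                return True
        if gid in acl.groups:
            matched = True
            if want & acl.groups[gid] & mask == want:
                return True
    if matched:                                   # a group matched but none granted: deny
        return False
    return want & acl.other == want               # 4. nobody matched: o:: applies


def demo() -> Dict[str, bool]:
    """Constructed scenario: file owned by 1000:1000, write granted to gid 2000.
    Caller uid 1001 has primary gid 1001 and secondary gid 2000."""
    acl = parse_acl(1000, 1000, "u::rw-,g::r--,g:2000:rw-,m::rw-,o::---")
    return {
        "write_with_secondary_groups_known": check_access(acl, 1001, {1001, 2000}, W),
        "write_with_primary_gid_only": check_access(acl, 1001, {1001}, W),
        "owner_write": check_access(acl, 1000, {1000}, W),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'allowed' if v else 'denied'}")
```

Running the demo shows the caller allowed to write when the checker sees gid 2000 in its group set and denied when it only sees the primary gid; nothing in the evaluation ever touches a user or group name, which is why numeric ids alone are sufficient as long as the side doing the check is handed the complete gid list.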
