Isilon Permission for no_root_squash

sumi rai

Mar 19, 2017, 8:26:29 PM
to Isilon Technical User Group
Hello all

If someone can please help me out. I have been trying to enable no_root_squash on the Isilon NFS export so the Unix root account can add the ACL.
I have tried the following things, but for some reason I am getting setfacl: demo: Operation not supported

Directory Transfer Size: 128.0K
               Encoding: DEFAULT
               Link Max: 32767
         Map Lookup UID: No
              Map Retry: No
               Map Root
                    Enabled: True
                       User: root
              Primary Group: -
           Secondary Groups: -
           Map Non Root
                    Enabled: False
                       User: nobody
              Primary Group: -
           Secondary Groups: -
            Map Failure
                    Enabled: True
                       User: nobody
              Primary Group: -


erik.j...@gmail.com

Mar 19, 2017, 8:58:26 PM
to isilon-u...@googlegroups.com
You might try setting map root to 0 instead of root. It's the same thing in the end but the name has to resolve and the UID number is just used. 

I don't recall setfacl being useful for anything on the cluster. POSIX ACLs are not used nor are they supported.

--
Erik Weiman
Sent from my iPhone 6s
--
You received this message because you are subscribed to the Google Groups "Isilon Technical User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isilon-user-gr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
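
Added example (not part of any post in this thread, and not Isilon tooling): the export settings posted above show Map Root enabled with User root, which is the OneFS form of no_root_squash, so this Python code parses that output format and reports how client root is mapped. The sample text is constructed from the post, the function names are hypothetical, and treating `0` like `root` follows the reply above.

```python
# Sub-keys that belong to a "Map Root" / "Map Non Root" / "Map Failure" section.
SUBKEYS = {"Enabled", "User", "Primary Group", "Secondary Groups"}

# Constructed sample, shaped like the export settings posted in this thread.
SAMPLE = """\
         Map Lookup UID: No
              Map Retry: No
               Map Root
                    Enabled: True
                       User: root
              Primary Group: -
           Secondary Groups: -
           Map Non Root
                    Enabled: False
                       User: nobody
            Map Failure
                    Enabled: True
                       User: nobody
"""

def parse_export(text):
    """Return {key: value}; mapping sections become nested dicts."""
    export, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:                          # no colon: a section header
            section = export.setdefault(key, {})
        elif section is not None and key in SUBKEYS:
            section[key] = value             # setting inside the section
        else:                                # ordinary top-level setting
            section = None
            export[key] = value
    return export

def root_mapping(export):
    """Classify the Map Root rule of one parsed export."""
    rule = export.get("Map Root", {})
    if rule.get("Enabled", "").lower() != "true":
        return "root mapping disabled"
    if rule.get("User", "") in ("root", "0"):
        return "not squashed"                # client root stays root
    return "squashed to " + rule.get("User", "?")
```

Run against the settings in the first post, `root_mapping(parse_export(SAMPLE))` reports `not squashed`, which is worth flagging on any export reachable by clients whose root account is not trusted.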

sumi rai

Mar 19, 2017, 9:10:18 PM
to Isilon Technical User Group
Thank you for the quick response. I am using setfacl on the Unix side, not on the cluster.

Peter Serocka

Mar 20, 2017, 1:45:11 AM
to isilon-u...@googlegroups.com
You can try mounting with NFS4 and using
the nfs4_setfacl/nfs4_getfacl commands on the client,
and see whether this matches your needs.

— Peter

Dan Pritts

Mar 20, 2017, 11:17:42 AM
to isilon-u...@googlegroups.com
I have used the NFS4 acl commands with success from an RHEL6 client.   POSIX acls are not used on the cluster nor on NFS clients. 

If you want to set acls on the cluster, use the chmod command.   The man page is pretty good. 

My recommendation is to either use the cluster, or a Windows client, to do any significant acl changes.  Or possibly mount the filesystem as smbfs and use the samba client side tools to set the acls - I've never done it but it can't be worse than the nfs4 tools.

The user interface for the nfs4 client acl commands is terrible.  The syntax is obtuse, and IIRC they only operate on a single file or directory per command invocation.  So if you want to set the acl on every file in a directory you have to do something like

for fyle in * ; do
  nfs4_setfacl -s acl_goes_here "$fyle"
done


--
Sent from Postbox

sumi rai

Mar 20, 2017, 9:57:24 PM
to Isilon Technical User Group
Thank you all for your helpful comments. I was able to add the ACL via NFS4, but our requirement is to have NFS3, and the client would like to implement the custom ACL from the client end. Please let me know if this is possible.

Erik Weiman

Mar 20, 2017, 10:10:31 PM
to isilon-u...@googlegroups.com
You can't add ACLs via NFSv3. There is no standard RFC for POSIX ACLs so support for it has never been a part of OneFS. Additionally, the client version of chmod doesn't have any of the Isilon customizations required to add NTFS/Windows ACLs to the files. Even if you had the ability to do it from the client I doubt the protocol would be able to do it.

If you want to use ACLs to manage this data and access it via NFSv3 the best you'll be able to do is figure out how to do it using inheritable permissions and set those on the top level directory and forget about changing them from the NFSv3 clients. 

If you have to be able to control ACLs from the NFS client then your only choice is going to be to implement NFSv4 or perhaps you could use a version of SMB instead. However I'm not sure what tools are available to *nix clients that could adjust Windows ACLs over SMB.

--
Erik Weiman 
Sent from my iPhone 7

John Beranek - PA

Mar 22, 2017, 7:23:58 PM
to Isilon Technical User Group
On another tack you could use the Isilon API to configure ACLs, but that's a whole other complication you'd have to add on top of the NFSv3 access...

For us, if we're relying on ACLs for NFS clients, we just set the ACLs on Windows, and then the NFS clients honour them.

John
