ACL - NFSv4 - NFSv4xdr

fw_crocodile (Dabbler):
Hello,
I'm trying to understand what I should do to correctly and consistently use ACL, for both local and NFS permissions management.

So these are my conclusions:
- ZFS supports NFSv4 ACLs
- getfacl/setfacl manipulate POSIX ACLs (fine for local management, not a good choice for a network share)

Now a couple of questions:
Which are the differences between nfs4_### and nfs4xdr_### commands and which one should I use?
Could I use consistently just one type of ACL for local/nfs/SMB shares or not?


Can anyone point me in the right direction to understand NFSv4 user mapping? I've not been able to find good documentation.
 

usaleem-ix (Cadet):
Hi, while setfacl/getfacl manipulate POSIX ACLs, nfs4_getfacl and nfs4_setfacl manipulate NFSv4 ACLs. These are generic Linux-provided utilities, with the latter operating on ACLs stored in an xattr.

For TrueNAS SCALE, nfs4xdr_getfacl and nfs4xdr_setfacl should be used. In ZFS and NFS on SCALE, an XDR encoding scheme is used to store ACLs, which is exposed to user space so that Samba or other CLI tools can manipulate it.
 

fw_crocodile (Dabbler):
OK, perfect. So do the XDR-encoded ACLs also work for local access?
I mean, as an example, could I also use them for granting the "apps" user access to a dataset or local path?
Is that right?
 

Davvo (MVP):
I never used SCALE, so feel free to correct me if I am wrong, but you should set your shares' ACLs via the GUI and not from the terminal.
 

fw_crocodile (Dabbler):
Yes and no.

You can modify the ACLs of the shared path, but only for SMB shares. This is not provided for an NFS share.
You can modify the ACLs for an entire dataset from the dataset management GUI.

In both cases, you can recursively apply ACLs. But if you want to modify a deeper path, or otherwise make more fine-grained adjustments, you need to do it manually.

At least, that is my understanding of TrueNAS SCALE.
 

anodos (Sambassador, iXsystems):
> Hi, while setfacl/getfacl manipulate POSIX ACLs, nfs4_getfacl and nfs4_setfacl manipulate NFSv4 ACLs. These are generic Linux-provided utilities, with the latter operating on ACLs stored in an xattr.
>
> For TrueNAS SCALE, nfs4xdr_getfacl and nfs4xdr_setfacl should be used. In ZFS and NFS on SCALE, an XDR encoding scheme is used to store ACLs, which is exposed to user space so that Samba or other CLI tools can manipulate it.

It's important to realize that nfs4_getfacl and nfs4_setfacl are for NFS clients over the NFS protocol (e.g. mounted NFS shares). These are standard Linux sysadmin tools and are not suitable for use on local ZFS filesystems.
 

anodos (Sambassador, iXsystems):
> In both cases, you can recursively apply ACLs. But if you want to modify a deeper path, or otherwise make more fine-grained adjustments, you need to do it manually.

Our filesystem.setacl API is path-based and can be used through either shell or python middleware client, an external REST API call, or websocket API call. This is all documented in the API documentation.

Alternatively, you can edit the local NFSv4 ACL via the command nfs4xdr_setfacl -e <path> which opens a vi editor that you can use to fine-tune the ACL as needed. This applies only to the particular directory. Once you have the ACL set the way you want it, you can run a separate tool nfs4xdr_winacl -a clone -rv -p <path> which will recursively perform inheritance operations on the given path.
 

anodos (Sambassador, iXsystems):
There is a separate tool for handling NFSv4 ACL inheritance because the semantics are complex and a simple -R switch is generally undesired (but often performed by those unfamiliar with ACLs). Cf. RFC 5661.
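
The inheritance semantics anodos refers to, worked through as an added example (not part of the thread, and not TrueNAS's or the nfs4xdr tools' own code): a small Python model of the per-ACE rules in RFC 5661 section 6.4.3.2, applied over a constructed directory tree the way a recursive inheritance pass such as `nfs4xdr_winacl -a clone` would revisit each node. ACE text is written in the FreeBSD-style `principal:perms:flags:type` form (assumed here to be what nfs4xdr_getfacl prints, given the FreeBSD acl_to_text parser mentioned later in the thread); the sample ACL, the tree, and the rendering of the inherited flag as `I` are my assumptions.

```python
"""Model of NFSv4 ACE inheritance (RFC 5661, section 6.4.3.2), using the FreeBSD-style
"principal:perms:flags:type" ACE text, e.g. "group@:rwxpDdaARWcCos:fd-----:allow"."""
from __future__ import annotations
from dataclasses import dataclass, replace

# Permission letters in display order: read, write, execute, append, delete_child, delete,
# read_attr, write_attr, read_xattr, write_xattr, read_acl, write_acl, write_owner, synchronize.
PERM_ORDER = "rwxpDdaARWcCos"
# Flag letters in display order: file_inherit, dir_inherit, inherit_only, no_propagate,
# inherited, successful_access audit, failed_access audit.
FLAG_ORDER = "fdinISF"
ACE_TYPES = {"allow", "deny", "audit", "alarm"}


def _canon(letters: str, order: str) -> str:
    """Normalise a set of letters to a fixed-width, dash-padded field in `order`."""
    unknown = set(letters) - set(order) - {"-"}
    if unknown:
        raise ValueError(f"unknown letters {sorted(unknown)} in {letters!r}")
    return "".join(c if c in letters else "-" for c in order)


@dataclass(frozen=True)
class Ace:
    who: str     # owner@ / group@ / everyone@ / user:<name> / group:<name>
    perms: str   # canonical PERM_ORDER field
    flags: str   # canonical FLAG_ORDER field
    type: str    # allow / deny / audit / alarm

    @classmethod
    def parse(cls, text: str) -> Ace:
        who, perms, flags, type_ = text.strip().rsplit(":", 3)  # keeps "user:apps" whole
        if type_ not in ACE_TYPES:
            raise ValueError(f"bad ACE type in {text!r}")
        return cls(who, _canon(perms, PERM_ORDER), _canon(flags, FLAG_ORDER), type_)

    def __str__(self) -> str:
        return f"{self.who}:{self.perms}:{self.flags}:{self.type}"


def inherit_ace(ace: Ace, child_is_dir: bool) -> Ace | None:
    """Return the ACE a newly created child receives from `ace`, or None if nothing propagates."""
    f, d, n = "f" in ace.flags, "d" in ace.flags, "n" in ace.flags
    if not (f or d):
        return None                      # no inherit flag: the ACE stays on the parent only
    flags = set(ace.flags) - {"-"}
    flags.add("I")                       # ACE4_INHERITED_ACE; 'I' letter as the nfs4xdr tools show it (assumed)
    if not child_is_dir:
        if not f:
            return None                  # directory-inherit only: files are skipped
        flags -= {"f", "d", "i", "n"}    # a file has no children, so every inherit flag is stripped
    elif d:
        flags.discard("i")               # becomes effective on the new directory itself
        if n:
            flags -= {"f", "d", "n"}     # NO_PROPAGATE: this directory gets it, its children do not
    else:                                # file-inherit only
        if n:
            return None                  # would be carried inherit-only with nothing left to pass on
        flags.add("i")                   # carried for the files below, not applied to this directory
    return replace(ace, flags=_canon("".join(flags), FLAG_ORDER))


def inherited_acl(parent_acl: list[Ace], child_is_dir: bool) -> list[Ace]:
    """ACL a fresh child gets from `parent_acl` (what a recursive inheritance pass recomputes per node)."""
    return [c for c in (inherit_ace(a, child_is_dir) for a in parent_acl) if c is not None]


def clone_tree(root_acl: list[Ace], tree: dict) -> dict[str, list[Ace]]:
    """Walk an in-memory tree (dict = directory, None = file) and return {path: inherited ACL}."""
    result: dict[str, list[Ace]] = {}

    def walk(prefix: str, acl: list[Ace], node: dict) -> None:
        for name, sub in node.items():
            is_dir = sub is not None
            path = f"{prefix}/{name}"
            result[path] = inherited_acl(acl, is_dir)
            if is_dir:
                walk(path, result[path], sub)

    walk("", root_acl, tree)
    return result


# Constructed sample: an ACL on a dataset root, and the layout beneath it.
PARENT_ACL = [Ace.parse(s) for s in (
    "owner@:rwxpDdaARWcCos:fd-----:allow",
    "group@:rwxpDdaARWcCos:fd-----:allow",
    "group:developers:r-x---a-R-c--s:fdn----:allow",  # reaches one level down only
    "user:apps:rwxpDdaARWcCos:f-i----:allow",          # files only; never effective on a directory
    "everyone@:r-x---a-R-c--s:-------:allow",         # not inheritable: vanishes below the root
)]
TREE = {"projects": {"build": {}, "notes.txt": None}, "README": None}

if __name__ == "__main__":
    for path, acl in clone_tree(PARENT_ACL, TREE).items():
        print(path, *(f"\n    {ace}" for ace in acl))
```

Running it shows why a plain recursive copy is the wrong tool: `projects/build` never sees the `developers` entry because `n` stopped it at `projects`, the `apps` entry is carried through directories as inherit-only and only becomes effective on files, and the non-inheritable `everyone@` entry exists on the root alone. A naive `-R` that copied the root ACEs verbatim onto every node would get all three of those wrong.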
 

fw_crocodile (Dabbler):
@anodos Many thanks for your explanation. Just to be sure that my understanding was right:

For a local resource we should use only the nfs4xdr_ commands.
We should use nfs4_setfacl/nfs4_getfacl on a remote NFS share mounted locally. Even if it comes from another TrueNAS server?

What about the POSIX version getfacl/setfacl? We should just avoid them?
 

anodos (Sambassador, iXsystems):
> We should use nfs4_setfacl/nfs4_getfacl on a remote NFS share mounted locally. Even if it comes from another TrueNAS server?

This is a feature of the Linux NFS client. The mounted NFS filesystem (client mount) has a special xattr handler for NFSv4 ACLs that is manipulated via nfs4_getfacl/nfs4_setfacl. This is true regardless of Linux client and NFSv4 server.

> What about the POSIX version getfacl/setfacl? We should just avoid them?

You use the POSIX version if the local FS acltype is POSIX1E. This is a ZFS dataset property.

When you export the dataset via the NFSv4 protocol, the kernel NFS server will read both ACL types and convert them into an RFC 3530 NFSv4.0 ACL, and do the relevant NFSv4.0 protocol work so that the client will be able to interact with the native local ZFS ACL in an appropriate way.
 

fw_crocodile (Dabbler):
@anodos
To be honest, I did read the man pages, but I missed some precious hints:
> is on a mounted NFSv4 filesystem which supports ACLs.
vs.
> is on a filesystem exposing NFSv4 ACLs as a system.nfs4_acl_xdr xattr.
and
> nfs4xdr_getfacl expands on this work by providing userspace management features for local filesystems that support NFSv4 ACLs.

Thanks for your patience and help, I was not trying to avoid reading TFM!
 

anodos (Sambassador, iXsystems):
It's possible I need to review those manpages and clean them up. Most of this (manpage stuff) was written in one-go. Funnily enough, I brought in the text parser from FreeBSD libc for acl_to_text() / acl_from_text() and found a memory leak in the FreeBSD code while running these tools under valgrind :)
 

fw_crocodile (Dabbler):
The man pages are clear, just too obscure for someone like me, approaching ACLs and TrueNAS for the first time, since you have to notice the "small" differences.
 