From: Andreas Dilger
Date: Fri, 24 Jun 2022 16:38:06 +0000 (-0600)
Subject: LUDOC-11 security: remove client 'acl' mount option
X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=2f5d29096899c816ce925f79eb5938dff32c32c8;p=doc%2Fmanual.git

LUDOC-11 security: remove client 'acl' mount option

The 'acl' mount option on the client has been deprecated since Lustre 1.8, and unsupported since Lustre 2.8. It should no longer be mentioned in the manual.

Signed-off-by: Andreas Dilger
Change-Id: Iceb02088931ed291695c2eac824c673f79647e70
Reviewed-on: https://review.whamcloud.com/47767
Tested-by: jenkins
---
diff --git a/ManagingSecurity.xml b/ManagingSecurity.xml index 89bb2b6..6eeab96 100644 --- a/ManagingSecurity.xml +++ b/ManagingSecurity.xml 
@@ -87,31 +87,23 @@ Minimal ACLs have three entries. Extended ACLs have more than the three entries. Extended ACLs also contain a mask entry and may contain any number of named user and named group entries. - The MDS needs to be configured to enable ACLs. Use - --mountfsoptions to enable ACLs when creating your - configuration: - $ mkfs.lustre --fsname spfs --mountfsoptions=acl --mdt -mgs /dev/sda - Alternately, you can enable ACLs at run time by using the - --acl option with mkfs.lustre: + To check ACLs on the MDS, check that the acl + connect flag is listed (default since Lustre 1.8): + +# lctl get_param -n mdc.home-MDT0000-mdc-*.connect_flags | grep acl + + ACLs are enabled by default on a Lustre file system, and are + controlled on a system-wide basis; either all clients enable ACLs or + none do. Activating ACLs is controlled by MDS mount options + acl/noacl to enable or disable + ACLs, respectively. You do not need to change the client + configuration, and the acl string will not appear + in the client mount options in /etc/mtab. - $ mount -t lustre -o acl /dev/sda /mnt/mdt - To check ACLs on the MDS: - $ lctl get_param -n mdc.home-MDT0000-mdc-*.connect_flags | grep acl acl - To mount the client with no ACLs: - $ mount -t lustre -o noacl ibmds2@o2ib:/home /home - ACLs are enabled in a Lustre file system on a system-wide basis; - either all clients enable ACLs or none do. Activating ACLs is controlled - by MDS mount options acl / noacl - (enable/disable ACLs). Client-side mount options acl/noacl are ignored. - You do not need to change the client configuration, and the - 'acl' string will not appear in the client /etc/mtab. The - client acl mount option is no longer needed. If a client is mounted with - that option, then this message appears in the MDS syslog: - ...MDS requires ACL support but client does not - The message is harmless but indicates a configuration issue, which - should be corrected. 
If ACLs are not enabled on the MDS, then any attempts to reference - an ACL on a client return an Operation not supported error. + an ACL on a client return an Operation not supported + error. +
<indexterm> @@ -123,22 +115,22 @@ file system. They are manipulated with the standard tools in the standard manner. Below, we create a directory and allow a specific user access.</para> - <screen>[root@client lustre]# umask 027 -[root@client lustre]# mkdir rain -[root@client lustre]# ls -ld rain -drwxr-x--- 2 root root 4096 Feb 20 06:50 rain -[root@client lustre]# getfacl rain + <screen>[phil@client lustre]$ umask 027 +[phil@client lustre]$ mkdir rain +[phil@client lustre]$ ls -ld rain +drwxr-x--- 2 phil dev 4096 Feb 20 06:50 rain +[phil@client lustre]$ getfacl rain # file: rain -# owner: root -# group: root +# owner: phil +# group: dev user::rwx group::r-x other::--- -[root@client lustre]# setfacl -m user:chirag:rwx rain -[root@client lustre]# ls -ld rain -drwxrwx---+ 2 root root 4096 Feb 20 06:50 rain -[root@client lustre]# getfacl --omit-header rain +[phil@client lustre]$ setfacl -m user:chirag:rwx rain +[phil@client lustre]$ ls -ld rain +drwxrwx---+ 2 phil dev 4096 Feb 20 06:50 rain +[phil@client lustre]$ getfacl --omit-header rain user::rwx user:chirag:rwx group::r-x
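Review bot: In the first hunk (@@ -87,31 +87,23 @@) the new sentence "To check ACLs on the MDS" is followed by a command that reads mdc.home-MDT0000-mdc-*.connect_flags, and mdc parameters live on the client, so the text should say the check is run on a client to confirm that the acl connect flag was negotiated with the MDT. The parameter also hard-codes the file system name "home"; say that it is an example name or use a placeholder. The rewritten paragraph still states that ACLs are controlled by the MDS mount options acl/noacl, but the hunk removes both the mkfs.lustre --mountfsoptions=acl and the mount -t lustre -o acl examples, so nothing shows where an administrator would set noacl; consider keeping one MDS-side example. With the "MDS requires ACL support but client does not" text removed, one sentence on what a client sees if it still passes -o acl would help sites that carry the option in old fstab entries.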
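Review bot: The second hunk (@@ -123,22 +115,22 @@) switches the setfacl example from root to an unprivileged user (prompt [phil@client lustre]$, owner phil, group dev), which the commit message does not mention; it only describes removing the client 'acl' mount option. Add a line about it to the commit message or move it to its own change. While the example is being touched, a sentence explaining why ls -ld shows drwxrwx---+ after setfacl -m user:chirag:rwx while getfacl still reports group::r-x would help readers: once an extended ACL is present, the group permission bits shown by ls reflect the ACL mask, not the owning group's entry.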