Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-1426454.1
Update Date: 2016-02-08

Solution Type  Problem Resolution Sure

Solution  1426454.1 :   Sun Storage 7000 Unified Storage System: Shadow Migration/NFS copy of data from source system results in ACLs that contain Deny entries  


Related Items
  • Sun ZFS Storage 7420
  • Sun Storage 7110 Unified Storage System
  • Oracle ZFS Storage ZS3-2
  • Sun Storage 7210 Unified Storage System
  • Oracle ZFS Storage ZS4-4
  • Sun Storage 7410 Unified Storage System
  • Sun ZFS Storage 7120
  • Sun Storage 7310 Unified Storage System
  • Oracle ZFS Storage ZS3-4
  • Sun ZFS Storage 7320
  • Oracle ZFS Storage Appliance Racked System ZS4-4
  • Oracle ZFS Storage ZS3-BA

Related Categories
  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: 7xxx NAS
  • _Old GCS Categories>Sun Microsystems>Storage - Disk>Unified Storage




In this Document
Symptoms
Cause
Solution


Created from <SR 3-4857983481>

Applies to:

Sun ZFS Storage 7320 - Version All Versions and later
Sun ZFS Storage 7420 - Version All Versions and later
Sun ZFS Storage 7120 - Version All Versions and later
Sun Storage 7110 Unified Storage System - Version All Versions and later
Sun Storage 7210 Unified Storage System - Version All Versions and later
7000 Appliance OS (Fishworks)

Symptoms

The source data has POSIX-draft style ACLs. When the data is copied over via NFSv4 shadow migration, the ACLs are converted to ZFS ACLs, but two deny entries are created for each POSIX ACL entry in addition to the expected allow entry.

 

Example of POSIX ACL data:

# file: Data
# owner: luke
# group: it
user::rwx
user:luke:rwx #effective:rwx
user:mark:rwx #effective:rwx
user:matt:rwx #effective:rwx
user:john:rwx #effective:rwx

 

Example of resultant ZFS ACLs after shadow migration or NFS copy:

[root@system1] /mnt/data1 # ls -Vd

drwxrwx---+ 3 luke it 6 Nov 14 09:38 .

group:it:rwxpdDaARWcCos:fd----:allow
owner@:rwxp-DaA--cC-s:------:allow
owner@:--------------:------:deny
user:mark:-------A---C--:------:deny
user:mark:rwxp-Da---c--s:------:allow
user:mark:-------A---C--:------:deny
user:matt:-------A---C--:------:deny
user:matt:rwxp-Da---c--s:------:allow
user:matt:-------A---C--:------:deny
user:john:-------A---C--:------:deny
user:john:rwxp-Da---c--s:------:allow
user:john:-------A---C--:------:deny

 

Cause

After researching this issue, we found that the deny access control entries (ACEs) are not being created by the appliance.

The conversion from POSIX-draft ACLs is taking place, but they are first converted to NFSv4 ACLs rather than ZFS ACLs.

The deny ACEs are correctly applied in this case according to the best available specification, an internet draft on how POSIX ACLs should map to NFSv4 ACLs which can be found here: http://tools.ietf.org/id/draft-ietf-nfsv4-acl-mapping-03.txt.

Solution

There are no current plans to change this in the software, as it would be a very difficult task to change the NFSv4 specification at this point.

To work around the issue, use NFSv3 to migrate or copy the data, or use NFSv4 as above and then edit the ACLs with a root-mounted NFSv4 client.
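
The following is an added example, not part of the original Oracle note: a Python parser for the compact `ls -V` ACE lines shown under Symptoms, which lists the deny entries and the permissions each one denies, so they can be reviewed before the ACLs are edited. The function names and the ACE index (counted from 0 in listing order) are assumptions of this example.

```python
import re

# Compact permission letters, in the order `ls -V` prints them (14 positions).
PERMS = ["read_data", "write_data", "execute", "append_data", "delete",
         "delete_child", "read_attributes", "write_attributes", "read_xattr",
         "write_xattr", "read_acl", "write_acl", "write_owner", "synchronize"]

# who : 14-character permission mask : inheritance flags : allow|deny
ACE_RE = re.compile(r"^\s*((?:user|group):[^:]+|owner@|group@|everyone@)"
                    r":([A-Za-z-]{14}):([A-Za-z-]*):(allow|deny)\s*$")

# ACE lines copied from the listing in this article, so the example runs offline.
SAMPLE = """\
group:it:rwxpdDaARWcCos:fd----:allow
owner@:rwxp-DaA--cC-s:------:allow
owner@:--------------:------:deny
user:mark:-------A---C--:------:deny
user:mark:rwxp-Da---c--s:------:allow
user:mark:-------A---C--:------:deny
user:matt:-------A---C--:------:deny
user:matt:rwxp-Da---c--s:------:allow
user:matt:-------A---C--:------:deny
user:john:-------A---C--:------:deny
user:john:rwxp-Da---c--s:------:allow
user:john:-------A---C--:------:deny
"""

def parse_acl(text):
    """Return one dict per ACE line; lines that are not ACEs are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            who, mask, flags, kind = m.groups()
            perms = [name for name, ch in zip(PERMS, mask) if ch != "-"]
            aces.append({"index": len(aces), "who": who, "perms": perms,
                         "inherit": flags, "type": kind})
    return aces

def deny_report(aces):
    """Split deny ACEs into those that deny a permission and empty-mask ones."""
    denies = [a for a in aces if a["type"] == "deny"]
    return ([a for a in denies if a["perms"]],
            [a for a in denies if not a["perms"]])

if __name__ == "__main__":
    effective, empty = deny_report(parse_acl(SAMPLE))
    for a in effective + empty:
        print(a["index"], a["who"], "deny", ", ".join(a["perms"]) or "(empty mask)")
```

On the listing above, the six deny entries for mark, matt and john each deny write_attributes and write_acl, while the owner@ deny entry has an empty mask.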

 


  Copyright © 2018 Oracle, Inc.  All rights reserved.