Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-72-1426454.1
Update Date: 2012-07-09

Solution Type  Problem Resolution Sure

Solution  1426454.1 :   Sun Storage 7000 Unified Storage System: Shadow Migration/NFS copy of data from source system results in ACLs that contain Deny entries  


Related Items
  • Sun Storage 7310 Unified Storage System
  • Sun Storage 7410 Unified Storage System
  • Sun ZFS Storage 7120
  • Sun ZFS Storage 7320
  • Sun ZFS Storage 7420
  • Sun Storage 7110 Unified Storage System
  • Sun Storage 7210 Unified Storage System

Related Categories
  • PLA-Support>Sun Systems>DISK>NAS>SN-DK: 7xxx NAS
  • .Old GCS Categories>Sun Microsystems>Storage - Disk>Unified Storage

In this Document
Symptoms
Cause
Solution


Created from <SR 3-4857983481>

Applies to:

Sun ZFS Storage 7320 - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7420 - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7120 - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7110 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7210 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
7000 Appliance OS (Fishworks)

Symptoms

The source data has POSIX-draft style ACLs. When the data is copied over via NFSv4 shadow migration, the ACLs are converted to ZFS ACLs, but two deny entries are created for each POSIX ACL in addition to the expected allow entry.

Example of POSIX ACL data:

# file: Data
# owner: luke
# group: it
user::rwx
user:luke:rwx #effective:rwx
user:mark:rwx #effective:rwx
user:matt:rwx #effective:rwx
user:john:rwx #effective:rwx

Example of resultant ZFS ACLs after shadow migration or NFS copy:

[root@system1] /mnt/data1 # ls -Vd

drwxrwx---+ 3 luke it 6 Nov 14 09:38 .

group:it:rwxpdDaARWcCos:fd----:allow
owner@:rwxp-DaA--cC-s:------:allow
owner@:--------------:------:deny
user:mark:-------A---C--:------:deny
user:mark:rwxp-Da---c--s:------:allow
user:mark:-------A---C--:------:deny
user:matt:-------A---C--:------:deny
user:matt:rwxp-Da---c--s:------:allow
user:matt:-------A---C--:------:deny
user:john:-------A---C--:------:deny
user:john:rwxp-Da---c--s:------:allow
user:john:-------A---C--:------:deny

Cause

After researching this issue, we found that the deny access control entries (ACEs) are not being created by the appliance. The conversion from POSIX-draft ACLs is taking place, but they are first converted to NFSv4 ACLs rather than ZFS ACLs. The deny ACEs are correctly applied in this case according to the best available specification, an Internet-Draft on how POSIX ACLs should map to NFSv4 ACLs, which can be found here: http://tools.ietf.org/id/draft-ietf-nfsv4-acl-mapping-03.txt

Solution

There are no current plans to change this in the software, as it would be a very difficult task to change the NFSv4 specification at this point.

To work around the issue, use NFSv3 to migrate or copy, or use NFSv4 as above and then edit the ACLs with a root-mounted NFSv4 client.
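
Before editing ACLs after an NFSv4 migration, it helps to list which principals picked up deny ACEs and which rights those entries deny. The following is an added example, not part of the original solution or of the appliance software: it parses compact-format ACE lines as printed by `ls -V`, using the listing from the Symptoms section as sample input. The function names are hypothetical.

```python
# Added example: audit compact-format ACEs (as printed by `ls -V`) for deny entries.
# SAMPLE is taken from the listing on this page; function names are hypothetical.
PERM_NAMES = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}

SAMPLE = """\
drwxrwx---+ 3 luke it 6 Nov 14 09:38 .
group:it:rwxpdDaARWcCos:fd----:allow
owner@:rwxp-DaA--cC-s:------:allow
owner@:--------------:------:deny
user:mark:-------A---C--:------:deny
user:mark:rwxp-Da---c--s:------:allow
user:mark:-------A---C--:------:deny
user:matt:-------A---C--:------:deny
user:matt:rwxp-Da---c--s:------:allow
user:matt:-------A---C--:------:deny
user:john:-------A---C--:------:deny
user:john:rwxp-Da---c--s:------:allow
user:john:-------A---C--:------:deny
"""

def parse_aces(text):
    """Yield (who, perms, inherit_flags, ace_type) for each ACE line in text."""
    for line in text.splitlines():
        parts = line.strip().rsplit(":", 3)
        # Non-ACE lines (prompt, ls header, blanks) fail this shape check.
        if len(parts) == 4 and parts[3] in ("allow", "deny"):
            yield tuple(parts)

def deny_report(text):
    """Map each principal with deny ACEs to their count and the rights denied."""
    report = {}
    for who, perms, _flags, ace_type in parse_aces(text):
        if ace_type != "deny":
            continue
        entry = report.setdefault(who, {"count": 0, "denied": set()})
        entry["count"] += 1
        entry["denied"].update(PERM_NAMES[c] for c in perms if c in PERM_NAMES)
    return {w: {"count": e["count"], "denied": sorted(e["denied"])}
            for w, e in report.items()}

if __name__ == "__main__":
    for who, info in deny_report(SAMPLE).items():
        rights = ", ".join(info["denied"]) or "(no rights; empty deny)"
        print(f"{who}: {info['count']} deny ACE(s): {rights}")
```

On the sample listing, each named user carries two deny ACEs covering write_attributes and write_acl, while the owner@ deny entry denies no rights at all.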


Attachments
This solution has no attachment
  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.