mgr/smb: Add acl_xattr configuration to share definition
authorAnoop C S <anoopcs@cryptolab.net>
Wed, 19 Jun 2024 13:56:03 +0000 (19:26 +0530)
committerAnoop C S <anoopcs@cryptolab.net>
Fri, 5 Jul 2024 14:20:20 +0000 (19:50 +0530)
Samba can store full Windows (NT) ACLs, bypassing any lossy mapping
to and from POSIX ACLs. We therefore stack an additional module in
front of ceph to store NTACLs in a special extended attribute. Due to
certain limitations within containers, the default xattr from the security
namespace can't be used. Instead, we configure a similar xattr in the more
flexible 'user' namespace with the help of an option to the module.

ref: https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html
Signed-off-by: Anoop C S <anoopcs@cryptolab.net>
qa/suites/orch/cephadm/smb/tasks/deploy_smb_basic.yaml
qa/suites/orch/cephadm/smb/tasks/deploy_smb_domain.yaml
src/pybind/mgr/smb/handler.py
src/pybind/mgr/smb/tests/test_smb.py

index 3648f39483d393db801c266cf3075be16174263c..5982bd82057386c93c189007227497b40e0abbde 100644 (file)
@@ -43,8 +43,9 @@ tasks:
             globals = ["default", "domain"]
             instance_name = "SAMBA"
             [shares.share1.options]
-            "vfs objects" = "ceph"
+            "vfs objects" = "acl_xattr ceph"
             path = "/"
+            "acl_xattr:security_acl_name" = "user.NTACL"
             "ceph:config_file" = "/etc/ceph/ceph.conf"
             "ceph:user_id" = "smbdata"
             "kernel share modes" = "no"
index 541d5ac1fa7ddb9a869ff8e26284ae1b5a2cc5be..05fc1d459ef9036d6ff11d9fcc3b2aed35eb599f 100644 (file)
@@ -42,8 +42,9 @@ tasks:
           globals = ["default", "domain"]
           instance_name = "SAMBA"
           [shares.share1.options]
-          "vfs objects" = "ceph"
+          "vfs objects" = "acl_xattr ceph"
           path = "/"
+          "acl_xattr:security_acl_name" = "user.NTACL"
           "ceph:config_file" = "/etc/ceph/ceph.conf"
           "ceph:user_id" = "smbdata"
           "kernel share modes" = "no"
index 84702e72f7885a5d99ee517ddae01e7671d049b4..bbd39f6e8660017947f364e01b5acc60dc399266 100644 (file)
@@ -977,7 +977,8 @@ def _generate_share(
         # smb.conf options
         'options': {
             'path': path,
-            "vfs objects": "ceph",
+            "vfs objects": "acl_xattr ceph",
+            'acl_xattr:security_acl_name': 'user.NTACL',
             'ceph:config_file': '/etc/ceph/ceph.conf',
             'ceph:filesystem': share.cephfs.volume,
             'ceph:user_id': cephx_entity,
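Review bot: The new `'acl_xattr:security_acl_name': 'user.NTACL'` entry moves the NT security descriptor out of the protected `security` namespace, and nothing in this hunk records what that costs. As I read the vfs_acl_xattr man page linked in the commit message, a `user.` xattr can be read and overwritten by anyone who reaches the file outside Samba (local access, SSH, NFS), and the module only blocks access to it over SMB. If the same CephFS path can also be mounted directly or exported another way, the stored ACL is only as trustworthy as write access on that path, so I would add a comment above the entry such as `# NT ACLs are kept in user.NTACL because security.* is unusable in containers; the xattr is not protected from non-SMB access to the same path`. The literal is repeated in both QA YAML files and twice in `test_share_dump_config`, so a module-level constant in handler.py would give the generator a single definition to change. `_generate_share` starts and ends outside this hunk.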
index 4ee55e0aa90d1dbd46aa3caace53b65d9b370877..74d2b8d3f82b8b69d65b099e4eeaa3bd6f90ddc6 100644 (file)
@@ -421,7 +421,8 @@ def test_share_dump_config(tmodule):
                     'browseable': 'Yes',
                     'kernel share modes': 'no',
                     'x:ceph:id': 'foo.s1',
-                    'vfs objects': 'ceph',
+                    'vfs objects': 'acl_xattr ceph',
+                    'acl_xattr:security_acl_name': 'user.NTACL',
                     'ceph:config_file': '/etc/ceph/ceph.conf',
                     'ceph:filesystem': 'cephfs',
                     'ceph:user_id': 'smb.fs.cluster.foo',
@@ -434,7 +435,8 @@ def test_share_dump_config(tmodule):
                     'browseable': 'Yes',
                     'kernel share modes': 'no',
                     'x:ceph:id': 'foo.stwo',
-                    'vfs objects': 'ceph',
+                    'vfs objects': 'acl_xattr ceph',
+                    'acl_xattr:security_acl_name': 'user.NTACL',
                     'ceph:config_file': '/etc/ceph/ceph.conf',
                     'ceph:filesystem': 'cephfs',
                     'ceph:user_id': 'smb.fs.cluster.foo',