Linux – GlusterFS permissions on different clients

glusterfslinuxpermissionssftp

I have an issue using GlusterFS to replace an existing, non HA, NFS setup to share data between machines. A bit about the configuration first:

The proof-of-concept glusterfs is a setup with 2 machines and a replicated volume. Then there are 2 clients that import this volume. One client is an SFTP server for customers to connect and send their files and the other is the server where our applications runs.

The issue I'm ecountering is about users and permissions.
The user that connects to the SFTP server will be jailed in a specific directory (chroot) and SFTP requires strict permissions (the directory to be owned by the root user and root to be the only user allowed write permission)
At the same time the application, running as a specific user, on the other server will need full access on the directory tree.

The setup I'm replacing uses NFS and the export is mounted with different ownership/permissions (using the uid and gid option while mounting) on the two clients; this way the users on the two servers have the permissions they need.

GlusterFS, on the other hand, AFAIK, doesn't allow a volume to be mounted with specific ownership on each machine. I'm aware GlusterFS is POSIX compliant and I can make use of the standard permissions systems and ACL

I've thought and/or tested few options, but none is satisfactory to me.

Using ACL: when adding the app server's user the read/write permission, it will consider that permission a "group" permission and SFTP will complain.
Creating a common user across the machines: not very flexible, relies on sysadmins to mantain the common user, and when moving to production the situation will complicate because more systems will have to interact.
Mount on a different place and bind to the correct directory. But then I discovered I can't change ownership…
Using NFS/Ganesha or SAMBA. This is overkilling, I can install the glusterfs client and I don't want to use additional layers that have to be configured and mantained.

The volume itself and all its content are owned by user root and group root.

Does any of you have a better idea? Or knows a feature of GlusterFS that allows me a simpler setup?

Thanks in advance.

Best Answer

I think I've found an acceptable solution. I forgot about a behaviour of the SFTP daemon. It's true that SFTP need the jail directory to be owned by user root and only root to have write permissions. But the subdirectories can have any permission.

Instead of configuring ACL to the root of the gluster volume, I change the ACL only for the content of a jail directory, in this way:

Client 1 - App Server

root@appsrv$ cd /path/to/gluster/volume
root@appsrv$ chown -R root:root *
root@appsrv$ chmod -R 2750 *
root@appsrv$ ls -la
total 6
drwxr-x--- 14 root    root      ./
drwxr-xr-x  4 appuser appgroup  ../
drwxr-xr-x  3 root    root      .trashcan/
drwxr-s---  5 root    root      User1/
drwxr-s---  5 root    root      User2/
drwxr-s---  5 root    root      User3/

root@appsrv$ setfacl -Rm u:appuser:rwx */*
root@appsrv$ setfacl -Rm g:appgroup:rx */*
root@appsrv$ setfacl -Rdm u:appuser:rwx */*
root@appsrv$ setfacl -Rdm g:appgroup:rx */*

root@appsrv$ ls -la
total 6
drwxr-x---  14 root    root      ./
drwxr-xr-x   4 appuser appgroup  ../
drwxr-xr-x   3 root    root      .trashcan/
drwxr-s---+  5 root    root      User1/
drwxr-s---+  5 root    root      User2/
drwxr-s---+  5 root    root      User3/

Client 2 - SFTP Server

root@sftpsrv$ cd /path/to/gluster/volume
root@sftpsrv$ setfacl -Rm g:sftpgroup:rx *
root@sftpsrv$ setfacl -Rm g:sftpgroup:rwx */input
root@sftpsrv$ setfacl -Rdm g:sftpgroup:rx *
root@sftpsrv$ setfacl -dRm g:sftpgroup:rwx */input

root@sftpsrv$ ls -la
total 6
drwxr-x---  14 root root ./
drwxr-xr-x   4 root root ../
drwxr-xr-x   3 root root .trashcan/
drwxr-x---+  5 root root User1/
drwxr-x---+  5 root root User2/
drwxr-x---+  5 root root User3/

Now the SFTP works correctly and doesn't complain about permissions and the application server has full access where it needs

Related Solutions

How do GlusterFS permissions work on Linux

From their FAQ GlusterFS is fully POSIX complaint

So you should be able to setup the permissions as you normally would. On linux permissions are based on user id (UID) and group id (GID), which you could check with something like ls -ln the '-n' will return the numerical vaules instead of the 'username'.

Linux – Managing Linux Directory Permissions & SFTP

The problem is that sftp runs as the user's id -- first, the sftp client ssh's into the target host as the given user, then runs sftp-server. Since sftp-server is running as a regular user, it has no way to "give away" a file (change owner of a file).

However, if you are able to use scp, and assign a key pair to each user, you can get around this. This involves adding a user's key to root's ~/.ssh/authorized_keys file, with a "command=" parameter to force it to run a script that sanitizes and alters the arguments of the server-side scp program. I've used this technique before to set up an anonymous scp dropbox that allowed anyone to submit a file, and ensure that no one could retrieve submitted files and also prevent overwrites.

If you are open to this technique, let me know and I'll update this post with a quick recipe.

Edit: Based on comments, here's my recipe that I originally used to set up an anonymous dropbox. But it should work for this purpose also.

If you want John to write to upload files to /var/www/webstuff, and have any files written to it owned by the user id apache, then:

1) Generate an ssh key pair:

ssh-keygen -t rsa -f john-scp-key

2) Edit the public key file "john-scp-key.pub", and insert a "command=" statement at the beginning as follows:

command="/usr/local/bin/strictscp ^/var/www/webstuff" ssh-rsa AAAA..... (reset
of key follows)

3) Add the contents of john-scp-key.pub to ~apache/.ssh/authorized_keys file (create the file if it doesn't exist, making sure that both the .ssh directory and authorized_keys are owned by apache, and not writable by either group or world)

4) Create the script /usr/local/bin/strictscp as follows:

#!/bin/sh
read cmd arg1 arg2 <<EOT
$SSH_ORIGINAL_COMMAND
EOT
if [ "$cmd" = scp -a "$arg1" = -t ] && echo "$arg2" |grep "$1" >/dev/null 2>&1
then
    eval $cmd $arg1 $arg2
fi

5) Now give the private key file john-scp-key to John, and have him copy files to your web server like this:

scp -i john-scp-key some_file.html apache@yourserver:/var/www/webstuff/

The way this works is when you use scp to copy a file to a server, the scp client uses ssh to execute "scp -t /path/name" on the server. When using a key pair, you can override the command that gets executed and force a specific command to run when that key is used. The original command that was requested, along with its arguments, is in the environment variable "$SSH_ORIGINAL_COMMAND". So we point COMMAND= to a script that checks for allowed arguments (in this case, it verifies that the third argument is the specific directory we want to write stuff to), so that this key is only good for its intended purpose and can't be used to run arbitrary commands on the server.

You can lock down the strictscp script a bit further by checking if the target file exists or not, and you can also add a chgrp command to the end to set the file's group ownership (assuming that apache is a member of that group).

Hope this helps -- if you have any problems with it, let me know and I'll see if I can improve this answer further.

Best Answer

Related Solutions

How do GlusterFS permissions work on Linux

Linux – Managing Linux Directory Permissions & SFTP

Related Topic