Fix get inherited ACL when top-level ds has ACL (#14141)

It's technically possible that a user creates a zpool with the top level dataset configured with NFSv4 acltype and then modifies it via shell-based utilities outside of our API. In this case we need to allow skipping ACL path validation that prevents using the top-level dataset of a pool while calculating what our inherited ACL should be for a newly-created dataset. (cherry picked from commit f2f8e2a) Co-authored-by: Andrew Walker <[email protected]>
truenas · Aug 6, 2024 · 3e90795 · 3e90795
1 parent ca32f89
commit 3e90795
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/src/middlewared/middlewared/plugins/filesystem_/acl_linux.py b/src/middlewared/middlewared/plugins/filesystem_/acl_linux.py
@@ -32,7 +32,7 @@ def acltool(self, path, action, uid, gid, options):
         if acltool.returncode != 0:
             raise CallError(f"acltool [{action}] on path {path} failed with error: [{acltool.stderr.decode().strip()}]")
 
-    def _common_perm_path_validate(self, schema, data, verrors):
+    def _common_perm_path_validate(self, schema, data, verrors, pool_mp_ok=False):
         loc = path_location(data['path'])
         if loc is FSLocation.EXTERNAL:
             verrors.add(f'{schema}.path', 'ACL operations on remote server paths are not possible')
@@ -69,10 +69,11 @@ def _common_perm_path_validate(self, schema, data, verrors):
             )
 
         elif len(Path(st['realpath']).resolve().parents) == 2:
-            verrors.add(
-                f'{schema}.path',
-                f'The specified path is a ZFS pool mountpoint "({path})" '
-            )
+            if not pool_mp_ok:
+                verrors.add(
+                    f'{schema}.path',
+                    f'The specified path is a ZFS pool mountpoint "({path})" '
+                )
 
         elif self.middleware.call_sync('pool.dataset.path_in_locked_datasets', st['realpath']):
             verrors.add(
@@ -859,7 +860,7 @@ def add_to_acl(self, job, data):
     def get_inherited_acl(self, data):
         init_path = data['path']
         verrors = ValidationErrors()
-        self._common_perm_path_validate('filesystem.add_to_acl', data, verrors)
+        self._common_perm_path_validate('filesystem.get_inherited_acl', data, verrors, True)
         verrors.check()
 
         current_acl = self.getacl(data['path'], False)