From 0a84ad1bcfc035ddcc69f218002ea4acd900e52e Mon Sep 17 00:00:00 2001
From: Andrew Walker
Date: Mon, 5 Aug 2024 10:39:48 -0700
Subject: [PATCH] Fix get inherited ACL when top-level ds has ACL

It's technically possible that a user creates a zpool with the top level dataset configured with NFSv4 acltype and then modifies it via shell-based utilities outside of our API. In this case we need to allow skipping ACL path validation that prevents using the top-level dataset of a pool while calculating what our inherited ACL should be for a newly-created dataset.

(cherry picked from commit f2f8e2a05ec6c02416cb875596fc5d98d5fa0431)
---
 .../middlewared/plugins/filesystem_/acl_linux.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/middlewared/middlewared/plugins/filesystem_/acl_linux.py b/src/middlewared/middlewared/plugins/filesystem_/acl_linux.py
index 62dc7b4d35e25..a9723dd804dcf 100644
--- a/src/middlewared/middlewared/plugins/filesystem_/acl_linux.py
+++ b/src/middlewared/middlewared/plugins/filesystem_/acl_linux.py
@@ -32,7 +32,7 @@ def acltool(self, path, action, uid, gid, options):
 if acltool.returncode != 0:
 raise CallError(f"acltool [{action}] on path {path} failed with error: [{acltool.stderr.decode().strip()}]")

- def _common_perm_path_validate(self, schema, data, verrors):
+ def _common_perm_path_validate(self, schema, data, verrors, pool_mp_ok=False):
 loc = path_location(data['path'])
 if loc is FSLocation.EXTERNAL:
 verrors.add(f'{schema}.path', 'ACL operations on remote server paths are not possible')
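Review bot: The new `pool_mp_ok` parameter on `_common_perm_path_validate` turns off a path-validation guard, but nothing at the signature says which guard or who is expected to use it. A short comment under the `def` line would keep later callers from enabling it casually, for example `# pool_mp_ok=True skips the "ZFS pool mountpoint" rejection; leave it False for callers that change permissions`. That wording is inferred from the commit message, which describes the bypass as needed only while calculating an inherited ACL. The function body continues outside this hunk.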
@@ -69,10 +69,11 @@ def _common_perm_path_validate(self, schema, data, verrors):
 )

 elif len(Path(st['realpath']).resolve().parents) == 2:
- verrors.add(
- f'{schema}.path',
- f'The specified path is a ZFS pool mountpoint "({path})" '
- )
+ if not pool_mp_ok:
+ verrors.add(
+ f'{schema}.path',
+ f'The specified path is a ZFS pool mountpoint "({path})" '
+ )

 elif self.middleware.call_sync('pool.dataset.path_in_locked_datasets', st['realpath']):
 verrors.add(
@@ -859,7 +860,7 @@ def add_to_acl(self, job, data):
 def get_inherited_acl(self, data):
 init_path = data['path']
 verrors = ValidationErrors()
- self._common_perm_path_validate('filesystem.add_to_acl', data, verrors)
+ self._common_perm_path_validate('filesystem.get_inherited_acl', data, verrors, True)
 verrors.check()

 current_acl = self.getacl(data['path'], False)
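Review bot: With `pool_mp_ok=True`, a pool mountpoint still matches the `elif len(...) == 2:` branch and then does nothing, so the `pool.dataset.path_in_locked_datasets` branch that follows is never evaluated for that path. The same holds for any later branch of the chain, which starts and ends outside this hunk. If the locked-dataset check should still apply to a pool's top-level dataset, move the flag into the condition instead of nesting it: `elif len(Path(st['realpath']).resolve().parents) == 2 and not pool_mp_ok:`, with the `verrors.add(...)` body kept as it was before the change. If skipping the later checks is intended, a comment in the branch saying so would make that explicit.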
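Review bot: The bare `True` in the `_common_perm_path_validate` call inside `get_inherited_acl` does not tell a reader which check is being relaxed. Passing it by keyword, `self._common_perm_path_validate('filesystem.get_inherited_acl', data, verrors, pool_mp_ok=True)`, makes the bypass visible at the call site and easy to grep for when auditing which callers skip the pool-mountpoint rejection. The rest of `get_inherited_acl` lies outside the hunk, so only the `getacl` read of the path is visible from here.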