Mounting Using fstab. Mounted Directory Permissions (V2)

[carcioni]

blobfuse2 version 2.0.4

We are attempting to use blobfuse to mount a directory, with a specific user and set of permissions using /etc/fstab as opposed to a systemd service. The systemd service works fine with respect to permissions, but things behave a bit different using /etc/fstab.

The scenario we would like to see is:

Mount the Azure storage using the uid/gid of a specific user: uid=26,gid=26 (my postgres user and group)
allow the postges user to read/write the mounted directory based on the 'default-permission' settings.

What we are seeing is:

The uid/gid settings of the mount request do not appear to be honored, and unless we enable 'allow-other' the postgres user cannot access the mount. (permission denied)

Details:

With 'allow-other' set to true. the file permissions are wide open (rwx-rwx-rwx), the file owner and group are 'postgres'.

Without 'allow-other' set to true, the file permissions are as configured by 'default-permission' (rwx--------), but the postgres user cannot access the mount, only the 'root' user can, so the uid/gid is being ignored

From the code, it appears that when 'allow-other' is set to true, a set of 'default' permissions are are applied, and the requested permissions set by 'default-permission' get completely ignored. Is there away to either NOT require 'allow-other' and have the uid/gid values honored along with the permissions, or can we get the 'allow-other' to use the 'default-permission' settings if they exist, otherwise fall back to the defaults?

Any help would be appreciated.

Cheers
David

============================================================

/etc/fstab entry:
blobfuse /data/pgsql/9.6/backups/recovery fuse delay_connect,_netdev,--config-file=/data/pgsql/scripts/fuse_connection.yaml 0 0

yaml file

allow-other: true

logging:
type: syslog
level: log_info
max-file-size-mb: 40
file-count: 10

components:
- libfuse
- file_cache
- azstorage

libfuse:
attribute-expiration-sec: 120
entry-expiration-sec: 120
negative-entry-expiration-sec: 240
default-permission: 0700
uid: 26
gid: 26

file_cache:
path: /data/temp/blobfuse.dbrecovery.tmp
timeout-sec: 30
max-size-mb: 0
cleanup-on-start: true

azstorage:
account-name: *********
account-key: ***************************************************************************==
container: dbrecovery
use-adls: true (set to true if you are using a hierarchical namespace in the storage, to allow for directories and permissions to be handled)

[vibhansa-msft]

Your understanding is correct here. In case of non-HNS accounts if 'allow-other' is configured then permissions will appear as '777'. As user has asked to share the mount path with everyone this is necessary. UID/GID only helps you show a different owner of the file after the mount but we have observed that it does not grant you access and the mounted path still remain under the permissions of the mounting user (in case of fstab its root) and hence allow_other is required. If you have an HNS account these can be controlled at finer level but for non-HNS account this is the design choice we have and nothing much can be given here as workaround for now.

[carcioni]

Thanks for you response and insights.
We will try using the Hierarchical Namespace and see if it allows us to accomplish what we are trying to do.

[vibhansa-msft]

with HNS if you have set the ACLs correctly for the user/group/others after the mount you will see the same permissions reflected back in your mounted path. With fstab now you can mount with allow_other and it will not override it with 777 instead the ACLs set in blob will be respected.

[carcioni]

Assuming we converted the storage to use HNS, and created a directory structure within the storage, would it show up using an fstab mount? At this point, we are not seeing the directory structure after converting the storage, and creating a couple of directories (dir-1 and dir-2). I am guessing this is a limitation of Azure storage as opposed to blobfuse.

Eg:

mystorage container:

test-file1.txt
test-file2.txt
dir-1/file1.txt
dir-1/file2.txt
dir-2/file3.txt
dir-2/file4.txt

mounted 'mystorage' on /data/storage and we only see 'test-file1.txt' and 'test-file2.txt'

ls -l /data/mystrorage
.rwxrwxrwx test-file1.txt
.rwxrwxrwx test-file2.txt

[vibhansa-msft]

did you create directories in HNS account or non HNS. If you are mounting HNS account using blobfuse you need to provide a special input through cli or config file stating the same. Kindly follow our README to have the correct options.

[carcioni]

Thanks again.
We missed the part about setting the storage attribute 'use-adls' to true in the configuration.
This allowed us to see the directories.
I'm not sure it solves the permissions problems yet, but we are still working on it.

[carcioni]

It does seem to solve the permission issues too.
Thanks for all your help.
I will update the post to reflect the correct configuration for other peoples reference.