I found this inconsistent behaviour on an empty directory I created:
Attributes before anything:
EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr ls ivan_test/
sys.acl="egroup:eulake-devops:rwx,u:8619:rwx,u:10761:rwx,u:57357:rwx,u:32117:rwx,u:33378:rwx,u:12527:rwx"
sys.forced.checksum="adler"
Forbid writing for myself:
EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> chmod 444 ivan_test/
success: mode of file/directory /eulake/lcg/test/hammercloud/atlas/ivan_test is now '2444'
Still able to set the attribute (is it because I’m the dir owner or because I’m in sys.acl?):
EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr set user.forced.placementpolicy=gathered:CERN ivan_test/
Check that the attribute is actually set:
EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr ls ivan_test/
sys.acl="egroup:eulake-devops:rwx,u:8619:rwx,u:10761:rwx,u:57357:rwx,u:32117:rwx,u:33378:rwx,u:12527:rwx"
sys.forced.checksum="adler"
user.forced.placementpolicy="gathered:CERN"
Try removing the attribute and I can’t:
EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr rm user.forced.placementpolicy ivan_test/
error: unable to remove attribute 'user.forced.placementpolicy' in file/directory /eulake/lcg/test/hammercloud/atlas/ivan_test
(errc=1) (Operation not permitted)
But I can when I allow writing to the directory:
EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> chmod 744 ivan_test/
success: mode of file/directory /eulake/lcg/test/hammercloud/atlas/ivan_test is now '2744'
EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr rm user.forced.placementpolicy ivan_test/
success: removed attribute 'user.forced.placementpolicy' from file/directory /eulake/lcg/test/hammercloud/atlas/ivan_test
I’m user 12527:
EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> whoami
Virtual Identity: uid=12527 (12527,99) gid=1307 (1307,99) [authz:krb5] host=lxplus083.cern.ch
What is the expected behaviour here? Is attribute creation not affected by unix permissions, but attribute deletion is? Or is attribute creation covered by sys.acl, but attribute deletion is not?