TrueNas Scale Permission

[rocketstone]

Hello Community,

I am new to TrueNas Scale but I don't understand or can't seem to get the permissions to work between my applications and datasets. For example I cannot get Radarr access to Dataset where my files are. I have given apps(Internal user under the 568ID) permission, I have changed the ID of the app to a user created ID and given that permissions and I have completely opened the folder to everyone and I just keep getting this error:

2022-01-27 05:14:06.780784+00:00-- Path: Folder is not writable by user kah

I do not know what to do. In TrueNas Core setting permission for jails is so easy, just find the user id inside the jail and give it permissions.

Thank you for your time.

 

[Kris Moore]

Can you show output of "ls -al" of your directory? Curious to see how its set there.

 

[rocketstone]

Here is the output of that command

 

[rocketstone]

Can't edit my previous post. I did 777 from Shell and now the app has access, so it seems the GUI doesn't work completely or idk. But on reboot these settings would be erased according to the warning you get when entering shell which is not good.

 

[truecharts]

It looks like you might be using TrueCharts, please be aware that we have our own support channels and do not offer active support on this forum.
You can file a support ticket with our Support Staff on Discord to look into what is going wrong here.

Also please be aware of the youtube video guides on our youtube by HeavyBullets, which do go into things like permissions.

 

[Kris Moore]

This is because you are using ACL's (SMB style) on the dataset, which isn't necessarily how the local apps will see the dataset. The UI is setting those flags, which will work for your SMB share.

 

[rocketstone]

Hmmm, In that case I guess Scale is not for me. Thanks for the help!

 

[vn_mnm]

Hmmm, In that case I guess Scale is not for me. Thanks for the help!

So is it a bug in TrueNAS SCALE or in Truecharts buddy ?

 

[anodos]

Hmmm, In that case I guess Scale is not for me. Thanks for the help!

What are the permissions for the full path? You might be missing execute on some path component. I believe there was a change to more carefully validate that apps have access to paths that are added to them. Basically setresuid() to user that is supposed to have access and then perform check. If you still have SCALE installed, please send me a debug.

 

[ClassicGOD]

Can't edit my previous post. I did 777 from Shell and now the app has access, so it seems the GUI doesn't work completely or idk. But on reboot these settings would be erased according to the warning you get when entering shell which is not good.

Gui works it looks to me that you just did not apply permissions recursively so they only applied to the top folder. So while app user had access to the dataset the subdirectories were not writable for that user.

 

[anodos]

Gui works it looks to me that you just did not apply permissions recursively so they only applied to the top folder. So while app user had access to the dataset the subdirectories were not writable for that user.

Oh, sorry, glossed over that. Good catch.

 

[rocketstone]

It looks like you might be using TrueCharts, please be aware that we have our own support channels and do not offer active support on this forum.
You can file a support ticket with our Support Staff on Discord to look into what is going wrong here.

Also please be aware of the youtube video guides on our youtube by HeavyBullets, which do go into things like permissions.

I'm but I must inform you a lot if not all the links in the guides provided by TrueCharts or it's videos on youtube all point to a 404 error page like this one for linking apps internally doesn't work: Link from youtube video to Link your apps internally.

What are the permissions for the full path? You might be missing execute on some path component. I believe there was a change to more carefully validate that apps have access to paths that are added to them. Basically setresuid() to user that is supposed to have access and then perform check. If you still have SCALE installed, please send me a debug.

I did have everything selected I always have recursive selected for any change I make. But I cannot show you a debug unfortunately because I got frustrated and deleted scale off and went to unraid, but the amount of drives and their size is too massive for UnRaid and it would take 5 days for the parity to work, so unfortunately I need scale to work, So I have returned and I'm taking a whole different approach to my issues.

Gui works it looks to me that you just did not apply permissions recursively so they only applied to the top folder. So while app user had access to the dataset the subdirectories were not writable for that user.

I always apply every change recursively. But I have re-installed scale so I'm trying again fresh and taking a different route.

 

[anodos]

If paths are being added to apps as a "host path", perhaps try using NFSv4 ACL type with "aclmode" set to passthrough (just make sure to set some explicit group entries (not just group@) and set them to inherit). This will make it so that even if the app decides to perform chmod internally in the app, it won't break access for other apps or filesharing users.


If you have an entry for "BUILTIN_USERS" group granting MODIFY or FULL_CONTROL, that will ensure all SMB users have access. Then you need to understand what services may be relevant in the apps and add ACL entries for their ids as well, e.g. uid 1000 for plex.

 

[rocketstone]

If paths are being added to apps as a "host path", perhaps try using NFSv4 ACL type with "aclmode" set to passthrough (just make sure to set some explicit group entries (not just group@) and set them to inherit). This will make it so that even if the app decides to perform chmod internally in the app, it won't break access for other apps or filesharing users.


If you have an entry for "BUILTIN_USERS" group granting MODIFY or FULL_CONTROL, that will ensure all SMB users have access. Then you need to understand what services may be relevant in the apps and add ACL entries for their ids as well, e.g. uid 1000 for plex.

I have solved my permissions issue by dedicating datasets to each app then having files I need to view in those apps files sync to another dataset that has a share enabled so I can view it from my computer. I would try NFS but in my experience it's only been hell and never plays well with any of my other services so I have to stick with SMB.

This fix is only needed for TrueCharts apps though, so maybe something is wrong with those apps themselves because everything produced and maintained by TrueNas themselves just works perfectly without having to go this route.

Thanks everyone!

 

[fw_crocodile]

I don't know if this is still your situation, but my first understanding is that you should take care of the differences between the various ACLs available.

The GUI ACLs management use nfs4xdr_getfacl/nfs4xdr_editfacl commands to manipuate ACLs in xdr format.
But on the system you also have nfs4_getfacl and nfs4_editfacl (I don't know which format they use)
Then you have the "normal" linux POSIX ACLs tools getfacl/setfacl (not a good ACLs format for shares)

I'm sure that the normal linux tool work for "local" access, like Kubernetes apps! (I use it to grant Photoprism access to my files keeping the original ownership)

anselmo@truenas:/mnt/nathan/backup/archivi$ getfacl Photo
# file: Photo
# owner: anselmo
# group: anselmo
user::rwx
user:apps:rwx
user:anselmo:rwx
group::rwx
group:apps:rwx
mask::rwx
other::---

I know the GUI is using xdr format for the ACLs

So my first try would be to use nfs4xdr commands to see if their applied rights would work also for local access, easiest case. If this is not the case, I suppose you would have to mix various types of ACLs on your paths.