What is the correct way to sync ACLs across two servers?
Example: I want user1 to have access to user2's mailbox. I do this on server1: doveadm acl set shared/user2 user=user1 admin create delete expunge insert lookup read write write-deleted write-seen
Now user1 can see shared/user2 when logged in to server1. (Looks good!) He still has no access when logged in to server2. (Seems correct.) So I do a synchronization: doveadm sync -u user2 remote:server2
...and nothing changes. He still has access only when logged in to server1. So I force a full synchronization: doveadm sync -u user2 -f remote:server2
...and success! user1 has access to shared/user2 on both servers now.
But now I want to remove the access. So I do this on server1: doveadm acl delete shared/user2 user=user1
Of course the above affects only server1, so user1 still has access when logged in to server2. So now I do a synchronization: doveadm sync -u user2 remote:server2
Nothing happens. :-( So I try to do a full sync: doveadm sync -u user2 -f remote:server2
...disaster! The ACL is COPIED BACK from server2 to server1, effectively restoring access to shared/user2 on both servers again. (WTH?)
So the big question is: how to do it properly? It would be enough for me if ACLs were copied only one way (server1->server2), but bidirectional replication would of course also be nice. :-)
Configs:

    namespace {
      disabled = no
      hidden = no
      ignore_on_failure = no
      inbox = no
      list = children
      location = maildir:%%h/.maildir:LAYOUT=fs:INDEX=~/.shared/%%u
      order = 0
      prefix = shared/%%u/
      separator = /
      subscriptions = no
      type = shared
    }
    plugin {
      acl = vfile:/etc/dovecot/mailconfig/global-acls
      acl_defaults_from_inbox = yes
      acl_shared_dict = file:/etc/dovecot/mailconfig/shared/shared-mailboxes
    }
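An added example, not part of the thread and not Dovecot's own code: before forcing a `doveadm sync -f`, compare the mailbox's dovecot-acl file as it stands on each server and generate the one-way `doveadm acl set` / `doveadm acl delete` commands that make server2 match server1 (the one-way behaviour asked for above). It assumes the two files were already fetched from each server (for example with scp) and are passed in as text, that the commands are run by an administrator with `-u <owner>` against the owner's INBOX, and that negative rights are not in use; the sample file contents are constructed to mirror the situation described in the thread.

```python
"""Compare the per-mailbox ACL file (the vfile backend's dovecot-acl format)
for one mailbox as it stands on two Dovecot servers, and print the doveadm
commands that would make the second server match the first, one way.

Added example for this thread; it is not Dovecot's code. Assumptions (mine,
not from the thread): the two dovecot-acl files have already been copied
from each server (e.g. with scp) and are passed in as text; the generated
commands are run as an administrator with `-u <owner>` so the owner's INBOX
is addressed directly; negative rights ("-" prefixed) are not handled.
"""
from __future__ import annotations

# IMAP ACL right letters (RFC 4314) in the order Dovecot prints them, mapped
# to the right names that `doveadm acl set` / `doveadm acl delete` accept.
RIGHT_ORDER = "lrwstipekxa"
RIGHT_NAMES = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
}


def parse_dovecot_acl(text: str) -> dict[str, frozenset[str]]:
    """Parse dovecot-acl lines of the form '<identifier> <rights>'.

    identifier is 'owner', 'anyone', 'authenticated', 'user=<name>' or
    'group=<name>'; rights is a run of letters such as 'lrwstiekxa'.
    Blank lines and '#' comments are skipped; a repeated identifier merges.
    """
    acl: dict[str, set[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<identifier> <rights>', got {raw!r}")
        ident, letters = parts
        unknown = sorted(set(letters) - set(RIGHT_NAMES))
        if unknown:
            raise ValueError(f"line {lineno}: unknown right letter(s) {unknown}")
        acl.setdefault(ident, set()).update(RIGHT_NAMES[c] for c in letters)
    return {ident: frozenset(rights) for ident, rights in acl.items()}


def rights_in_dovecot_order(rights: frozenset[str]) -> list[str]:
    """Order right names the way `doveadm acl debug` lists them."""
    return [RIGHT_NAMES[c] for c in RIGHT_ORDER if RIGHT_NAMES[c] in rights]


def acl_drift(source: dict[str, frozenset[str]],
              target: dict[str, frozenset[str]]) -> dict[str, tuple]:
    """Identifiers whose rights differ between the servers: ident -> (source, target)."""
    return {
        ident: (source.get(ident), target.get(ident))
        for ident in sorted(set(source) | set(target))
        if source.get(ident) != target.get(ident)
    }


def plan_one_way(source: dict[str, frozenset[str]], target: dict[str, frozenset[str]],
                 owner: str, mailbox: str = "INBOX") -> list[str]:
    """doveadm commands to run on the target server so that `mailbox` of `owner`
    carries exactly the source server's ACL (source wins; entries that only the
    target has are deleted)."""
    cmds = []
    for ident, (src, _tgt) in acl_drift(source, target).items():
        if src is None:
            cmds.append(f"doveadm acl delete -u {owner} {mailbox} {ident}")
        else:
            cmds.append(f"doveadm acl set -u {owner} {mailbox} {ident} "
                        + " ".join(rights_in_dovecot_order(src)))
    return cmds


# Constructed sample input mirroring the thread: on server1 micha's entry has
# just been removed with `doveadm acl delete`; server2 still grants micha the
# rights listed by the thread's `doveadm acl debug` output (no "post").
SERVER1_ACL = "owner lrwstipekxa\n"
SERVER2_ACL = "owner lrwstipekxa\nuser=micha lrwstiekxa\n"

if __name__ == "__main__":
    s1 = parse_dovecot_acl(SERVER1_ACL)
    s2 = parse_dovecot_acl(SERVER2_ACL)
    for ident, (src, tgt) in acl_drift(s1, s2).items():
        print(f"{ident}: server1={sorted(src or ())} server2={sorted(tgt or ())}")
    print("run on server2:")
    for cmd in plan_one_way(s1, s2, owner="aga"):
        print("  " + cmd)
```

Run it against the real files and apply the printed commands on server2 before any forced sync; swapping the arguments (`plan_one_way(s2, s1, ...)`) shows what a sync in the other direction would write back, which is the check a one-sided deletion like the one above needs.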
On 14/05/2023 20:14 EEST micha--- via dovecot <dovecot@dovecot.org> wrote:
doveadm sync should sync all your local ACLs just fine. Global ACL you need to sync yourself.
Aki
On 14/05/2023 20:38 EEST Przemysław Kwiatkowski via dovecot <dovecot@dovecot.org> wrote:
On 14.05.2023 at 19:33, Aki Tuomi wrote:
doveadm sync should sync all your local ACLs just fine.
So... why does it not?
--
MiCHA
I forgot to write,
try doveadm -D to find out what's happening. You are loading acl plugin globally right? On both ends?
Aki
On 14.05.2023 at 19:45, Aki Tuomi wrote:
doveadm sync should sync all your local ACLs just fine.
So... why does it not?
I forgot to write,
try doveadm -D to find out what's happening. You are loading acl plugin globally right? On both ends?
Yes, acl is on.
Look here. Identical access is given on both ends:
$ doveadm acl debug -u micha shared/aga
doveadm(micha): Info: Mailbox 'INBOX' is in namespace 'shared/aga/'
doveadm(micha): Info: Mailbox path: /srv/vmail/spinaczbiurowy/aga/.maildir
doveadm(micha): Info: All message flags are shared across users in mailbox
doveadm(micha): Info: User micha has rights: lookup read write write-seen write-deleted insert expunge create delete admin
doveadm(micha): Info: Mailbox found from dovecot-acl-list
doveadm(micha): Info: User aga found from ACL shared dict
doveadm(micha): Info: Mailbox shared/aga is visible in LIST
Now, I remove permission on one server:
$ doveadm acl delete shared/aga user=micha
$ doveadm acl debug -u micha shared/aga
doveadm(micha): Info: Mailbox 'INBOX' is in namespace 'shared/aga/'
doveadm(micha): Info: Mailbox path: /srv/vmail/spinaczbiurowy/aga/.maildir
doveadm(micha): Info: All message flags are shared across users in mailbox
doveadm(micha): Info: User micha has no rights for mailbox
doveadm(micha): Error: User micha is missing 'lookup' right
doveadm(micha): Info: Mailbox shared/aga is NOT visible in LIST
I perform sync:
$ doveadm -D sync -u aga remote:vmail@lennier
[...]
May 14 20:59:14 doveadm(aga)<34202><>: Debug: auth-master: userdb lookup(aga): Finished userdb lookup (username=aga uid=5000 gid=5000 system_groups_user=vmail home=/srv/vmail/spinaczbiurowy/aga)
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: Effective uid=5000, gid=5000, home=/srv/vmail/spinaczbiurowy/aga
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/.maildir:LAYOUT=fs
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: fs: root=/srv/vmail/spinaczbiurowy/aga/.maildir, index=, indexpvt=, control=, inbox=/srv/vmail/spinaczbiurowy/aga/.maildir, alt=
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl: initializing backend with data: vfile:/etc/dovecot/mailconfig/shared/global-acls
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl: acl username = aga
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl: owner = 1
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: Global ACL file: /etc/dovecot/mailconfig/shared/global-acls
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=no location=maildir:%h/.maildir:LAYOUT=fs:INDEX=~/.shared/%u
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: shared: root=/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl: initializing backend with data: vfile:/etc/dovecot/mailconfig/shared/global-acls
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl: acl username = aga
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl: owner = 0
May 14 20:59:14 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: Global ACL file: /etc/dovecot/mailconfig/shared/global-acls
May 14 20:59:14 doveadm(aga): Debug: brain M: Namespace has location maildir:~/.maildir:LAYOUT=fs
May 14 20:59:14 doveadm(aga): Debug: acl vfile: reading file /srv/vmail/spinaczbiurowy/aga/.maildir/dovecot-acl
May 14 20:59:14 doveadm(aga): Debug: acl vfile: file /srv/vmail/spinaczbiurowy/aga/.maildir/Junk/dovecot-acl not found
May 14 20:59:14 doveadm(aga): Debug: Namespace : Using permissions from /srv/vmail/spinaczbiurowy/aga/.maildir: mode=0700 gid=default
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Local mailbox tree: INBOX guid=d04ec020dbd2606448930000d55fb758 uid_validity=1684067035 uid_next=2 subs=no last_change=0 last_subs=0
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Local mailbox tree: Junk guid=3847f021dbd2606448930000d55fb758 uid_validity=1684067036 uid_next=1 subs=no last_change=0 last_subs=0
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Remote mailbox tree: INBOX guid=d04ec020dbd2606448930000d55fb758 uid_validity=1684067035 uid_next=2 subs=no last_change=0 last_subs=0
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Remote mailbox tree: Junk guid=3847f021dbd2606448930000d55fb758 uid_validity=1684067036 uid_next=1 subs=no last_change=0 last_subs=0
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Mailbox INBOX: local=d04ec020dbd2606448930000d55fb758/0/1, remote=d04ec020dbd2606448930000d55fb758/0/1: Mailboxes are equal
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Mailbox Junk: local=3847f021dbd2606448930000d55fb758/0/1, remote=3847f021dbd2606448930000d55fb758/0/1: Mailboxes are equal
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: doveadm-sieve: Iterating Sieve mailbox attributes
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: Pigeonhole version 0.5.16 (09c29328) initializing
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: include: sieve_global is not set; it is currently not possible to include `:global' scripts.
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: Sieve Extprograms plugin for Pigeonhole version 0.5.16 (09c29328) loaded
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: file storage: Using active Sieve script path: /srv/vmail/spinaczbiurowy/aga/.dovecot.sieve
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: file storage: Using script storage path: /srv/vmail/spinaczbiurowy/aga/.sieve
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: file storage: Using permissions from /srv/vmail/spinaczbiurowy/aga/.sieve: mode=0700 gid=-1
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: file storage: Relative path to sieve storage in active link: .sieve/
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: sieve: file storage: sync: Synchronization active
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: reading file /srv/vmail/spinaczbiurowy/aga/.maildir/dovecot-acl
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: reading file /srv/vmail/spinaczbiurowy/aga/.maildir/dovecot-acl
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: file /srv/vmail/spinaczbiurowy/aga/.maildir/Junk/dovecot-acl not found
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: reading file /srv/vmail/spinaczbiurowy/aga/.maildir/dovecot-acl
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: file /srv/vmail/spinaczbiurowy/aga/.maildir/Archive/dovecot-acl not found
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: file /srv/vmail/spinaczbiurowy/aga/.maildir/Drafts/dovecot-acl not found
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: file /srv/vmail/spinaczbiurowy/aga/.maildir/Trash/dovecot-acl not found
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: file /srv/vmail/spinaczbiurowy/aga/.maildir/Sent/dovecot-acl not found
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: acl vfile: reading file /srv/vmail/spinaczbiurowy/aga/.maildir/dovecot-acl
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Iterating prefix shared/shared-boxes/
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Iteration finished, got 1 rows
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Starting transaction
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Unsetting 'shared/shared-boxes/user/micha/aga'
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Dict transaction finished
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Starting transaction
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Setting 'shared/shared-boxes/user/micha/aga' to '1'
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: dict(file)<>: Dict transaction finished
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Import INBOX: Import attribute vendor/vendor.dovecot/pvt/acl/user=micha: Nonexistent locally
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Import INBOX: Import change type=save GUID=1684067035.M549474P37704.lennier,S=667,W=686 UID=1 hdr_hash= result=GUIDs match
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Import INBOX: Last common UID=1. Delayed expunges=
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Import INBOX: Saved UIDs:
May 14 20:59:16 doveadm(aga)<34202><J6fkHKJLYWSahQAADIFX8A>: Debug: brain M: Import INBOX: Finish update: min_next_uid=2 min_first_recent_uid=1 min_highest_modseq=10 min_highest_pvt_modseq=0
May 14 20:59:16 doveadm(34202): Debug: auth-master: conn unix:/run/dovecot/auth-userdb (pid=34051,uid=0): Disconnected: Connection closed (fd=8
Failure! The access right appeared again:
$ doveadm acl debug -u micha shared/aga
doveadm(micha): Info: Mailbox 'INBOX' is in namespace 'shared/aga/'
doveadm(micha): Info: Mailbox path: /srv/vmail/spinaczbiurowy/aga/.maildir
doveadm(micha): Info: All message flags are shared across users in mailbox
doveadm(micha): Info: User micha has rights: lookup read write write-seen write-deleted insert expunge create delete admin
doveadm(micha): Info: Mailbox found from dovecot-acl-list
doveadm(micha): Info: User aga found from ACL shared dict
doveadm(micha): Info: Mailbox shared/aga is visible in LIST
What is going on?
-- MiCHA
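An added example, not part of the thread and not Dovecot's code: a small filter that pulls the ACL-relevant lines out of a `doveadm -D sync` transcript like the one above (the acl shared-dict Setting/Unsetting lines and the `vendor/vendor.dovecot/pvt/acl/...` attribute import) and flags a dict key that was unset and then set again within the same run. The regexes are my reading of the line shapes shown in the transcript above, not a documented Dovecot log format; SAMPLE_LOG is constructed from a few of those lines with the session id shortened.

```python
"""Filter the ACL-relevant events out of a `doveadm -D sync` transcript.

Added example for this thread; it is not Dovecot's code. The regexes match
the shapes of the lines seen in the thread's debug output (the acl
shared-dict Setting/Unsetting lines and the vendor/vendor.dovecot/pvt/acl/...
attribute import line); they are my reading of those lines, not a documented
log format. SAMPLE_LOG is constructed from a few of those lines.
"""
import re
from dataclasses import dataclass

# dict(file)<>: Setting 'key' to 'value'   /   dict(file)<>: Unsetting 'key'
DICT_RE = re.compile(
    r"dict\(\w+\)<>: (?P<op>Setting|Unsetting) '(?P<key>[^']+)'(?: to '(?P<value>[^']*)')?"
)
# brain M: Import INBOX: Import attribute vendor/vendor.dovecot/pvt/acl/user=x: <result>
ACL_ATTR_RE = re.compile(
    r"brain (?P<brain>[A-Z]): Import (?P<mailbox>\S+): Import attribute "
    r"(?P<attr>vendor/vendor\.dovecot/pvt/acl/\S+): (?P<result>.*)$"
)


@dataclass(frozen=True)
class AclEvent:
    kind: str     # "dict-set", "dict-unset" or "acl-attr-import"
    subject: str  # dict key, or "<mailbox>:<attribute name>"
    detail: str   # dict value, or the import result text


def acl_events(log: str) -> list:
    """Return the shared-dict and ACL-attribute events in logged order."""
    events = []
    for line in log.splitlines():
        m = DICT_RE.search(line)
        if m:
            kind = "dict-set" if m["op"] == "Setting" else "dict-unset"
            events.append(AclEvent(kind, m["key"], m["value"] or ""))
            continue
        m = ACL_ATTR_RE.search(line)
        if m:
            events.append(AclEvent("acl-attr-import",
                                   f"{m['mailbox']}:{m['attr']}", m["result"]))
    return events


def resurrected_entries(events: list) -> list:
    """Shared-dict keys that were unset and then set again in the same run.

    Per the `doveadm acl debug` output in the thread, the shared dict entry is
    what makes shared/<owner> appear in LIST, so an unset-then-set pair means
    the sync put the listing back after it had been removed.
    """
    unset_keys = set()
    back = []
    for ev in events:
        if ev.kind == "dict-unset":
            unset_keys.add(ev.subject)
        elif ev.kind == "dict-set" and ev.subject in unset_keys:
            back.append(ev.subject)
    return back


# Constructed sample: the relevant lines from the transcript above, with the
# session id shortened to <sid>.
SAMPLE_LOG = """\
May 14 20:59:16 doveadm(aga)<34202><sid>: Debug: dict(file)<>: Iterating prefix shared/shared-boxes/
May 14 20:59:16 doveadm(aga)<34202><sid>: Debug: dict(file)<>: Unsetting 'shared/shared-boxes/user/micha/aga'
May 14 20:59:16 doveadm(aga)<34202><sid>: Debug: dict(file)<>: Setting 'shared/shared-boxes/user/micha/aga' to '1'
May 14 20:59:16 doveadm(aga)<34202><sid>: Debug: brain M: Import INBOX: Import attribute vendor/vendor.dovecot/pvt/acl/user=micha: Nonexistent locally
May 14 20:59:16 doveadm(aga)<34202><sid>: Debug: brain M: Import INBOX: Last common UID=1. Delayed expunges=
"""

if __name__ == "__main__":
    evs = acl_events(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev.kind:16} {ev.subject} {ev.detail}")
    print("set again during this sync:", resurrected_entries(evs))
```

Pipe a real run through it (`doveadm -D sync ... 2>&1 | python3 this.py` after replacing SAMPLE_LOG with stdin) to see only the ACL attribute imports and dict writes instead of the full sieve and mailbox-tree chatter.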