NFSv4 ACL support in star
Joerg Schilling
Joerg.Schilling at fokus.fraunhofer.de
Thu Nov 7 11:12:07 UTC 2013
Edward Tomasz Napiera?a <trasz at FreeBSD.org> wrote:
> > I like to see an implementation that (if implemented as an enhancement of the
> > withdrawn POSIX.1e ACL interfaces) gives similar features as libsec does:
>
> In order to make FreeBSD support NFSv4, I did exactly that: I've added
> a number of functions, such as acl_get_entry_type_np(3) (basically, this
> is for "allow/deny" part of ACL), and extended existing ones, e.g. to add
> new permissions.
This looks like a missunderstanding:
I am not interested in single entries but in the currnt state of the acl_t
object.
acl_type(aclp) returns:
ACLENT_T = 0, UFS ACLs (compatible with POSIX draft)
ACE_T = 1 NFSv4 ACLs
I need to know whether to create
SCHILX.acl.access
and
SCHILY.acl.default
keywords or
SCHILY.acl.ace
before I convert things and I don't like to parse the text...
> > - libsec e.g. calls pathconf(name, _PC_ACL_ENABLED) in order to find
> > the ACL type that is used for a file and controls which ACL flavor to
> > retrieve.
>
> Use the usual pathconf(3), with _PC_ACL_NFS4.
This looks like an interface that is not optimized for performance.
pathconf(name, _PC_ACL_ENABLED)
returns
_ACL_ACLENT_ENABLED (1) if the filesystem supports UFS ACLs
_ACL_ACE_ENABLED (2) if the filesystem supportfs NFSv4 ACLs
or a bitwise or of both.
But if you implement another performant method I am OK.
> > - libsec includes code to deal with ephemeral IDs used with CIFS clients.
>
> Hm, isn't this independent from ACL implementation?
It may look so but there are related ACE entries and these ACEs carry ephemeral
UID/GID values.
> > - libsec offers acl_type(aclp) to find the ACl type without a need to
> > call acl_totext(), so I could use:
>
> See acl_get_brand_np().
OK, this is what I am interested in.
> > I am in hope that we could get a final library interface that still stays
> > compatible between FreeBSD and Linux as this was the base for being able to
> > support more platforms with POSIX.1e draft ACLs.
>
> I think porting what I did would be a good choice - it's fully backwards
> compatible, API-wise, and not actually hacky.
Well, it would be nice to see feedback from Linux people.
Jörg
--
EMail:joerg at schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
js at cs.tu-berlin.de (uni)
joerg.schilling at fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily
More information about the posix1e
mailing list