NFSv4 ACL support in star

Joerg Schilling Joerg.Schilling at fokus.fraunhofer.de
Thu Nov 7 11:12:07 UTC 2013 

Edward Tomasz Napiera?a <trasz at FreeBSD.org> wrote:

> > I like to see an implementation that (if implemented as an enhancement of the
> > withdrawn POSIX.1e ACL interfaces) gives similar features as libsec does:
>
> In order to make FreeBSD support NFSv4, I did exactly that: I've added
> a number of functions, such as acl_get_entry_type_np(3) (basically, this
> is for "allow/deny" part of ACL), and extended existing ones, e.g. to add
> new permissions.

This looks like a missunderstanding:

I am not interested in single entries but in the currnt state of the acl_t 
object.

acl_type(aclp) returns:

 ACLENT_T = 0,	UFS ACLs (compatible with POSIX draft)
 ACE_T = 1	NFSv4 ACLs

I need to know whether to create

SCHILX.acl.access
and
SCHILY.acl.default

keywords or 

SCHILY.acl.ace

before I convert things and I don't like to parse the text...


> > -	libsec e.g. calls pathconf(name, _PC_ACL_ENABLED) in order to find
> > 	the ACL type that is used for a file and controls which ACL flavor to 
> > 	retrieve.
>
> Use the usual pathconf(3), with _PC_ACL_NFS4.

This looks like an interface that is not optimized for performance.

pathconf(name, _PC_ACL_ENABLED)

returns

_ACL_ACLENT_ENABLED	(1)	if the filesystem supports UFS ACLs
_ACL_ACE_ENABLED	(2)	if the filesystem supportfs NFSv4 ACLs

or a bitwise or of both.

But if you implement another performant method I am OK. 

> > -	libsec includes code to deal with ephemeral IDs used with CIFS clients.
>
> Hm, isn't this independent from ACL implementation?

It may look so but there are related ACE entries and these ACEs carry ephemeral 
UID/GID values.

> > -	libsec offers acl_type(aclp) to find the ACl type without a need to
> > 	call acl_totext(), so I could use:
>
> See acl_get_brand_np().

OK, this is what I am interested in.

> > I am in hope that we could get a final library interface that still stays 
> > compatible between FreeBSD and Linux as this was the base for being able to 
> > support more platforms with POSIX.1e draft ACLs.
>
> I think porting what I did would be a good choice - it's fully backwards
> compatible, API-wise, and not actually hacky.

Well, it would be nice to see feedback from Linux people.


Jörg

-- 
 EMail:joerg at schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
       js at cs.tu-berlin.de                (uni)  
       joerg.schilling at fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/
 URL:  http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily

More information about the posix1e mailing list