NFSv4 ACL support in star
Edward Tomasz Napierała
trasz at FreeBSD.org
Sun Nov 10 12:19:00 UTC 2013
Wiadomość napisana przez Joerg Schilling w dniu 7 lis 2013, o godz. 12:10:
> Edward Tomasz Napiera?a <trasz at FreeBSD.org> wrote:
>
>>> I like to see an implementation that (if implemented as an enhancement of the
>>> withdrawn POSIX.1e ACL interfaces) gives similar features as libsec does:
>>
>> In order to make FreeBSD support NFSv4, I did exactly that: I've added
>> a number of functions, such as acl_get_entry_type_np(3) (basically, this
>> is for "allow/deny" part of ACL), and extended existing ones, e.g. to add
>> new permissions.
>
> This looks like a missunderstanding:
>
> I am not interested in single entries but in the currnt state of the acl_t
> object.
>
> acl_type(aclp) returns:
>
> ACLENT_T = 0, UFS ACLs (compatible with POSIX draft)
> ACE_T = 1 NFSv4 ACLs
>
> I need to know whether to create
>
> SCHILX.acl.access
> and
> SCHILY.acl.default
>
> keywords or
>
> SCHILY.acl.ace
>
> before I convert things and I don't like to parse the text...
Okay, so this is what acl_get_brand_np() is for. The acl_get_entry_type_np()
returns NFSv4 entry type, i.e. whether it's "allow", or "deny".
>>> - libsec e.g. calls pathconf(name, _PC_ACL_ENABLED) in order to find
>>> the ACL type that is used for a file and controls which ACL flavor to
>>> retrieve.
>>
>> Use the usual pathconf(3), with _PC_ACL_NFS4.
>
> This looks like an interface that is not optimized for performance.
>
> pathconf(name, _PC_ACL_ENABLED)
>
> returns
>
> _ACL_ACLENT_ENABLED (1) if the filesystem supports UFS ACLs
> _ACL_ACE_ENABLED (2) if the filesystem supportfs NFSv4 ACLs
>
> or a bitwise or of both.
>
> But if you implement another performant method I am OK.
As Tim said, you probably already need to call stat on every file
added; just reuse the value returned by pathconf if st_dev for the
file is the same as st_dev for the previous file. That's what all
the utilities such as ls(1) do
>>> - libsec includes code to deal with ephemeral IDs used with CIFS clients.
>>
>> Hm, isn't this independent from ACL implementation?
>
> It may look so but there are related ACE entries and these ACEs carry ephemeral
> UID/GID values.
Ah, the appended ID. So, acl_to_text_np(3) takes ACL_TEXT_APPEND_ID flag,
which makes it output textual form with appended IDs; the acl_from_text(3)
handles appended ID automatically.
>>> - libsec offers acl_type(aclp) to find the ACl type without a need to
>>> call acl_totext(), so I could use:
>>
>> See acl_get_brand_np().
>
> OK, this is what I am interested in.
Ok.
>>> I am in hope that we could get a final library interface that still stays
>>> compatible between FreeBSD and Linux as this was the base for being able to
>>> support more platforms with POSIX.1e draft ACLs.
>>
>> I think porting what I did would be a good choice - it's fully backwards
>> compatible, API-wise, and not actually hacky.
>
> Well, it would be nice to see feedback from Linux people.
Definitely.
--
If you cut off my head, what would I say? Me and my head, or me and my body?
More information about the posix1e
mailing list