Current approaches to ACL handling
Christopher R. Hertel
crh at ubiqx.mn.org
Mon Oct 1 13:26:04 MDT 2012
On 10/01/2012 02:22 PM, simo wrote:
> On Mon, 2012-10-01 at 12:19 -0700, ronnie sahlberg wrote:
>> On Mon, Oct 1, 2012 at 11:57 AM, Christopher R. Hertel <crh at ubiqx.mn.org> wrote:
>>> On 10/01/2012 01:52 PM, Jeremy Allison wrote:
>>>>
>>>> On Mon, Oct 01, 2012 at 02:42:51PM -0400, simo wrote:
>>>>>
>>>>> On Mon, 2012-10-01 at 13:28 -0500, Christopher R. Hertel wrote:
>>>>>>
>>>>>> What are the current best practices for ACL handling?
>>>>>>
>>>>>> To my knowledge, it's using EAs to store the ACLs. Is there any
>>>>>> in-depth
>>>>>> documentation on this implementation? Are there any other mechanisms in
>>>>>> use?
>>>>>
>>>>>
>>>>> We store the Windows ACL in an EA and a matching posix ACL translation
>>>>> on the file, plus a sha hash of the ACL so we can be sure they are in
>>>>> sync.
>>>>>
>>>>> I am not aware of any other doc beyond the code.
>>>>
>>>>
>>>> Well there are some SambaXP talks on it I did a while ago :-).
>>>>
>>>> Sorry.
>>>
>>>
>>> I'll look at the code and your talks. Those are the kinds of pointers I
>>> needed.
>>>
>>> Is there any reason to even consider the possibility of thinking about
>>> pondering the idea of toying with the concept of somehow using TDB (CTDB) to
>>> manage ACLs, or is that not a particularly rational approach?
>>
>> I think TDBs would be problematic since with one permanent record for
>> each file, and say
>> a few billion files, the TDB would become huge. As in >>TB size huge.
>>
>> You would also have the problem of single point of failure. That TDB
>> file goes bad, you now lost all ACLs for all your files.
>
> Backups would also be problematic, ACLs and actual files would end up
> being backed up at potentially very different times, allowing for
> incomplete or mismatching backups of ACLs.
All good reasons against.
...so now I just need to ensure the consistency of EA's across a cluster. :)
Thanks!
Chris -)-----
--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
More information about the samba-technical
mailing list