[PATCH][WIP] Make vfs_acl_xattr use hash of the posix ACL

Andrew Bartlett abartlet at samba.org
Tue Oct 16 03:19:03 MDT 2012


On Tue, 2012-10-16 at 09:54 +0200, Christian Ambach wrote:
> On 10/12/2012 10:09 PM, Andrew Bartlett wrote:
> 
> >>> By defining this interface, vfs_acl_common does not need to know what
> >>> the system ACL is, be it posix or nfsv4 or AFS.  It can (if returned)
> >>> just hash the contents of the data_blob and store it.
> >>>
> >>> At a later time, if the contents matches, then the exact NT ACL that
> >>> the windows client set is returned.  If the hash does not match, the
> >>> posix, NFSv4 or AFS ACL must have been changed outside Samba,
> >>> and an imperfect mapping to an NT ACL is returned instead. [...] I
> >>> would welcome patches to linearise NFSv4 into NDR in the same way I
> >>> did for posix ACLs in smb_acl.idl
> >>
> >> Shouldn't we better have one datatype that fits all variants instead of
> >> having datatypes for each style of ACL? And the common denominator here
> >> would be the general Windows SD format (as it has all fidelity).
> >
> > Yes, that data type is DATA_BLOB.  The hash code needs no more than that
> > (I initially proposed it to be the sha256, but was requested to pass up
> > the data_blob).
> 
> GPFS supports retrieving the filesystem ACL as an opaque blob (for
> backup applications), so I guess this would be an ideal candidate for 
> hashing, correct?

Great, that's perfect!

We might then be able to skip the call to the posix helpers in that
case, which would make things more uniform. 

> If so, where would this information now be stored?

It would be hashed into the xattr stored by vfs_acl_common.c as the
system acl.  See smb_acl.idl and xattr.idl.

If there is additional metadata that essentially forms part of the ACL
(owner/group/mode is stored for the posix ACL), then see 
smb_acl_wrapper for an example of what wrapper around a DATA_BLOB to
create. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
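
The store-and-compare scheme described in this message, as an added sketch that is not Samba's code and not from the patch: the system ACL is treated as an opaque blob, wrapped with owner/group/mode, hashed with sha256, and the stored NT ACL is returned only while that hash still matches. The dictionary standing in for the xattr, the function names, the wrapper layout and the sample values are all assumptions made for illustration.

```python
import hashlib
import struct

# Hypothetical in-memory stand-in for the per-file xattr; not Samba's API.
XATTR = {}  # path -> (sha256 of wrapped system ACL, NT ACL set by the client)


def wrap(acl_blob: bytes, owner: int, group: int, mode: int) -> bytes:
    """Prepend owner/group/mode to the opaque ACL blob so that a chown or
    chmod made outside the server changes the hash as well."""
    # The length prefix keeps metadata and ACL bytes unambiguous.
    return struct.pack("<IIII", owner, group, mode, len(acl_blob)) + acl_blob


def set_nt_acl(path, nt_acl, acl_blob, owner, group, mode):
    """Store the client's NT ACL next to the hash of the resulting system ACL."""
    digest = hashlib.sha256(wrap(acl_blob, owner, group, mode)).digest()
    XATTR[path] = (digest, nt_acl)


def get_nt_acl(path, acl_blob, owner, group, mode, fallback):
    """Return (acl, source): the stored NT ACL when the hash still matches,
    otherwise the imperfect mapping produced by fallback()."""
    current = hashlib.sha256(wrap(acl_blob, owner, group, mode)).digest()
    entry = XATTR.get(path)
    if entry is not None and entry[0] == current:
        return entry[1], "stored"
    return fallback(acl_blob, owner, group, mode), "mapped"


def mapped_acl(acl_blob, owner, group, mode):
    """Placeholder for the system-ACL-to-NT-ACL mapping (constructed)."""
    return f"mapped(uid={owner},gid={group},mode={mode:o})"


if __name__ == "__main__":
    blob = b"\x01opaque-system-acl"  # constructed sample blob
    # Constructed sample NT ACL string and ownership values.
    set_nt_acl("/share/f", "O:BAG:DUD:(A;;FA;;;WD)", blob, 1000, 100, 0o640)
    print(get_nt_acl("/share/f", blob, 1000, 100, 0o640, mapped_acl))
    # ACL edited outside the server: hash differs, stored NT ACL is not used.
    print(get_nt_acl("/share/f", blob + b"x", 1000, 100, 0o640, mapped_acl))
```

Because the hash covers the wrapper and not only the ACL bytes, a mode or ownership change made outside the server also invalidates the stored NT ACL.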
