[PATCH][WIP] Make vfs_acl_xattr use hash of the posix ACL

Andrew Bartlett abartlet at samba.org
Thu Oct 18 14:43:42 MDT 2012

On Thu, 2012-10-18 at 21:52 +0200, Christian Ambach wrote:
> Hi Andrew,
> On 10/17/2012 11:57 AM, Andrew Bartlett wrote:
> >> So vfs_acl_xattr would work like this:
> >> 1. let VFS store the ACL
> >> 2. ask for the native blob in the file system
> >> 3. store native blob + Windows SD in EA
> >
> > I think you mean the hash of the native blob, but this looks correct to
> > me.
> Right, I realized that directly after hitting the send button.
> >> This way we wouldn't have to render EAs invalid if we change the mapping
> >> algorithms from native -> Windows SD and we still will be able to detect
> >> any changes that were performed on the file system directly.
> >>
> >> So for POSIX ACLs, we would store whatever acl_get_file(3) returns, for
> >> other platforms like GPFS, we would store the blob that the filesystem
> >> returns. They all are able to return a blob of some sort or another and
> >> it would be up to the filesystem module maintainers to choose the most
> >> appropriate one.
> >>
> >> This would eliminate various conversions and should still address your
> >> needs. What do you think?
> >
> > This is exactly what we do, and exactly why we do it (in my proposal).
> > acl_get_file() returns a structure, but smb_acl.idl encodes essentially
> > the same structure, with only one-to-one translation from the per-vendor
> > acl_t on all our posix ACL implementations.
> It took a while, but now I have understood what you were after :)
> Thanks for not stopping giving answers (that were most probably 
> repetitions of explanations found somewhere else in this monster thread).

No worries.  It is nice to make some progress on at least one technical
issue this week :-)

> > The the only reason we have any 'intermediate
> > representation' (smb_acl_wrapper) is to capture the extra things that
> > are part of the acl, but not actually in the ACL (user/group/mode) and
> > to have something we can linearise trivially into NDR.
> Some other file systems (e.g. NFSv4 file systems, I checked GPFS and
> JFS2) would also need to store the owner/group information as the ACL
> does not contain that information but the mode is redundant and derived
> from the ACL.
> OpenAFS seems to need to store the complete owner/group/mask combination.
> To avoid code duplication across the modules to make up their own
> structures (which are then hashed), would it make sense to make
> smb_acl_wrapper more generic so it can be used by all modules?

I think so.  We would change smb_acl_t to DATA_BLOB, and then do that
particular part in vfs_acl_common.


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list