[PATCH][WIP] Make vfs_acl_xattr use hash of the posix ACL

Andrew Bartlett abartlet at samba.org
Fri Oct 26 16:36:48 MDT 2012

On Sat, 2012-10-27 at 00:10 +0200, Christian Ambach wrote:
> Hi Andrew,
> On 10/24/2012 01:45 PM, Andrew Bartlett wrote:
> > I've made some small changes, which are in fix-acls2.  What I need to do
> > with you is hook up gpfs to the new non_posix_acls helper functions I've
> > written.  (I decided against the change we discussed, to avoid needing
> > to call stat at both layers).
> >
> > The blob you get from gpfs is the acl_as_blob argument.
> >
> > Anyway, we should probably do some of this interactively, let me know
> > when you have time.
> I was on vacation for the last two weeks. I'll try to catch you on IRC
> early next week, until then I will already look at the code and see how
> to fit the GPFS module (and others) to it.
> One piece that might be worth revisting is the amount of ACL functions
> we will then have in the VFS, e.g. the ones for getting an ACL:
> NTSTATUS (*fget_nt_acl_fn)(struct vfs_handle_struct *handle,
> NTSTATUS (*get_nt_acl_fn)(struct vfs_handle_struct *handle,
> SMB_ACL_T (*sys_acl_get_file_fn)(struct vfs_handle_struct *handle,
> SMB_ACL_T (*sys_acl_get_fd_fn)(struct vfs_handle_struct *handle,
> int (*sys_acl_blob_get_file_fn)(struct vfs_handle_struct *handle,
> int (*sys_acl_blob_get_fd_fn)(struct vfs_handle_struct *handle, struct
> files_struct *fsp,
> So anybody who wants to create a new module for ACL support for a
> special platform will have to deal with having to implement lots of
> functions, and some of them do really similar things and others just do
> a subset of what another one does (e.g. sys_acl_get_file_fn might be a
> subset of sys_acl_blob_get_file_fn).
> Would it make sense to reduce the interface here (instead of growing it ?)

I certainly understand where you are coming from (particularly given the
trouble I had extending this interfaces of something like a dozen real,
default and skeleton VFS modules). 

We can't reduce it without reducing the generality, which we need to
support what we want to do for GPFS. 

When I started on this, I imagined just defining the SMB_ACL_T in IDL,
and creating the blob in the vfs_acl_common code.  However, once we need
to support NFSv4 ACLs in the same scheme, we have to have a way to get
the blob/hash of an NFSv4 ACL.  That's why we have the blob functions.

As to the other functions, we still need a way to get the real system
ACL, and if the module is able to directly provide the NT ACL, then we
need a way to do that as well.  

It's frustrating, but while we could perhaps collapse these into less
functions, they would just multiplex the same range of features, and it
would not make it any less complex. 


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list