[PATCH] Add tests for our NFSv4 ACL code
Andrew Bartlett
abartlet at samba.org
Sun Apr 21 18:32:22 MDT 2013
On Wed, 2013-04-17 at 21:13 +0200, Alexander Werth wrote:
> On Sun, 2013-04-14 at 22:00 +1000, Andrew Bartlett wrote:
> > From here, I want to learn more about the failures, work out at what
> > layer we should be doing various inheritance operations (adding
> > emulation if required), and possibly patch raw.acls to optionally skip
> > SACLs in the comparisons.
>
> I've merged the inheritance emulation into your nfs4acl_xattr module.
> Please find the code in the attached patch.
> The idea is that if no xattr with nfs4 acls is found the parent
> folders are inspected recursively.
> This way any vfs operation reading the acl of a file that just got
> created with an open call will return the right security descriptor.
>
> With this the test nfs4acl_xattr.dynamic passes.
> The nfs4acl_xattr.inheritance passes as well but there are
> warnings since the SDs don't match bit for bit and the torture
> test returns a failed even though there was no hard error.
> So I guess we have to adjust the torture test before committing
> this patch.

Thanks for all your hard work here. These changes seem entirely
sensible to me. Could you perhaps merge them into a set that could be
committed to master? (Probably squash some of them together)

In terms of the handling of the special SIDs, we really need winbind to
give a valid result for those. If we moved the test from the s3dc to
the plugin_s4_dc environment, they probably would resolve (due to the
different winbindd), and we might make more progress here, until we can
fix up the source3/winbindd idmap code.

We also need to fix up the key idmap code in nfs4_acls.c:630 to be more
like what I put in the posix_acls.c code at line 1973. That will cope
with IDMAP_BOTH better as well.

Finally, in terms of your question about 'denymissingspecial', I copied
the zfsacl code as my template, which is why this came across. I don't
know the history or reasoning behind this at this time.

Thanks!

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
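
The inheritance emulation described in the quoted message (no stored NFSv4 ACL, so inspect the parent folders recursively) can be modelled as below. This is an added example, not code from the attached patch or from Samba: the structs and function names are hypothetical, files are plain in-memory nodes rather than xattrs, and the flag handling follows the usual NFSv4/Windows inheritance rules with the flag values from RFC 3530.

```c
#include <stddef.h>
#include <stdint.h>

/* NFSv4 ACE inheritance flags, values as defined in RFC 3530. */
#define ACE4_FILE_INHERIT_ACE         0x1u
#define ACE4_DIRECTORY_INHERIT_ACE    0x2u
#define ACE4_NO_PROPAGATE_INHERIT_ACE 0x4u
#define ACE4_INHERIT_ONLY_ACE         0x8u
#define INHERIT_FLAGS 0xfu
#define MAX_ACES 8

struct ace { uint32_t who, flags, mask; };
struct acl { size_t n; struct ace aces[MAX_ACES]; };
/* Hypothetical stand-in for a file: stored == NULL means "no ACL xattr". */
struct node { const struct node *parent; int is_dir; const struct acl *stored; };

/* Build the ACL a new child receives from its parent's ACL. */
static void inherit_acl(const struct acl *parent, int child_is_dir, struct acl *out)
{
    out->n = 0;
    for (size_t i = 0; i < parent->n; i++) {
        struct ace a = parent->aces[i];
        uint32_t f = a.flags;
        if (!(f & (ACE4_FILE_INHERIT_ACE | ACE4_DIRECTORY_INHERIT_ACE)))
            continue;                       /* not inheritable at all */
        if (!child_is_dir) {
            if (!(f & ACE4_FILE_INHERIT_ACE))
                continue;
            a.flags = f & ~INHERIT_FLAGS;   /* files pass nothing on */
        } else if (f & ACE4_NO_PROPAGATE_INHERIT_ACE) {
            if (!(f & ACE4_DIRECTORY_INHERIT_ACE))
                continue;
            a.flags = f & ~INHERIT_FLAGS;   /* applies here, stops here */
        } else if (f & ACE4_DIRECTORY_INHERIT_ACE) {
            a.flags = f & ~ACE4_INHERIT_ONLY_ACE;
        } else {
            a.flags = f | ACE4_INHERIT_ONLY_ACE; /* carried for files below */
        }
        out->aces[out->n++] = a;
    }
}

/* Return the stored ACL, or emulate inheritance by walking up the parents. */
static void effective_acl(const struct node *n, struct acl *out)
{
    struct acl up;
    out->n = 0;
    if (n->stored) { *out = *n->stored; return; }
    if (!n->parent) return;                 /* reached the root: empty ACL */
    effective_acl(n->parent, &up);
    inherit_acl(&up, n->is_dir, out);
}
```

An object with no stored ACL anywhere above it resolves to an empty ACL in this model, so what a caller does with that result (deny, or fall back to mode bits) decides whether a missing xattr fails closed.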