[PATCH] Add tests for our NFSv4 ACL code

Andrew Bartlett abartlet at samba.org
Sun Apr 21 18:32:22 MDT 2013 

On Wed, 2013-04-17 at 21:13 +0200, Alexander Werth wrote:
> On Sun, 2013-04-14 at 22:00 +1000, Andrew Bartlett wrote:
> > From here, I want to learn more about the failures, work out at what
> > layer we should be doing various inheritance operations (adding
> > emulation if required), and possibly patch raw.acls to optionally skip
> > SACLs in the comparisons. 
> 
> I've merged the inheritance emulation into your nfs4acl_xattr module.
> Please find the code in the attached patch.
> The idea is that if no xattr with nfs4 acls is found the parent
> folders are inspected recursively.
> This way any vfs operation reading the acl of a file that just got
> created with an open call will return the right security descriptor.
> 
> With this the test nfs4acl_xattr.dynamic passes.
> The nfs4acl_xattr.inheritance passes as well but there are
> warnings since the SDs don't match bit for bit and the torture
> test returns a failed even though there was no hard error.
> So I guess we have to adjust the torture test before committing
> this patch.

Thanks for all your hard work here.  These changes seen entirely
sensible to me.  Could you perhaps merge them into a set that could be
committed to master?  (Probably squash some of them together)

In terms of the handling of the special SIDs, we really need winbind to
give a valid result for those.  If we moved the test from the s3dc to
the plugin_s4_dc environment, they probably would resolve (due to the
different winbindd), and we might make more progress here, until we can
fix up the source3/winbindd idmap code. 

We also need to fix up the key idmap code in nfs4_acls.c:630 to be more
like what I put in the posix_acls.c code at line 1973.  That will cope
with IDMAP_BOTH better as well. 

Finally, in terms of your question about 'denymissingspecial', I copied
the zfsacl code as my template, which is why this came across.  I don't
know the history or reasoning behind this at this time. 

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list