[PATCH] Add tests for our NFSv4 ACL code
Abhidnya S Joshi
achirmul at in.ibm.com
Mon Apr 22 03:55:46 MDT 2013
Hi Andrew, Alexander,
To test this NFS4 ACL work, I have added 2 tests to check inheritance of
creator owner and creator group. Primary aim is to test Samba bug 9467.
These two tests basically check if the creator owner/group SID gets
interpreted and applied correctly upon inheritance. Please review the
Thanks and Regards
From: Andrew Bartlett <abartlet at samba.org>
To: Alexander Werth <werth at linux.vnet.ibm.com>,
Cc: samba-technical at lists.samba.org, jra at samba.org
Date: 04/22/2013 06:01 AM
Subject: Re: [PATCH] Add tests for our NFSv4 ACL code
Sent by: samba-technical-bounces at lists.samba.org
On Wed, 2013-04-17 at 21:13 +0200, Alexander Werth wrote:
> On Sun, 2013-04-14 at 22:00 +1000, Andrew Bartlett wrote:
> > From here, I want to learn more about the failures, work out at what
> > layer we should be doing various inheritance operations (adding
> > emulation if required), and possibly patch raw.acls to optionally skip
> > SACLs in the comparisons.
> I've merged the inheritance emulation into your nfs4acl_xattr module.
> Please find the code in the attached patch.
> The idea is that if no xattr with nfs4 acls is found the parent
> folders are inspected recursively.
> This way any vfs operation reading the acl of a file that just got
> created with an open call will return the right security descriptor.
> With this the test nfs4acl_xattr.dynamic passes.
> The nfs4acl_xattr.inheritance passes as well but there are
> warnings since the SDs don't match bit for bit and the torture
> test returns a failed even though there was no hard error.
> So I guess we have to adjust the torture test before committing
> this patch.
Thanks for all your hard work here. These changes seen entirely
sensible to me. Could you perhaps merge them into a set that could be
committed to master? (Probably squash some of them together)
In terms of the handling of the special SIDs, we really need winbind to
give a valid result for those. If we moved the test from the s3dc to
the plugin_s4_dc environment, they probably would resolve (due to the
different winbindd), and we might make more progress here, until we can
fix up the source3/winbindd idmap code.
We also need to fix up the key idmap code in nfs4_acls.c:630 to be more
like what I put in the posix_acls.c code at line 1973. That will cope
with IDMAP_BOTH better as well.
Finally, in terms of your question about 'denymissingspecial', I copied
the zfsacl code as my template, which is why this came across. I don't
know the history or reasoning behind this at this time.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 14934 bytes
Desc: not available
More information about the samba-technical