[PATCH] Fix for XDR Backend of NFS4ACL_XATTR module to get it working with NFS4.0 ACL Spec

Thu Aug 23 23:35:47 UTC 2018

On Thu, 2018-08-23 at 16:09 -0700, Jeremy Allison via samba-technical
wrote:
> On Thu, Aug 16, 2018 at 11:43:48AM +0000, Sandeep Nashikkar wrote:
> > On Wed, Aug 15, 2018 03:01 AM IST Jeremy Allison wrote 
> > 
> > On a side note, the nfs4acl_* functions do not comply with NFS 4.1 Spec. 
> 
> Oh, that's a pain. Can you tell me how they differ ?
> 
> > Thanks a lot Jeremy for your time and inputs. I have attached the updated patch. 
> > Please review and let me know if you have any more questions. 
> 
> So I'm OK with this code now. RB+ Jeremy Allison
> in terms of how it encodes and changes the nfs4acls.
> 
> What I still need to understand is the effect of
> this on existing setups with nfs4 ACLs stored in
> xattrs.
> 
> The issue I have is with this element of the patch:
> 
> @@ -524,6 +532,7 @@ static int nfs4acl_connect(struct vfs_handle_struct *handle,
>  
>         switch (config->encoding) {
>         case NFS4ACL_ENCODING_XDR:
> +       case NFS40ACL_ENCODING_XDR:
>                 default_xattr_name = NFS4ACL_XDR_XATTR_NAME;
>                 break;
>         case NFS4ACL_ENCODING_NDR:
> 
> which means that selecting both NFS4ACL_ENCODING_XDR *and*
> NFS40ACL_ENCODING_XDR will use the same xattr name of
> 
> -#define NFS4ACL_XDR_XATTR_NAME "security.nfs4acl_xdr"
> +#define NFS4ACL_XDR_XATTR_NAME "system.nfs4_acl"
> 
> system.nfs4_acl
> 
> The existing code using NFS4ACL_ENCODING_XDR stores
> in security.nfs4acl_xdr. I think you need to change
> the xattr name to system.nfs4_acl, so that existing
> setups don't conflict. You can't re-use the same
> xattr name for two different encodings, that way
> lies madness and corrupted user ACL data.
> 
> I'm CC:ing Ralph on this one as he wrote the
> original encoding for nfsv4 ACLs. Once he
> RB+'s it we can push.
> 
> Ralph, can you take a look at this ?

Stepping back a moment, is there really any real-world users that are
not going via different APIs for things like GPFS?

I added this in the first place for testing in commits around
fe8a1fcda792ee38faaadf1da2905b62302ce3e1 including importing the NDR
format from source4 in d87b81fa303ee297685f4eb5599010901ed68145

The purpose was to try and test the NFSv4 ACL changes that were being
proposed by Alexander Werth at that time, I think for GPFS.

The original nfsv4 ACL IDL came in with:

ommit 515c92a759ad30059f65d3e65dc9f642dc03852a
Author: Andrew Tridgell <tridge at samba.org>
Date:   Sat Oct 21 09:46:12 2006 +0000

    r19441: work in progress support for NFS4 ACLs in Samba4 on Linux.
Still work
    to do, particularly with getting the detailed bit mappings right,
and
    on sid mapping. Does not pass RAW-ACLS yet
    (This used to be commit b92553481b534d0ef5277dbfe8c0d64a03f819eb)

I realise that something added for testing can become production of
course, but I figured I would give the background. 

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba