From: "Frank Filz" <ffilzlnx-mn4gwa5WIIQysxA8WJXlww@public.gmane.org>
To: "'Trond Myklebust'"
<trond.myklebust-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org>,
"'Andreas Grünbacher'"
<andreas.gruenbacher-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: 'Linux Kernel Mailing List'
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
'Linux FS-devel Mailing List'
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
'Linux NFS Mailing List'
<linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
'Linux API Mailing List'
<linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: RE: [RFC v3 42/45] nfs: Add richacl support
Date: Fri, 29 May 2015 08:54:48 -0700
Message-ID: <045601d09a27$cb8caaa0$62a5ffe0$@mindspring.com>
In-Reply-To: <CAHQdGtR-Gjp11U9JHCe6XuNiXQjYa-H7DQNycyt2H6GeQ1txSg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
> On Fri, May 29, 2015 at 11:00 AM, Andreas Grünbacher
> <andreas.gruenbacher-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > 2015-05-29 15:15 GMT+02:00 Trond Myklebust
> <trond.myklebust-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org>:
> >> [reply reordered]
> >> So having revisited the reasons why I chose the system.nfs4_acl
> >> interface when we did NFSv4 ACLs, I'm not sure we should implement
> >> system.richacl for the NFS client at all.
> >>
> >> Your assertion that "when symbolic user@domain and group@domain
> names
> >> are used in the acl, user-space needs to perform ID mapping in the
> >> same way as the kernel" is WRONG. User space needs do no such thing,
> >> and that was the whole point of the interface; to allow the user to
> >> specify ACLs in a format that is checked only on the _server_, and
> >> not on the client.
> >
> > That's only half true. Right now, user-space applications trying to
> > copy permissions between an nfs mount and another file system will
> > fail unless the application has explicitly been made nfs aware and
> > supports the "system.nfs4_acl"
> > attribute (as well as some other acl mechanism if the permissions go
> > beyond the file mode).
> >
> > The same problem exists when trying to make sense of acls.
> >
> > It seems unreasonable to me to expect applications other than special
> > file system maintenance tools to cater to such file system
> > differences; there are just too many file systems out there for that
> > to work. Instead, it would be better to use an interface that can be
> > generalized across file systems.
>
> My point is that system.richacl is not such an interface. It can only ever work
> for local filesystems that understand and store local uids and gids. It has no
> support for the remote users/groups that are stored on your NFS/SMB
> server unless they happen to have a local mapping into uids and gids, and so
> the API is inappropriate to replace the existing NFSv4 acl API on the client.
Could we have both xattrs? Or a mount option that specifies which xattr to have?
That way folks who don't have local idmapping for every remote identity can use system.nfs4_acl while those who have local mapping for all remote identities and need to use a wide variety of tools can use system.richacl? system.richacl would obviously need to be documented that this issue can arise. But that will forever be an issue; unless we store the ACL with symbolic names, copying from a remote server to a local filesystem will always be lossy if the idmapping is incomplete.
Maybe that's too messy...
Frank
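
Added example (not part of the thread, and not code from the richacl patches): a small C check that walks a system.nfs4_acl-style blob and counts the ACEs whose symbolic principal has no local id, which is the "lossy if the idmapping is incomplete" case discussed above. The blob layout assumed here is the NFSv4 XDR array of nfsace4 entries (type, flag, access mask, who string padded to 4 bytes); the idmap table, principal names and sample blob are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed local idmap: only alice has a local uid (assumption). */
struct idmap { const char *who; uint32_t id; };
static const struct idmap local_map[] = { { "alice@example.org", 1000 } };

/* Constructed sample blob: XDR array of nfsace4 {type, flag, mask, who<>}. */
static const unsigned char sample_acl[] =
    "\0\0\0\2"                                   /* two ACEs */
    "\0\0\0\0" "\0\0\0\0" "\0\0\0\1" "\0\0\0\21" /* ALLOW, READ_DATA, len 17 */
    "alice@example.org\0\0\0"                    /* who, padded to 20 bytes */
    "\0\0\0\1" "\0\0\0\0" "\0\0\0\2" "\0\0\0\20" /* DENY, WRITE_DATA, len 16 */
    "bob@corp.example";                          /* who, already 4-aligned */

static uint32_t be32(const unsigned char *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns the number of ACEs with no local id, or -1 on malformed input. */
int count_unmappable(const unsigned char *buf, size_t len) {
    if (len < 4) return -1;
    uint32_t n = be32(buf);
    size_t off = 4;
    int lost = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (len - off < 16) return -1;           /* fixed part of one ACE */
        uint32_t type = be32(buf + off), wholen = be32(buf + off + 12);
        off += 16;
        if (wholen > len - off) return -1;
        size_t padded = ((size_t)wholen + 3) & ~(size_t)3;
        if (padded > len - off) return -1;
        const char *who = (const char *)buf + off;
        /* OWNER@, GROUP@, EVERYONE@ carry no domain and need no idmapping. */
        int found = wholen && who[wholen - 1] == '@';
        for (size_t k = 0; !found && k < sizeof local_map / sizeof *local_map; k++)
            found = strlen(local_map[k].who) == wholen &&
                    !memcmp(who, local_map[k].who, wholen);
        if (!found) {
            printf("no local id for %.*s (ACE type %u)\n", (int)wholen, who, (unsigned)type);
            lost++;
        }
        off += padded;
    }
    return off == len ? lost : -1;               /* reject trailing bytes */
}

int main(void) {
    int lost = count_unmappable(sample_acl, sizeof sample_acl - 1);
    printf("%d ACE(s) cannot be expressed with local ids\n", lost);
    return 0;
}
```

A copy tool built on a numeric-id interface can run a check like this first and refuse the copy when the count is non-zero, rather than silently dropping the entry; in the sample the unmapped entry is a DENY ACE.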