From: Brad Boyer <flar@allandria.com>
To: James Morris <jmorris@namei.org>
Cc: linux-nfs@vger.kernel.org, linux-security-module@vger.kernel.org,
Trond Myklebust <Trond.Myklebust@netapp.com>,
"J. Bruce Fields" <bfields@fieldses.org>,
Neil Brown <neilb@suse.de>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 0/6][v4][RFC] NFSv3: implement extended attribute protocol (XATTR)
Date: Fri, 12 Mar 2010 23:28:59 -0800 [thread overview]
Message-ID: <20100313072859.GA2779@cynthia.pants.nu> (raw)
In-Reply-To: <alpine.LRH.2.00.1003091834450.12164@tundra.namei.org>
On Tue, Mar 09, 2010 at 07:13:45PM +1100, James Morris wrote:
> The core issue is that we don't want system-level xattrs being stored on
> the server.
I can understand that, but it does seem like only system xattrs should
be treated that way to me.
> As you suggest, perhaps we always leave 'user' xattrs untranslated on the
> server, with an expectation that they're always opaque to the server and
> managed entirely by user applications.
This seems reasonable.
> I don't think we can meaningfully do this for 'trusted' xattrs, as we
> don't know how to extend CAP_SYS_ADMIN over NFS. So, this, and all other
> non-user namespaces (e.g. 'system', 'security') are mapped on the server
> to the 'nfsd' namespace, on the basis that they would otherwise require
> interpretation by the server, which we want to avoid. (Note that there's
> an exception here for POSIX ACLs, which already use a well-defined
> protocol over NFS).
>
> Here's a summary of the mappings:
>
> Client Server
>
> user.a user.a
> trusted.a nfsd.trusted.a
> system.a nfsd.system.a
> security.a nfsd.security.a
>
> Special cases:
>
> if ACL protocol enabled on server:
>
> system.posix_acl_access system.posix_acl_access
> system.posix_acl_default system.posix_acl_default
>
> if ACL protocol not enabled on server:
>
> system.posix_acl_access [error]
> system.posix_acl_default [error]
>
> This also ensures that nothing about the existing NFS ACL support changes.
>
> 'user' xattrs simply work as expected, whether accessed locally or
> remotely.
>
> How does this sound?
This mapping sounds great to me. It would be interesting to hear some
opinions from other people on the lists.
Brad Boyer
flar@allandria.com
prev parent reply other threads:[~2010-03-13 7:28 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.LRH.2.00.1002261457420.25193@tundra.namei.org>
2010-03-08 10:42 ` [PATCH 0/6][v4][RFC] NFSv3: implement extended attribute protocol (XATTR) James Morris
2010-03-08 10:43 ` [PATCH 1/6] NFSv3: convert client to generic xattr API James Morris
2010-03-08 10:44 ` [PATCH 3/6] NFSv3: add client implementation of XATTR protocol James Morris
2010-03-08 10:45 ` [PATCH 4/6] NFSv3: add server " James Morris
2010-03-08 10:46 ` [PATCH 5/6] xattr: add new top level nfsd namespace and implement ext3 support James Morris
[not found] ` <alpine.LRH.2.00.1003082122340.6314-CK9fWmtY32x9JUWOpEiw7w@public.gmane.org>
2010-03-08 10:43 ` [PATCH 2/6] NFSv3: add xattr API config option for client James Morris
2010-03-08 10:47 ` [PATCH 6/6] NFSv3: Add server namespace support for XATTR protocol implementation James Morris
2010-03-09 3:59 ` [PATCH 0/6][v4][RFC] NFSv3: implement extended attribute protocol (XATTR) Brad Boyer
2010-03-09 5:49 ` Casey Schaufler
[not found] ` <4B95E167.40306-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2010-03-09 7:04 ` Brad Boyer
2010-03-09 19:35 ` Jamie Lokier
[not found] ` <20100309193545.GE11042-yetKDKU6eevNLxjTenLetw@public.gmane.org>
2010-03-10 3:46 ` Casey Schaufler
2010-03-15 3:19 ` Jamie Lokier
2010-03-15 4:42 ` Casey Schaufler
[not found] ` <4B9DBAB0.5060500-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2010-03-15 14:28 ` Jamie Lokier
[not found] ` <20100315142803.GC15133-yetKDKU6eevNLxjTenLetw@public.gmane.org>
2010-03-15 23:28 ` Casey Schaufler
2010-03-15 23:49 ` Trond Myklebust
2010-03-16 2:31 ` Casey Schaufler
2010-03-17 20:13 ` Eric Paris
2010-03-17 21:23 ` Casey Schaufler
2010-03-09 8:13 ` James Morris
2010-03-13 7:28 ` Brad Boyer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100313072859.GA2779@cynthia.pants.nu \
--to=flar@allandria.com \
--cc=Trond.Myklebust@netapp.com \
--cc=bfields@fieldses.org \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=neilb@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).