linux-nfs.vger.kernel.org archive mirror
From: Neil Brown <neilb@suse.de>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>,
	Jim Rees <rees@umich.edu>,
	Daniel.Muntz@emc.com, linux-nfs@vger.kernel.org
Subject: Re: numeric UIDs
Date: Thu, 12 Aug 2010 09:22:32 +1000
Message-ID: <20100812092232.344314b2@notabene>
In-Reply-To: <20100805153421.GD27141@fieldses.org>

On Thu, 5 Aug 2010 11:34:21 -0400
"J. Bruce Fields" <bfields@fieldses.org> wrote:

> On Tue, Aug 03, 2010 at 10:02:16PM -0400, Trond Myklebust wrote:
> > On Tue, 2010-08-03 at 18:42 -0400, J. Bruce Fields wrote:
> > > On Tue, Aug 03, 2010 at 06:31:15PM -0400, Trond Myklebust wrote:
> > > > We know it has a bunch of problems,
> > > > not least the one that limits ngroups <= 16, and the fact that it relies
> > > > on uids (as opposed to login names) being the same on client and server
> > > > so why not try to fix those limitations?
> > > 
> > > Sure, that would be great.
> > > 
> > > Again, that doesn't address the complaints above.
> > 
> > Yes it does.
> 
> See the stated scenario:
> 
> 	http://marc.info/?l=linux-nfs&m=128080127215350&w=2
> 
> It's a dumb client making a copy of a filesystem over NFS for backup.
> 
> It's not true that this case could be dealt with by an auth_sys
> replacement that uses names instead of id's.
> 
> (You could argue that it's a hypothetical case, crazy, not important, or
> whatever--just not that it has much to do with the authentication
> flavor.
> 
> Personally I think it *is* of at least some importance, since anyone
> depending on that sort of behavior will see their systems stop working
> if they switch from v2/v3 to v4.  The v2/v3 install base being massive
> compared to v4's, the success of v4+ depends in part on reducing the
> chances of that kind of thing happening.)

I agree.  And surely it can all be solved in idmapd.

On the server, tell idmapd to map all users to "NUMERIC_USER:%d" and all
groups to "NUMERIC_GROUP:%d" (or whatever) for some given clients (i.e. stop
ignoring the 'authentication name').  And of course map those names back to
numbers.

I don't know if the client can easily differentiate based on which server it
is talking to, but there is probably less need there (and maybe it can
anyway).

It shouldn't take more than half an hour to hack something into
idmapd.c:nfsdcb() for the server side and nfscb for the client side - or
for a quicker hack, just go directly to imconv and ignore the client name on
the server.  (all this in nfs-utils of course).

NeilBrown
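
The numeric-name round trip proposed in the message above, as an added example that is not part of the original post and is not nfs-utils code. The function names and the NOBODY_ID fallback are assumptions; the point it shows is that the name-to-number direction has to parse strictly, so a malformed owner string falls back to an unprivileged id instead of being read as 0.

```c
/* Added illustration; not nfs-utils code. "NUMERIC_USER:" is the
 * placeholder prefix from the message; NOBODY_ID and both function
 * names are assumptions made for this example. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUM_USER_PREFIX "NUMERIC_USER:"
#define NOBODY_ID 65534u /* assumed fallback for unmappable names */

/* id -> name: put the raw id behind the prefix. Returns 0, or -1 if
 * the buffer is too small (a truncated name must never go on the wire). */
int numeric_id_to_name(uint32_t id, char *buf, size_t len)
{
    int n = snprintf(buf, len, NUM_USER_PREFIX "%u", (unsigned)id);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* name -> id: accept only the prefix followed by a canonical decimal
 * that fits in 32 bits. On any other input *id is NOBODY_ID and the
 * return value is -1. */
int numeric_name_to_id(const char *name, uint32_t *id)
{
    size_t plen = strlen(NUM_USER_PREFIX);
    const char *p;
    char *end;
    unsigned long long v;

    *id = NOBODY_ID;
    if (strncmp(name, NUM_USER_PREFIX, plen) != 0)
        return -1;
    p = name + plen;
    /* strtoull() skips whitespace and accepts a sign; insist on a digit */
    if (*p < '0' || *p > '9')
        return -1;
    /* no leading zeros, so each id has exactly one spelling */
    if (p[0] == '0' && p[1] != '\0')
        return -1;
    errno = 0;
    v = strtoull(p, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT32_MAX)
        return -1;
    *id = (uint32_t)v;
    return 0;
}
```

The same pair with a "NUMERIC_GROUP:" prefix covers groups.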
