<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 20, 2017 at 9:21 PM, Niels de Vos <span dir="ltr"><<a href="mailto:ndevos@redhat.com" target="_blank">ndevos@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail-HOEnZb"><div class="gmail-h5">On Thu, Jul 20, 2017 at 08:25:23PM +0530, Amar Tumballi wrote:<br>
> On Thu, Jul 20, 2017 at 7:36 PM, Niels de Vos <<a href="mailto:ndevos@redhat.com">ndevos@redhat.com</a>> wrote:<br>
><br>
> > On Thu, Jul 20, 2017 at 07:11:29PM +0530, Amar Tumballi wrote:<br>
> > > Hi,<br>
> > ><br>
> > > I was working on subdir mount for fuse clients [1], and was able to<br>
> > handle<br>
> > > pieces just fine in filesystem part of gluster. [2]<br>
> > ><br>
> > > What is pending is, how will we handle the authentication options for<br>
> > this<br>
> > > at each subdir level?<br>
> > ><br>
> > > I propose to keep the current option and extend it to handle new<br>
> > feature<br>
> > > with proper backward compatibility.<br>
> > ><br>
> > > Currently, the option auth.allow (and auth.reject) are of the type<br>
> > > GF_OPTION_TYPE_INTERNET_<wbr>ADDRESS_LIST. Which expects valid internet<br>
> > > addresses with comma separation.<br>
> > ><br>
> > > For example, the current option looks like this:<br>
> > ><br>
> > > 'option auth.addr.brick-name.allow *' OR 'option<br>
> > > auth.addr.brick-name.allow "192.168.*.* ,10.10.*.*"'.<br>
> > ><br>
> > > In future, it may look like:<br>
> > ><br>
> > > `option auth.addr.brick-name.allow "10.0.1.13;192.168.1.*<br>
> > > =/subdir1;192.168.10.* ,192.168.11.104 =/subdir2"`<br>
> > ><br>
> > > so each entry will be separated by ';'. And in each entry, first part<br>
> > ("<br>
> > > =") is address list and second part is directory. If directory is empty,<br>
> > > it's assumed as '/'. (Handles the backward compatibility). And if there is<br>
> > > no entry for a $subdir here, that $subdir won't be mountable.<br>
> ><br>
> > IIRC Gluster/NFS allows you to set permissions for subdir mounting with<br>
> > a format like this:<br>
> ><br>
> > /subdir/next/dir(IP,IP-range,.<wbr>..) /subdir2(IP)<br>
> ><br>
> > This is good, but would currently break the compatibility with existing<br>
> auth.allow of gluster.<br>
><br>
> Backward compatibility was the main reason for me to consider the above<br>
> approach.<br>
><br>
> It would be best to use the existing format if we can to prevent<br>
> > confusion among our users.<br>
> ><br>
> > Currently existing gluster's option is not same as NFS in my opinion. How<br>
> do you want to handle it?<br>
<br>
</div></div>I'm wondering if the current format that is used for NFS is not<br>
sufficient? Some defaults and quirks that would apply:<br>
<br></blockquote><div><br></div><div>Should be sufficient. Earlier I was not sure of which option you were talking about.<br><br></div><div>For everyone's clarity, I assume Niels is talking about 'nfs3.*.export-dir' option in xlators/nfs/server/src/nfs.c.<br><br></div><div>It is of the form: /foo(<a href="http://192.168.1.0/24|host1|10.1.1.8">192.168.1.0/24|host1|10.1.1.8</a>),/host2.<br><br>&lt;dir&gt;[(hostspec[|hostspec|...])][,...]<br><br></div><div>But point to note here, it is of form GF_OPTION_STR, which means there won't be any validation for this key, unlike current gluster's server-protocol auth.allow, which checks for valid_hostname during gluster volume set itself.<br><br></div><div>I am fine to support this format for auth-allow too, by handling current format as special case for backward compatibility. I will give others time till Monday before confirming this and going ahead with implementation. Suggest other valid options and reason if this is not enough.<br><br></div><div>Regards,<br></div><div>Amar<br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
- if an entry does not start with "/", assume it is an IP/host/... and<br>
apply the restriction to the whole volume<br>
- separator between entries can be either " " or "," or a combination<br>
<br>
It would be good not to break any of the current accepted formats, and<br>
make them equal if we can.<br>
<br>
Do you see a problem with this that I might have missed?<br>
<span class="gmail-HOEnZb"><font color="#888888">Niels<br>
</font></span><div class="gmail-HOEnZb"><div class="gmail-h5"><br>
<br>
><br>
> -Amar<br>
><br>
><br>
> > Thanks,<br>
> > Niels<br>
> ><br>
> ><br>
> > ><br>
> > > (The above format is handled properly already at [2] in addr.c, the<br>
> > pending<br>
> > > thing is to handle the option properly in options.c's validate).<br>
> > ><br>
> > > [1] - <a href="https://github.com/gluster/glusterfs/issues/175" rel="noreferrer" target="_blank">https://github.com/gluster/<wbr>glusterfs/issues/175</a><br>
> > > [2] - <a href="https://review.gluster.org/17141" rel="noreferrer" target="_blank">https://review.gluster.org/<wbr>17141</a><br>
> > ><br>
> > > If everyone agrees to this, I guess we can pull it off before absolute<br>
> > > feature freeze date for 3.12 branch.<br>
> > ><br>
> > > Let me know the feedback. (I am updating the same content in github, so<br>
> > > feel free to comment there too).<br>
> > ><br>
> > > NOTE: I thought of using ':' (colon) as field separator between addr_list<br>
> > > and subdir entry, but with IPv6 ':' is valid character in string. Hence<br>
> > > using ' ='.<br>
> > > --<br>
> > > Amar Tumballi (amarts)<br>
> ><br>
> ><br>
> ><br>
><br>
><br>
> --<br>
> Amar Tumballi (amarts)<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>Amar Tumballi (amarts)<br></div></div></div></div></div>
</div></div>
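The thread settles on accepting the NFS-style `/dir(hostspec|hostspec|...)` form for auth.allow while keeping plain address lists working, and notes that a plain string option gets no validation at volume-set time. The following is an added example, not GlusterFS code or code from either poster: a strict parser that applies the two rules listed above (an entry not starting with "/" covers the whole volume; entries are separated by " " and/or ","). The names `parse_auth_allow`, `struct auth_rule` and `hostspec_ok` are hypothetical, and treating a directory with no host list as open to any address is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RULES 16
struct auth_rule { char dir[64]; char host[64]; };  /* one (subdir, hostspec) pair */

/* Constructed check: only characters of host names, IPv4/IPv6, CIDR and wildcards. */
static int hostspec_ok(const char *h, size_t n)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.:-_*/";
    return n > 0 && n < 64 && strspn(h, ok) >= n;
}

static int add_rule(struct auth_rule *out, int n, const char *dir, size_t dlen,
                    const char *host, size_t hlen)
{
    if (n < 0 || n >= MAX_RULES || dlen >= 64 || !hostspec_ok(host, hlen)) return -1;
    snprintf(out[n].dir, sizeof(out[n].dir), "%.*s", (int)dlen, dir);
    snprintf(out[n].host, sizeof(out[n].host), "%.*s", (int)hlen, host);
    return n + 1;
}

/* Returns the number of rules written to out[], or -1 if the value is malformed. */
int parse_auth_allow(const char *p, struct auth_rule *out)
{
    int n = 0;
    for (;;) {
        p += strspn(p, " ,");                    /* entry separators: ' ' and/or ',' */
        if (!*p) return n;
        size_t len = strcspn(p, " ,()");
        if (*p == '/' && p[len] == '(') {        /* /dir(hostspec|hostspec|...) */
            const char *h = p + len + 1;
            do {
                size_t hlen = strcspn(h, "|)");
                n = add_rule(out, n, p, len, h, hlen);
                if (n < 0 || h[hlen] == '\0') return -1;  /* bad host or missing ')' */
                h += hlen + 1;
            } while (h[-1] != ')');
            p = h;
            continue;
        }
        if (p[len] == '(' || p[len] == ')') return -1;    /* stray parenthesis */
        if (*p == '/') n = add_rule(out, n, p, len, "*", 1);  /* assumption: bare dir, any host */
        else           n = add_rule(out, n, "/", 1, p, len);  /* legacy entry: whole volume */
        if (n < 0) return -1;
        p += len;
    }
}
```

Rejecting a malformed value with -1 at set time, rather than storing it, is what keeps a typo from silently widening or removing access when the option is later evaluated.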