[Gluster-devel] [PATCH v9] vfs_glusterfs: Samba VFS module for glusterfs
Anand Avati
avati at redhat.com
Wed May 29 22:27:27 UTC 2013
>> On 05/29/2013 07:21 AM, Anand Avati wrote:
>> Implement a Samba VFS plugin for glusterfs based on gluster's gfapi.
>> This is a "bottom" vfs plugin (not something to be stacked on top of
>> another module), and translates (most) calls into closest actions
>> on gfapi.
> Anand before we push this in samba I would like to have an answer about
> access control.
>
> I have tried to find out exactly how access control is handled but the
> code is complex.
>
> However what I found so far is not encouraging.
>
> I see things like:
>
> #define GF_MAX_AUX_GROUPS 200
>
> and then in syncop_create_frame() that value is used to cap the max
> number of auxiliary groups.
>
> In Linux the max number of auxiliary groups is 65536 and we have seen
> easily 2k auxiliary groups attached to a user in Windows domains.
Currently it is artificially limited to a number. I will work on making
this dynamic. However this will be a completely internal change to
glusterfs with no changes in either API or vfs_glusterfs. Thanks for the
feedback.
> It also seem to me that this 'frame' is stored in thread local storage
> and reused is found, but I do not see any code to check that the current
> identity still matches the process identity. It may be that I haven't
> found it yet but so far it looks to me that you have one shot to set the
> identity of the caller and then it is assumed the same for all operations ?
> That won't work with samba.
>
> Can you shed some light here please ?
The thread local storage is within the context of a synctask (an
internal glusterfs concept, which expires with the completion of a GFAPI
call). However each Samba VFS/GFAPI call will get a new frame created
and euid/egid/groups freshly recalculated. Call frames are never re-used
across two GFAPI calls.
Are there any further concerns?
Avati
More information about the Gluster-devel
mailing list