[Gluster-devel] Change in glusterfs[master]: Transparent data encryption and metadata authentication in t...
edward at redhat.com
Fri Oct 25 18:46:15 UTC 2013
On Thu, 24 Oct 2013 13:59:43 -0700
Anand Avati <avati at gluster.org> wrote:
> On Thu, Oct 24, 2013 at 1:18 PM, Edward Shishkin <edward at redhat.com>
> > Hi all,
> > So, here is the "all-in-one-translator" version represented by the
> > Patch Set #2 at review.gluster.org/4667
> > Everything has been addressed except encryption in NFS mounts (see
> > next mail for details). That is:
> > . New design of EOF (end-of-file) handling;
> > . No oplock translator on the server side;
> > . All locks are acquired/released by the crypt translator;
> > . Now we can encrypt srtiped and(or) replicated volumes.
> > Common comments.
> > In the new design all files on the server are "padded", whereas the
> > real file size is stored as xattr. So we introduce a special layer
> > in the crypt translator, which performs file size translations:
> > every time when any callback returns struct iatt, we update its
> > ia_size with the real (non-padded) value.
> > The most unpleasant thing in this new design is FOP->readdirp_cbk():
> > in this case we need N translations, i.e. N calls to the server (N
> > is number of directory entries).
> > To perform translations we spawn N children. We need a valid list of
> > dirents after returning from FOP->readdirp_cbk() of previous
> > translator, but we don't want to create a copy of this list (which
> > can be large enough). For this reason we introduce a reference
> > counter in struct gf_dirent_t and allocate dynamic structures
> > gf_dirent_t (instead of on-stack ones), see respective changes in
> > ./libglusterfs/src/gf-dirent.c
> > ./libglusterfs/src/gf-dirent.h
> > ./xlators/cluster/dht/src/dht-common.c
> > ./xlators/protocol/client/src/client-rpc-fops.c
> [pasting from internal email reply]
> I had a look at the way you are handling readdirplus. I think it is
> overly complex. FOP->readdirplus() already has a parameter @xdata in
> which you can request per-entry xattr replies.
> So in crypt_readdirp() you need to: dict_set(xdata,
> FSIZE_XATTR_PREFIX, 0);
> Once you do that, in crypt_readdirp_cbk, you can expect each
> gf_dirent_t to have its dirent->dict set with FSIZE_XATTR_PREFIX.
> So you just need to iterate over replies in crypt_readdirp_cbk,
> update each dirent->d_stat.ia_size with value from
> dict_get_uint64(dirent->xdata, FSIZE_XATTR_PREFIX)
> Please look at how posix-acl does something very similar (loading
> per-entry ACLs into respective inodes via xattrs returned in
I didn't know about such possibility.
More information about the Gluster-devel