[Gluster-devel] Portable filesystem ACLs?

Niels de Vos ndevos at redhat.com
Fri Dec 12 17:36:50 UTC 2014 

Hi,

I started to look into getting some form of support for ACLs in gfapi.

After a short discussion with Shyam, some investigation showed that our
current implementation of ACLs is not very portable. There definitely
seem to be issues with ACLs when a FUSE mount is used on FreeBSD, and
the bricks are on a Linux system.

Our current implementations of (POSIX) ACLs is very much focussed on the
Linux behaviour. For example, there is the assumption that ACLs are
stored in the system.posix_acl_access extended attribute. FreeBSD uses a
system.posix1e.acl_access xattr. Other platforms likely use an other
variation. Also the (binary) encoding of the contens most definitely
differs per platform.

In order to provide a good experience with ACLs on different platforms,
we could introduce a solution like this:

    setfacl ...
      |
      v
    glusterfs client (like fuse)
      |
      v
    some API, possibly transparent in the posix-acl xlator
      |       converts the client-platform specific ACL into
      |       a Gluster ACL format
      v
    Outgoing RPC procedure, a new SET_ACL, or as SETXATTR(gluster.acl)
      |
      v
    [network]
      |
      v
    Incoming RPC procedure on the brick (can be different platform)
      |
      v
    Conversion from Gluster/ACL format to platform specific, possibly in
      |       the storage/posix xlator
      v
    setfacl() syscall/library call to store the ACL on the filesystem


Reading the ACL would be the same, just in reverse.

It would be most welcome to have some kind of API that can get exposed
in gfapi, so that NFS-Ganesha and other gfapi applications can get/set
ACLs in a standardized way. One option is to use the (possibly platform
dependent) structures defined by libacl or librichacl.

What do others think about this? Any suggestions, alternative solutions
or comments in general?

Thanks,
Niels
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://supercolony.gluster.org/pipermail/gluster-devel/attachments/20141212/87336ea1/attachment.sig>

More information about the Gluster-devel mailing list