[Gluster-devel] Richacls

Niels de Vos ndevos at redhat.com
Thu Feb 26 17:14:45 UTC 2015


On Thu, Feb 26, 2015 at 04:54:42PM +0100, Andreas Gruenbacher wrote:
> Hi everyone,
> 
> I've posted an updated version of the richacl kernel patches and
> user-space bits earlier today [1].  This should give anyone interested
> in the topic a chance to get richacls up and running locally, on ext4,
> to get a feeling of how they work.  See the richacl homepage [2] for
> instructions on getting started, some examples, and some bits of
> background information.
> 
> Some of you are interested in supporting richacls in glusterfs and ceph.
> This will require richacl permission checking in user space; I would
> suggest using librichacl for doing that.  There's a new
> richacl_permission() function there for that, currently declared as follows:
> 
>   /**
>    * richacl_permission  -  check if a user has the requested access
>    * @acl:          ACL of the file to check
>    * @owner:        Owner of the file
>    * @owning_group: Owning group of the file
>    * @user:         User ID of the accessing process
>    * @groups:       Group IDs the accessing process is a member of
>    * @n_groups:     Number of entries in @groups
>    * @mask:         Requested permissions (ACE4_* mask flags)
>    */
>   bool richacl_permission(struct richacl *acl, uid_t owner,
>                           gid_t owning_group, uid_t user,
>                           const gid_t *groups, int n_groups,
>                           unsigned int mask);
> 
> Is this interface suitable?

Yes, that looks very usable to me.

> Note that full permission checking often requires more than just a
> single richacl_permission() check: for example, deleting files is
> restricted to the owner in sticky directories; other mechanisms like
> capabilities may play a role as well.
> 
> Some documentation on how the various richacl permission bits are
> supposed to work can be found in the kernel patches.  In addition, the
> test cases in the richacl package are supposed to also document and test
> all the corner cases; they are not perfect yet though.
> 
> Librichacl exports functions for converting from richacl extended
> attributes to librichacl's internal representation and back now.  This
> should allow passing around the richacl xattr blobs and feeding them to
> librichacl for permission checking and other richacl manipulations.

Great, that makes it much easier to implement support in the FUSE daemon
side of things.

Thanks for the update!
Niels


> 
>   [1] http://lwn.net/Articles/634870/
>   [2] http://www.bestbits.at/richacl/
> 
> Thanks,
> Andreas

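The layering mentioned in the thread (an ACL check followed by the sticky-directory rule) can be sketched as below; this is an added example, not code from the thread or from librichacl. Assumptions: the delete masks follow the NFSv4 model (ACE4_DELETE_CHILD on the directory or ACE4_DELETE on the file), the directory owner is also allowed as in the usual Linux sticky rule, capabilities are not modelled, and `struct obj`, `struct cred`, `may_delete` and the `demo_*` functions are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

#define ACE4_DELETE_CHILD 0x00000040u /* NFSv4 mask values, RFC 5661 */
#define ACE4_DELETE       0x00010000u
#ifndef S_ISVTX
#define S_ISVTX 01000 /* sticky bit */
#endif
struct richacl; /* opaque here; the real type comes from librichacl */

/* Same signature as the richacl_permission() declaration quoted above. */
typedef bool (*acl_check_fn)(struct richacl *acl, uid_t owner, gid_t owning_group,
                             uid_t user, const gid_t *groups, int n_groups,
                             unsigned int mask);

/* Hypothetical containers for per-object and per-request state. */
struct obj { struct richacl *acl; uid_t owner; gid_t group; mode_t mode; };
struct cred { uid_t uid; const gid_t *groups; int n_groups; };

/* Delete check: an ACL grant first, then the sticky-directory ownership rule. */
bool may_delete(acl_check_fn check, const struct obj *dir,
                const struct obj *victim, const struct cred *c)
{
    bool granted =
        check(dir->acl, dir->owner, dir->group,
              c->uid, c->groups, c->n_groups, ACE4_DELETE_CHILD) ||
        check(victim->acl, victim->owner, victim->group,
              c->uid, c->groups, c->n_groups, ACE4_DELETE);
    if (!granted)
        return false;
    /* Sticky directory: only the owner of the file or of the directory. */
    return !(dir->mode & S_ISVTX) || c->uid == victim->owner || c->uid == dir->owner;
}

/* Constructed stand-in checker: everyone may delete children, nothing else. */
bool demo_check(struct richacl *a, uid_t o, gid_t g, uid_t u, const gid_t *gs, int n, unsigned int mask)
{
    (void)a; (void)o; (void)g; (void)u; (void)gs; (void)n;
    return mask == ACE4_DELETE_CHILD;
}

/* Constructed scenario: directory owned by uid 0, file owned by uid 1000. */
bool demo_case(mode_t dir_mode, uid_t user)
{
    struct obj dir = { NULL, 0, 0, dir_mode }, victim = { NULL, 1000, 1000, 0644 };
    struct cred c = { user, NULL, 0 };
    return may_delete(demo_check, &dir, &victim, &c);
}
```

In a real caller, `richacl_permission` itself would be passed as `check`, with the ACLs obtained from the objects' richacl xattrs.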
