Niels de Vos
ndevos at redhat.com
Thu Feb 26 17:14:45 UTC 2015
On Thu, Feb 26, 2015 at 04:54:42PM +0100, Andreas Gruenbacher wrote:
> Hi everyone,
> I've posted an updated version of the richacl kernel patches and
> user-space bits earlier today . This should give anyone interested
> in the topic a chance to get richacls up and running locally, on ext4,
> to get a feeling of how they work. See the richacl homepage  for
> instructions on getting started, some examples, and some bits of
> background information.
> Some of you are interested in supporting richacls in glusterfs and ceph.
> This will require richacl permission checking in user space; I would
> suggest to use librichacl for doing that. There's a new
> richacl_permission() function there for that currently declared as follows:
> * richacl_permission - check if a user has the requested access
> * @acl: ACL of the file to check
> * @owner: Owner of the file
> * @owning_group: Owning group of the file
> * @user: User ID of the accessing process
> * @groups: Group IDs the accessing process is a member in
> * @n_groups: Number of entries in @groups
> * @mask: Requested permissions (ACE4_* mask flags)
> bool richacl_permission(struct richacl *acl, uid_t owner,
> gid_t owning_group, uid_t user,
> const gid_t *groups, int n_groups,
> unsigned int mask)
> Is this interface suitable?
Yes, that looks very usable to me.
> Note that full permission checking often requires more than just a
> single richacl_permission() check: for example, deleting files is
> restricted to the owner in sticky directories; other mechanisms like
> capabilities may play a role as well.
> Some documentation on how the various richacl permission bits are
> supposed to work can be found in the kernel patches. In addition, the
> test cases in the richacl package are supposed to also document and test
> all the corner cases; they are not perfect yet though.
> Librichacl exports functions for converting from richacl extended
> attributes to librichacl's internal representation and back now. This
> should allow to pass around the richacl xattr blobs and feed them to
> librichacl for permission checking and other richacl manipulations.
Great, that makes it much easier to implement support in the FUSE daemon
side of things.
Thanks for the update!
>  http://lwn.net/Articles/634870/
>  http://www.bestbits.at/richacl/
> Gluster-devel mailing list
> Gluster-devel at gluster.org
More information about the Gluster-devel