[PATCH v8 00/41] Richacls

classic Classic list List threaded Threaded
68 messages Options
1234
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH v8 00/41] Richacls

Andreas Grünbacher
2015-10-06 11:49 GMT+02:00 James Morris <[hidden email]>:
> Where is the rationale for them?
>
> This url doesn't work: http://acl.bestbits.at/richacl/

That URL also properly redirects to http://www.bestbits.at/richacl/
now. There is some information on that website, in the manual pages in
the richacl user-space package, an in the patch descriptions and
comments.

Thanks,
Andreas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [hidden email]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH v8 00/41] Richacls

Andreas Gruenbacher-6
In reply to this post by Christoph Hellwig
On Tue, Oct 6, 2015 at 11:49 AM, Christoph Hellwig <[hidden email]> wrote:

> On Mon, Oct 05, 2015 at 02:58:36PM -0400, Austin S Hemmelgarn wrote:
>> I think the point is that a new VFS feature that is easy to integrate in
>> multiple filesystems should have support for those filesystems.  A decade
>> ago, just having ext* support would probably have been fine, but these days,
>> XFS, BTRFS, and F2FS are used just as much (if not more) on production
>> systems as ext4, and having support for them right from the start would
>> significantly help with adoption of richacls.
>
> That's one reason.  The other is that actually wiring it up for more
> than a single consumer shows its actually reasonable generic.

The filesystem interface now is the same as for POSIX ACLs, used by a
dozen or so filesystems already.

>  I don't want to end up with a situration like Posix ACLs again where
> different file systems using different on disk formats again.

Any file system could choose a different on-disk format than the one
that ext4 currently uses, but I don't see a reason why any should.
Apart from uid / gid mappings that is the same as the user-space xattr
format. Network file systems like NFSv4 and CIFS with their predefined
over-the-wire formats obviously are another story.

Thanks,
Andreas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [hidden email]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH v8 00/41] Richacls

Andreas Dilger-7
On Oct 6, 2015, at 7:12 AM, Andreas Gruenbacher <[hidden email]> wrote:

>
> On Tue, Oct 6, 2015 at 11:49 AM, Christoph Hellwig <[hidden email]> wrote:
>> On Mon, Oct 05, 2015 at 02:58:36PM -0400, Austin S Hemmelgarn wrote:
>>> I think the point is that a new VFS feature that is easy to integrate in
>>> multiple filesystems should have support for those filesystems.  A decade
>>> ago, just having ext* support would probably have been fine, but these days,
>>> XFS, BTRFS, and F2FS are used just as much (if not more) on production
>>> systems as ext4, and having support for them right from the start would
>>> significantly help with adoption of richacls.
>>
>> That's one reason.  The other is that actually wiring it up for more
>> than a single consumer shows its actually reasonable generic.
>
> The filesystem interface now is the same as for POSIX ACLs, used by a
> dozen or so filesystems already.
>
>> I don't want to end up with a situration like Posix ACLs again where
>> different file systems using different on disk formats again.
>
> Any file system could choose a different on-disk format than the one
> that ext4 currently uses, but I don't see a reason why any should.
> Apart from uid / gid mappings that is the same as the user-space xattr
> format. Network file systems like NFSv4 and CIFS with their predefined
> over-the-wire formats obviously are another story.
And any disk filesystems that have their own non-POSIX ACLs, such as HFS, NTFS, ZFS would presumably also need to map the in-kernel Richacl format to their on-disk format.

Cheers, Andreas






signature.asc (850 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH v8 00/41] Richacls

Steve French-2
On Tue, Oct 6, 2015 at 3:26 PM, Andreas Dilger <[hidden email]> wrote:

> On Oct 6, 2015, at 7:12 AM, Andreas Gruenbacher <[hidden email]> wrote:
>>
>> On Tue, Oct 6, 2015 at 11:49 AM, Christoph Hellwig <[hidden email]> wrote:
>>> On Mon, Oct 05, 2015 at 02:58:36PM -0400, Austin S Hemmelgarn wrote:
>>>> I think the point is that a new VFS feature that is easy to integrate in
>>>> multiple filesystems should have support for those filesystems.  A decade
>>>> ago, just having ext* support would probably have been fine, but these days,
>>>> XFS, BTRFS, and F2FS are used just as much (if not more) on production
>>>> systems as ext4, and having support for them right from the start would
>>>> significantly help with adoption of richacls.
>>>
>>> That's one reason.  The other is that actually wiring it up for more
>>> than a single consumer shows its actually reasonable generic.
>>
>> The filesystem interface now is the same as for POSIX ACLs, used by a
>> dozen or so filesystems already.
>>
>>> I don't want to end up with a situration like Posix ACLs again where
>>> different file systems using different on disk formats again.
>>
>> Any file system could choose a different on-disk format than the one
>> that ext4 currently uses, but I don't see a reason why any should.
>> Apart from uid / gid mappings that is the same as the user-space xattr
>> format. Network file systems like NFSv4 and CIFS with their predefined
>> over-the-wire formats obviously are another story.
>
> And any disk filesystems that have their own non-POSIX ACLs, such as HFS, NTFS, ZFS would presumably also need to map the in-kernel Richacl format to their on-disk format.

Will be interesting to see whether in the long run can have some
common code in NTFS, CIFS/SMB3 (and even NFSv4.x) ACL parsing since
their formats are quite closely related



--
Thanks,

Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [hidden email]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH v8 00/41] Richacls

Christoph Hellwig
In reply to this post by Andreas Dilger-7
On Tue, Oct 06, 2015 at 02:26:09PM -0600, Andreas Dilger wrote:
> And any disk filesystems that have their own non-POSIX ACLs, such as HFS, NTFS, ZFS would presumably also need to map the in-kernel Richacl format to their on-disk format.

No, we did this mistake with Posix ACLs, and we're not going to repeat
it here.  Filesystems with their own slightly different ACLs must not
reuse the interface.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [hidden email]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH v8 00/41] Richacls

Andreas Gruenbacher-6
On Wed, Oct 7, 2015 at 9:50 AM, Christoph Hellwig <[hidden email]> wrote:
> On Tue, Oct 06, 2015 at 02:26:09PM -0600, Andreas Dilger wrote:
>> And any disk filesystems that have their own non-POSIX ACLs, such as HFS, NTFS, ZFS would presumably also need to map the in-kernel Richacl format to their on-disk format.
>
> No, we did this mistake with Posix ACLs, and we're not going to repeat
> it here.  Filesystems with their own slightly different ACLs must not
> reuse the interface.

Well, things may not be quite as clearly delineated. We currently have
code in nfsd for mapping between NFSv4 ACLs on the wire and POSIX ACLs
on local file systems. This mapping is problematic because of the
semantic differences between NFSv4 ACLs and POSIX ACLs (different sets
of permissions, access and default acl vs. inheritance flags,
different permission check algorithm). I wish we could have avoided
that.

Richacls are designed to support NFSv4 ACLs on top of POSIX systems.
This means that they should obviously be supported by the NFSv4 server
and client (see the patches) and by the common local filesystems.

ACLs on NTFS and ZFS mostly fit into the same model. The big remaining
difference there is how users and groups are identified: NTFS used
SIDs (https://en.wikipedia.org/wiki/Security_Identifier); ZFS could be
said to use a hybrid UID / GID / SID model. Exposing those ACLs as
richacls would make sense if we can find a clean way of handling this
aspect.

HFS ACLs have sufficiently different semantics (the user.group tuples)
that representing them as richacls wouldn't make sense.

Thanks,
Andreas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [hidden email]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH v8 00/41] Richacls

Steve French-2
On Wed, Oct 7, 2015 at 8:38 AM, Andreas Gruenbacher <[hidden email]> wrote:

> On Wed, Oct 7, 2015 at 9:50 AM, Christoph Hellwig <[hidden email]> wrote:
>> On Tue, Oct 06, 2015 at 02:26:09PM -0600, Andreas Dilger wrote:
>>> And any disk filesystems that have their own non-POSIX ACLs, such as HFS, NTFS, ZFS would presumably also need to map the in-kernel Richacl format to their on-disk format.
>>
>> No, we did this mistake with Posix ACLs, and we're not going to repeat
>> it here.  Filesystems with their own slightly different ACLs must not
>> reuse the interface.
>
> Well, things may not be quite as clearly delineated. We currently have
> code in nfsd for mapping between NFSv4 ACLs on the wire and POSIX ACLs
> on local file systems. This mapping is problematic because of the
> semantic differences between NFSv4 ACLs and POSIX ACLs (different sets
> of permissions, access and default acl vs. inheritance flags,
> different permission check algorithm). I wish we could have avoided
> that.
>
> Richacls are designed to support NFSv4 ACLs on top of POSIX systems.
> This means that they should obviously be supported by the NFSv4 server
> and client (see the patches) and by the common local filesystems.
>
> ACLs on NTFS and ZFS mostly fit into the same model. The big remaining
> difference there is how users and groups are identified: NTFS used
> SIDs (https://en.wikipedia.org/wiki/Security_Identifier); ZFS could be
> said to use a hybrid UID / GID / SID model. Exposing those ACLs as
> richacls would make sense if we can find a clean way of handling this
> aspect.

Samba (e.g. winbind service) has mapping libraries for mapping SIDs to
UIDs (CIFS ACLs already have the same issue of SID to UID mapping
which we handle with upcalls) and Samba has various pluggable ways to
handle UID mapping and is easily extensible.  Similarly NFSv4 ACLs,
although closely related to CIFS/NTFS ACLs have to be map usernames to
uids.

--
Thanks,

Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [hidden email]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH v8 00/41] Richacls

Andreas Gruenbacher-6
In reply to this post by Andreas Grünbacher
On Tue, Sep 29, 2015 at 4:54 PM, Andreas Grünbacher
<[hidden email]> wrote:

> 2015-09-28 19:46 GMT+02:00 J. Bruce Fields <[hidden email]>:
>> On Mon, Sep 28, 2015 at 07:10:06PM +0200, Andreas Grünbacher wrote:
>>> 2015-09-28 18:35 GMT+02:00 J. Bruce Fields <[hidden email]>:
>>> > On Mon, Sep 28, 2015 at 12:08:51AM +0200, Andreas Gruenbacher wrote:
>>> >> Open issues in nfs:
>>> >>
>>> >> * When a user or group name cannot be mapped, nfs's idmapper always maps it
>>> >>   to nobody. That's good enough for mapping the file owner and owning
>>> >>   group, but not for identifiers in acls. For now, to get the nfs richacl
>>> >>   support somewhat working, I'm explicitly checking if mapping has resulted
>>> >>   in uid/gid 99 in the kernel.
>>> >>
>>> >> * When the nfs server replies with NFS4ERR_BADNAME for any user or group
>>> >>   name lookup, the client will stop sending numeric uids and gids to the
>>> >>   server even when the lookup wasn't numeric.  From then on, the client
>>> >>   will translate uids and gids that have no mapping to the string "nobody",
>>> >>   and the server will reject them.  This problem is not specific to acls.
>>> >
>>> > Do you have fixes in mind for these two issues?
>>>
>>> I'm not sure how to best fix the idmapper problem, with backwards
>>> compatibility and all.
>>
>> I haven't looked at the current nfsidmap interface....  So it's
>> completely lacking any way to communicate failure?
>
> Yes, when a user doesn't exist, idmapper maps that to the nobody
> uid/gid. That's the failure mode of stat. In the acl case, we do want
> to map user and group names to their respective ids where possible (so
> that the acl makes sense in the local system context), but we do want
> to preserve the original user and group names when there is no such
> mapping instead of mapping to the nobody uid/gid.

So that's fixed now in nfs-utils and the latest richacl snapshot.

>>> The second problem shouldn't be too hard to fix.
>>
>> Is it enough to turn off the failover in the case there's no possibility
>> it could have been caused by a numeric id?
>
> Yes, I believe that would be enough.
>
>> If any user can set ACLs with arbitrary strings as names, then we'd be
>> giving any user unprivileged user the ability to turn off numeric
>> idmapping, so I think we need to fix that.
>
> The bug can be triggered by unprivileged users with nfs4_setfacl.

It turns out that when setting an ACL, the ACL can contain UID/GID
numbers as well as user@domain strings which the server cannot map.
The status code is NFS4ERR_BADNAME both when the server doesn't
support UID/GID numbers and when it cannot map a name, so in that
case, we cannot tell the difference.

Luckily, when a UID/GID cannot be mapped to a name, nfs falls back to
sending the server a UID/GID number instead even when
NFS_CAP_UIDGID_NOMAP has been cleared. So unprivileged users can turn
on the idmapper, but at least that doesn't break unmapped UIDs/GIDs.
(I got that wrong in my initial analysis.)

Thanks,
Andreas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [hidden email]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
1234