9:08 a.m.
I need to be able to check permissions against ntfs acls within our fsal
plugin in certain scenarios when the underlying filesystem is in a mode
where both nfs and smb will be using it concurrently. I will be able to
return the raw data from the xattr containing the acl as well as getting
the SID from the uid/gid, but am curious if there are any examples of fsals
that have checked permissions against ntfs acls within ganesha? I have seen
some things in the codebase checking against nfsv4 acls, but have not seen
anything related to ntfs acls.
9:55 a.m.
On 10/1/19 10:08 AM, Jerrad Bieno wrote:
I need to be able to check permissions against ntfs acls within our
fsal
plugin in certain scenarios when the underlying filesystem is in a mode
where both nfs and smb will be using it concurrently. I will be able to
return the raw data from the xattr containing the acl as well as getting
the SID from the uid/gid, but am curious if there are any examples of
fsals that have checked permissions against ntfs acls within ganesha? I
have seen some things in the codebase checking against nfsv4 acls, but
have not seen anything related to ntfs acls.
No, no one has done anything with NTFS ACLs as far as I know. You
should be able to implement this in your FSAL's test_access op, however.
Daniel
11:46 a.m.
On 10/1/19 10:08 AM, Jerrad Bieno wrote:
> I need to be able to check permissions against ntfs acls within our
> fsal plugin in certain scenarios when the underlying filesystem is in
> a mode where both nfs and smb will be using it concurrently. I will be
> able to return the raw data from the xattr containing the acl as well
> as getting the SID from the uid/gid, but am curious if there are any
> examples of fsals that have checked permissions against ntfs acls
> within ganesha? I have seen some things in the codebase checking
> against nfsv4 acls, but have not seen anything related to ntfs acls.
>
No, no one has done anything with NTFS ACLs as far as I know. You should be
able to implement this in your FSAL's test_access op, however.
You should look at how FSAL_GPFS does NFSv4 ACLs. NTFS ACLs will be pretty similar.
Note that in the case of any operation that changes a directory (file create, rename,
unlink), particularly rename, has unsolvable race conditions if Ganesha is relied on to do
all the permission checking. Normally we defer permission checking of these operations to
the underlying filesystem that can lock the parent directory and the directory entries
being checked. This can be particularly problematical with the introduction of ACLs where
a user might be allowed to delete /export/somedir/somefile so we pass the permission check
but by the time we call the filesystem to do a rename that will delete somefile, the admin
has deleted somefile and replaced it with another file. If that all transpires within the
filesystem, the directory would be locked for the whole of the rename permission checks
and actually performing all the steps for the rename, making the whole thing atomic. In
that case, either the admin or the user go first and complete their operation.
Frank
1907
days inactive
1907
days old
2 comments
3 participants
participants (3)
-
Daniel Gryniewicz -
Frank Filz -
Jerrad Bieno