Site Specific ACL Bits/chown: Was: [OpenAFS-devel] posix chown again

Simon Wilkinson sxw@inf.ed.ac.uk
Tue, 9 Dec 2008 18:13:16 +0000


On 9 Dec 2008, at 16:32, Matt Benjamin wrote:
> In general, I am of the belief that prescriptive rules, here
> specifically, the proscription sites _should not have_ site local ACL
> bits,

I'm certainly not saying that sites _should not have_ site local ACL  
bits. Sites are free to do whatever they like with the site local  
bits. What I'm arguing is that OpenAFS should not ship with a  
mechanism to allow sites to assign a meaning to an arbitrarily chosen  
one of the site local bits by flipping a configuration flag, without  
reconciling the security and usability issues that this presents.

> Rather obviously, it should take more than a simple majority of folks
> not seeing the purpose of some feature, when one of the largest and  
> most
> significant OpenAFS deployments historically and today, worldwide,  
> sees
> its merit enough to code and maintain it.

Is there merit in adding a new feature to OpenAFS simply because a  
single site requires it, when that feature is implemented in such a  
way as to impede the usability of OpenAFS as a whole? Surely the way  
forwards here is to explore ways in which this feature can be  
implemented so that it doesn't impact upon others. I suspect many  
would find the feature itself useful, but would not be prepared to  
accept the maintainance and usability burden it brings with it.

> * The argument for "uniformity" and against site-local flexibility  
> seems
> to be a proxy for a much larger argument against diversity in the code
> base, against OpenAFS being more things to more people, where no one  
> is
> harmed--the shifting of the argument to be against "too many
> configuration options" is the evidence for this

There's pretty strong evidence that as the number of configuration  
knobs increases, the usability of a product decreases. The balance is  
finding the _right_ number of configuration knobs such that it is  
usable by all classes of users, from novice to experienced. You only  
need to read IRC, or the openafs-info list, to realise that the  
process of configuring OpenAFS is daunting for a novice user. If we  
want to expand our userbase, we need to tackle this complexity. This  
isn't to argue against OpenAFS being more things to more people, but I  
would like to see the number of incompatible choices reduced, and more  
code included by default in the stable builds (for example - why  
should a new user have to decide whether or not they need this  
'supergroups' thing? If it's stable it should be on by default, if  
it's unstable, it shouldn't be in the stable tree). I realise that  
we're not going to solve this problem in a day, but I think we have to  
start thinking more about how simplify adoption for new sites.

> Turning to that, the argument against "too many configuration  
> switches"
> is rather like the argument that Mozart used "too many notes."  Too  
> many
> for what?

Your analogy is flawed. No matter how many notes Mozart used, it was  
still possible to determine the quality of the resulting work.

> Clearly, we should keep all the switches activating the features that
> the product and its developers need--all the rest are superfluous.   
> Just
> as clearly, "too many configuration switches" is a proxy for blanket
> attacks on all the features _you_ don't see the need for, but others
> (who created them) did.

To be clear, I'm not attacking the addition of new features - I'm all  
in favour of them! What I'm against is the addition of code  
_particularly on the stable branch_ which is hidden behind arcane  
combinations of build time configuration switches. (Run time  
configuration switches are a slightly different matter). But the  
configuration switch issue is really just a symptom of why this patch  
is flawed, rather than the cause.

> OpenAFS gatekeepers don't need to test all the features the product  
> can
> theoretically perform, they only need to test the ones that are
> _officially supported_.  To argue otherwise is, respectfully, some  
> type
> of overreaching.

Ok. So there's a major philosophical argument here. Why would OpenAFS  
ship code that it doesn't support? If the code isn't supported at all,  
doesn't it belong in some kind of 'contrib' area, rather than in the  
main build. I think there's an assumption that everything in the  
OpenAFS tarball is supported, as much as any of OpenAFS is supported.  
As far as I'm aware, we're not currently listing a set of options that  
gives you a supported build, and declaring 'here be dragons' for  
everything else. However this is really beside the point - the patch  
isn't flawed because it adds yet-another-configuration switch, but  
because it does so without regards for the consequences of making this  
option configurable.

> But respectfully, we
> have, collectively, a right to expect the solutions to be the best
> available, to be sensible, flexible, and well reasoned.

My argument, as I've made before, is that the solution presented by  
the patch we're currently discussing is neither sensible, flexible nor  
the best available.

Let's consider the issues. The patch creates a compile time option  
which allocates a user determined site-local ACL bit to have a  
particular meaning. There is currently no way of guaranteeing that the  
bit that's been selected is consistent between sites, or even between  
file servers. This creates, as far as I can see, the following problems:

*) A user with a presence in multiple sites has to remember what each  
site local bit means in each site. Forgetting this meaning may lead to  
them setting permissions on their files which they didn't intend.
*) Systems staff building OpenAFS across a large environment must  
ensure that every fileserver build has the same set of configuration  
options. A failure to do so means that ACLs will silently change  
meaning when a volume is moved between servers
*) Systems staff upgrading OpenAFS must ensure that the new build is  
done with the same options as the last one. Failing to do so will  
cause ACLs to silently change meaning upon upgrade.

In my opinion, an acceptable patch would have to address these 3  
issues. I think it could do so by adding a mapping RPC, similar to  
what Derrick has already discussed to solve the first issue, and by  
having the ability to detect, and warn of, the latter 2 cases.

> I have always assumed the fair bargain for the right to add new  
> concepts
> and implementations to the system, was that I not act to _prevent
> others_ from adding features for which they see the need and benefit,
> but which I, in my ignorance, do not.

I think any successful large project has to have a group of people who  
take the broader view, and consider the impact across the entire  
system of new features. Some features may be of use to a single user,  
but damaging to the system as a whole. Part of the process is  
balancing the needs of the one with the needs of the many, which  
requires that, upon occasion, some modification of proposed new  
features is required.

> It is the responsibility of site
> administrators (or their contractors, or whatever) to establish and
> maintain a uniform deployment of OpenAFS servers--or indeed, to be  
> quite
> frank, their prerogative to establish and maintain whatever
> configuration of OpenAFS servers they darned well like.

I don't agree. You're suggesting a utopian scenario which doesn't  
compare with many of the site realities I've seen. How many times do  
we get messages from admins whose predecessors have installed an  
ancient OpenAFS, and they're looking to upgrade, but don't know where  
to begin? Building a successful product is about making it easier, not  
harder, for the users who are least able to help themselves.

> The premise that sites cannot be trusted to coordinate uniform build  
> and
> release cycles, such that uniform build configurations, and indeed, a
> uniform set of OpenAFS program binaries are in use at each release  
> they
> roll out, is simply not credible.

I think your experience of the world has been a little more cosy than  
mine. I can think of many sites that don't coordinate releases in this  
way. They probably should, but they don't, and that's the world in  
which we have to operate.

S.