[OpenAFS-devel] Per-file ACLs

Marc Dionne marc.c.dionne@gmail.com
Wed, 3 Jun 2009 10:27:04 -0400


On Tue, Jun 2, 2009 at 10:55 PM, Derrick Brashear <shadow@gmail.com> wrote:
>
>> Were any useful documents or code produced with last year's GSOC per-file
>> ACL project? I looked around the web site but didn't see much other than a
>> comment that some server-side work was "substantially completed" - which
>> sounds like at least some amount of code came out of it.
>
> For per-file ACLs? I wonder where you found that; nothing of consequence was
> completed, alas.

Found that comment here: http://www.openafs.org/pages/gsoc/2008final.html

> Have you looked at the CForeign (DFS translator) code in the client?
>
> Derrick

I had a quick look now, but it's not clear exactly what the
assumptions of this option are.  In particular, should CForeign work
correctly with an AFS server at the other end or does it make DFS
assumptions that won't work with AFS?  Any downside?

It does look like it could be a way (maybe the only way) to make old
clients behave sanely.  The issue I've seen so far with an unmodified
client is that some parts of the code (through AccessOK) think a file
is accessible, but attempts to actually access it (FetchData, etc.)
fail at the server.  This has the interesting effect that a file can
be read if it was cached by another user, but can't (permission
denied) if it has to be fetched from the server.

To make newer clients work I've only changed a few lines so far in
AccessOK - I don't see too many other assumptions in the client code
about permissions being at the directory level.  Of course testing
might reveal more.

Marc