[OpenAFS-devel] Per-file ACLs

Derrick Brashear shadow@gmail.com
Wed, 3 Jun 2009 11:08:51 -0400


On Wed, Jun 3, 2009 at 10:27 AM, Marc Dionne <marc.c.dionne@gmail.com> wrote:
> On Tue, Jun 2, 2009 at 10:55 PM, Derrick Brashear <shadow@gmail.com> wrote:
>>
>>> Were any useful documents or code produced with last year's GSOC per-file
>>> ACL project? I looked around the web site but didn't see much other than a
>>> comment that some server-side work was "substantially completed" - which
>>> sounds like at least some amount of code came out of it.
>>
>> For per-file ACLs? I wonder where you found that; Nothing of consequence was
>> completed, alas.
>
> Found that comment here: http://www.openafs.org/pages/gsoc/2008final.html
>
>> Have you looked at the CForeign (DFS translator) code in the client?
>>
>> Derrick
>
> I had a quick look now, but it's not clear exactly what the
> assumptions of this option are. In particular, should CForeign work
> correctly with an AFS server at the other end or does it make DFS
> assumptions that won't work with AFS? Any downside?

There are existing AFS-protocol servers which make use of it, notably,
Jeff Hutzelman's hostafs uses it.

> It does look like it could be a way (maybe the only way) to make old
> clients behave sanely. The issue I've seen so far with an unmodified
> client is that some parts of the code (through AccessOK) think a file
> is accessible, but attempts to actually access it (FetchData, etc.)
> fail at the server. This has the interesting effect that a file can
> be read if it was cached by another user, but can't (permission
> denied) if it has to be fetched from the server.

I wonder if CForeign will behave better.

> To make newer clients work I've only changed a few lines so far in
> AccessOK - I don't see too many other assumptions in the client code
> about permissions being at the directory level. Of course testing
> might reveal more.

Indeed.


-- 
Derrick