Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

POSIX ACL #4409

Closed
jiefenghuang opened this issue Feb 18, 2024 · 2 comments · Fixed by #4526
Closed

POSIX ACL #4409

jiefenghuang opened this issue Feb 18, 2024 · 2 comments · Fixed by #4526
Assignees
@jiefenghuang
Labels
kind/feature New feature or request

Comments

@jiefenghuang
Copy link
Contributor

jiefenghuang commented Feb 18, 2024
edited
Loading

Why is this needed:
support POSIX ACL

What would you like to be added:

basic ACL functionality

reference

what to be added

  • add enable-acl flag (also implies default_permissions) to check access acl
    • TODO: For SDK users, user-space ACL checking is required.
  • update acl: in setxattr
  • default acl: inheritance of default ACLs when new filesystem nodes are
    created
  • sync between file mode and acl: setattr and setxattr

compatibility

(irreversible) global meta format flag

why is this needed

  • Allowing client mount without ACL will disrupt the synchronization of file mode and ACL.
  • Disabling ACL requires a time-consuming conversion of the group class part of file modes for all files (from mask to owner group), so currently, disabling ACL is not supported.

what to be added

  • add enable-acl flag to meta format
  • set fuse.MountOptions
    • DisableXAttrs = !(enable-acl || enable-xattr)
    • EnableAcl = enable-acl
    • IgnoreSecurityLabels = !enable-acl

client and meta format version matching

why is this needed

If an older version client mounts a newer version of meta format, it will disrupt the synchronization of mode and ACL.

what to be added

Setting the matching versions for the client and meta.

cases

  1. old client <-> new fs without enable-acl, supported
  2. old client <-> new fs with enable-acl, not supported
  • logic of "setattr, getattr, mknod" is not compatible
  • we need to change format's MinClientVersion when config "enable-acl" to true.
  1. new client <-> old fs, supported.
  • two new fields will be added to attr. SQL will sync the table, and KV storage is in []byte format, will ensuring compatibility in encode and decode.
  • also support "enable-acl" for old fs.

storage

what to be added

  • Implement an ACL value sharing mechanism
  • We assume that the number of ACLs should be very limited. Having too many ACLs may indicate issues in the way they are being used, and it may be necessary to optimize them through group settings.
  1. limited acls (ex. 65536)
  • Adding two uint32 variables in the attr to store the index of access ACL and default ACL, enabling quick determination of whether a file/dir has ACL set.
  • ACL value is stored in meta with the key 'acl_[index]'.
    • index will keep increasing
    • unused index will not be removed.
  • Cache all ACL value in memory

test
@jiefenghuang jiefenghuang added the kind/feature New feature or request label Feb 18, 2024
@jiefenghuang jiefenghuang self-assigned this Feb 18, 2024
@jiefenghuang

This comment was marked as resolved.

Sign in to view
This was referenced Feb 23, 2024
Closed
Merged
@jiefenghuang jiefenghuang mentioned this issue Mar 1, 2024
Merged
@jiefenghuang
Copy link
Contributor Author

acl support #4443
acl dump #4490

This was referenced Mar 14, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jiefenghuang jiefenghuang

Labels
kind/feature New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

doc: add acl user guide jiefenghuang/juicefs
1 participant
@jiefenghuang