POSIX ACL support for NFSV4 (using sideband protocol)

POSIX ACL support for NFSV4 (using sideband protocol)

[Aneesh Kumar K.V]

This patch series implement POSIX ACL support for NFSV4 clients
using sideband protocol. The ACL support can be disabled/enabled
using -o noacl/-o acl mount option. The feature enables to
view and  modify POSIX acls from NFSv4 client.

-aneesh

[RFC PATCH 1/8] nfs4: Posix acl server side side-band protocol support

[Aneesh Kumar K.V]

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
---
 fs/nfsd/Kconfig           |    6 +
 fs/nfsd/Makefile          |    1 +
 fs/nfsd/nfs4pacl.c        |  322 +++++++++++++++++++++++++++++++++++++++++++++
 fs/nfsd/nfssvc.c          |   11 +-
 include/linux/nfsd/nfsd.h |    7 +-
 5 files changed, 341 insertions(+), 6 deletions(-)
 create mode 100644 fs/nfsd/nfs4pacl.c

diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
index 503b9da..1156ae8 100644
--- a/fs/nfsd/Kconfig
+++ b/fs/nfsd/Kconfig
@@ -79,3 +79,9 @@ config NFSD_V4
 	  available from http://linux-nfs.org/.
 
 	  If unsure, say N.
+
+config NFSD_V4_PACL
+	bool "NFS server support for the NFSv4 POSIX ACL protocol extension"
+	depends on NFSD_V4
+	help
+	  POSIX ACL sideband protocol extension
diff --git a/fs/nfsd/Makefile b/fs/nfsd/Makefile
index 9b118ee..05b37bb 100644
--- a/fs/nfsd/Makefile
+++ b/fs/nfsd/Makefile
@@ -11,3 +11,4 @@ nfsd-$(CONFIG_NFSD_V3)	+= nfs3proc.o nfs3xdr.o
 nfsd-$(CONFIG_NFSD_V3_ACL) += nfs3acl.o
 nfsd-$(CONFIG_NFSD_V4)	+= nfs4proc.o nfs4xdr.o nfs4state.o nfs4idmap.o \
 			   nfs4acl.o nfs4callback.o nfs4recover.o
+nfsd-$(CONFIG_NFSD_V4_PACL) += nfs4pacl.o
diff --git a/fs/nfsd/nfs4pacl.c b/fs/nfsd/nfs4pacl.c
new file mode 100644
index 0000000..42d706a
--- /dev/null
+++ b/fs/nfsd/nfs4pacl.c
@@ -0,0 +1,322 @@
+/*
+ *
+ * Process version NFS4 POSIX ACL requests.
+ *
+ */
+
+#include <linux/sunrpc/svc.h>
+#include <linux/nfs4.h>
+#include <linux/nfsd/nfsd.h>
+#include <linux/nfsd/cache.h>
+#include <linux/posix_acl.h>
+#include <linux/nfsacl.h>
+
+
+#define nfs4svc_decode_voidargs		NULL
+#define nfs4svc_release_void		NULL
+struct nfsd4_voidargs {
+	int dummy;
+};
+#define nfsd4_voidres			nfsd4_voidargs
+
+struct nfsd4_getpaclargs {
+	struct svc_fh           fh;
+	int                     mask;
+};
+struct posix_acl;
+struct nfsd4_setpaclargs {
+	struct svc_fh           fh;
+	int                     mask;
+	struct posix_acl        *acl_access;
+	struct posix_acl        *acl_default;
+};
+struct nfsd4_getpaclres {
+	__be32                  status;
+	struct svc_fh           fh;
+	int                     mask;
+	struct posix_acl        *acl_access;
+	struct posix_acl        *acl_default;
+};
+struct nfsd4_setpaclres {
+	__be32 status;
+	struct svc_fh           fh;
+};
+union nfs4paclstore {
+	struct nfsd4_getpaclargs  gaclargs;
+	struct nfsd4_setpaclargs  saclargs;
+	struct nfsd4_getpaclres   gaclres;
+	struct nfsd4_setpaclres   saclres;
+};
+
+#define NFS4_SVC_ACLXDRSZ    sizeof(union nfs4paclstore)
+
+/*
+ * NULL call.
+ */
+static __be32
+nfsd4_proc_null(struct svc_rqst *rqstp, void *argp, void *resp)
+{
+	return nfs_ok;
+}
+
+/*
+ * Get the Access and/or Default ACL of a file.
+ */
+static __be32 nfsd4_proc_getpacl(struct svc_rqst *rqstp,
+		struct nfsd4_getpaclargs *argp, struct nfsd4_getpaclres *resp)
+{
+	svc_fh *fh;
+	struct posix_acl *acl;
+	__be32 nfserr = 0;
+
+	fh = fh_copy(&resp->fh, &argp->fh);
+	nfserr = fh_verify(rqstp, &resp->fh, 0, NFSD_MAY_NOP);
+	if (nfserr)
+		goto err_out;
+	if (argp->mask & ~(NFS_ACL|NFS_ACLCNT|NFS_DFACL|NFS_DFACLCNT)) {
+		nfserr = nfserr_inval;
+		goto err_out;
+	}
+	resp->mask = argp->mask;
+
+	if (resp->mask & (NFS_ACL|NFS_ACLCNT)) {
+		acl = nfsd_get_posix_acl(fh, ACL_TYPE_ACCESS);
+		if (IS_ERR(acl)) {
+			int err = PTR_ERR(acl);
+
+			if (err == -ENODATA || err == -EOPNOTSUPP)
+				acl = NULL;
+			else {
+				nfserr = nfserrno(err);
+				goto fail;
+			}
+		}
+		if (acl == NULL) {
+			/* Solaris returns the inode's minimum ACL. */
+
+			struct inode *inode = fh->fh_dentry->d_inode;
+			acl = posix_acl_from_mode(inode->i_mode, GFP_KERNEL);
+		}
+		resp->acl_access = acl;
+	}
+	if (resp->mask & (NFS_DFACL|NFS_DFACLCNT)) {
+		/* Check how Solaris handles requests for the Default ACL
+		   of a non-directory! */
+
+		acl = nfsd_get_posix_acl(fh, ACL_TYPE_DEFAULT);
+		if (IS_ERR(acl)) {
+			int err = PTR_ERR(acl);
+
+			if (err == -ENODATA || err == -EOPNOTSUPP)
+				acl = NULL;
+			else {
+				nfserr = nfserrno(err);
+				goto fail;
+			}
+		}
+		resp->acl_default = acl;
+	}
+
+	/*
+	 * resp->acl_{access,default} are released in
+	 * nfs4svc_release_getpacl.
+	 */
+	resp->status  = 0;
+	return 0;
+
+fail:
+	posix_acl_release(resp->acl_access);
+	posix_acl_release(resp->acl_default);
+err_out:
+	resp->status = nfserr;
+	return nfserr;
+}
+
+/*
+ * Set the Access and/or Default ACL of a file.
+ */
+static __be32 nfsd4_proc_setpacl(struct svc_rqst *rqstp,
+		struct nfsd4_setpaclargs *argp,
+		struct nfsd4_setpaclres *resp)
+{
+	svc_fh *fh;
+	__be32 nfserr = 0;
+
+	fh = fh_copy(&resp->fh, &argp->fh);
+	nfserr = fh_verify(rqstp, &resp->fh, 0, NFSD_MAY_SATTR);
+
+	if (!nfserr) {
+		nfserr = nfserrno( nfsd_set_posix_acl(
+			fh, ACL_TYPE_ACCESS, argp->acl_access));
+	}
+	if (!nfserr) {
+		nfserr = nfserrno( nfsd_set_posix_acl(
+			fh, ACL_TYPE_DEFAULT, argp->acl_default));
+	}
+
+	/* argp->acl_{access,default} may have been allocated in
+	   nfs4svc_decode_setpaclargs. */
+	posix_acl_release(argp->acl_access);
+	posix_acl_release(argp->acl_default);
+	resp->status = nfserr;
+	return nfserr;
+}
+
+/*
+ * XDR decode functions
+ */
+__be32 *nfs4svc_decode_fh(__be32 *p, struct svc_fh *fhp)
+{
+	unsigned int size;
+	fh_init(fhp, NFS4_FHSIZE);
+	size = ntohl(*p++);
+	if (size > NFS4_FHSIZE)
+		return NULL;
+
+	memcpy(&fhp->fh_handle.fh_base, p, size);
+	fhp->fh_handle.fh_size = size;
+	return p + XDR_QUADLEN(size);
+}
+static int nfs4svc_decode_getpaclargs(struct svc_rqst *rqstp, __be32 *p,
+		struct nfsd4_getpaclargs *args)
+{
+	p = nfs4svc_decode_fh(p, &args->fh);
+	if (!p)
+		return 0;
+	args->mask = ntohl(*p); p++;
+
+	return xdr_argsize_check(rqstp, p);
+}
+
+
+static int nfs4svc_decode_setpaclargs(struct svc_rqst *rqstp, __be32 *p,
+		struct nfsd4_setpaclargs *args)
+{
+	struct kvec *head = rqstp->rq_arg.head;
+	unsigned int base;
+	int n;
+
+	p = nfs4svc_decode_fh(p, &args->fh);
+	if (!p)
+		return 0;
+	args->mask = ntohl(*p++);
+	if (args->mask & ~(NFS_ACL|NFS_ACLCNT|NFS_DFACL|NFS_DFACLCNT) ||
+	    !xdr_argsize_check(rqstp, p))
+		return 0;
+
+	base = (char *)p - (char *)head->iov_base;
+	n = nfsacl_decode(&rqstp->rq_arg, base, NULL,
+			  (args->mask & NFS_ACL) ?
+			  &args->acl_access : NULL);
+	if (n > 0)
+		n = nfsacl_decode(&rqstp->rq_arg, base + n, NULL,
+				  (args->mask & NFS_DFACL) ?
+				  &args->acl_default : NULL);
+	return (n > 0);
+}
+
+/*
+ * XDR encode functions
+ */
+extern int nfs4svc_encode_voidres(struct svc_rqst *rqstp,
+				__be32 *p, void *dummy);
+
+/* GETPACL */
+static int nfs4svc_encode_getpaclres(struct svc_rqst *rqstp, __be32 *p,
+		struct nfsd4_getpaclres *resp)
+{
+	struct dentry *dentry = resp->fh.fh_dentry;
+
+	if (resp->status == 0 && dentry && dentry->d_inode) {
+		struct inode *inode = dentry->d_inode;
+		struct kvec *head = rqstp->rq_res.head;
+		unsigned int base;
+		int n;
+		int w;
+
+		*p++ = htonl(resp->mask);
+		if (!xdr_ressize_check(rqstp, p))
+			return 0;
+		base = (char *)p - (char *)head->iov_base;
+
+		rqstp->rq_res.page_len = w = nfsacl_size(
+			(resp->mask & NFS_ACL)   ? resp->acl_access  : NULL,
+			(resp->mask & NFS_DFACL) ? resp->acl_default : NULL);
+		while (w > 0) {
+			if (!rqstp->rq_respages[rqstp->rq_resused++])
+				return 0;
+			w -= PAGE_SIZE;
+		}
+
+		n = nfsacl_encode(&rqstp->rq_res, base, inode,
+				  resp->acl_access,
+				  resp->mask & NFS_ACL, 0);
+		if (n > 0)
+			n = nfsacl_encode(&rqstp->rq_res, base + n, inode,
+					  resp->acl_default,
+					  resp->mask & NFS_DFACL,
+					  NFS_ACL_DEFAULT);
+		if (n <= 0)
+			return 0;
+	} else
+		if (!xdr_ressize_check(rqstp, p))
+			return 0;
+
+	return 1;
+}
+
+/* SETPACL */
+static int nfs4svc_encode_setpaclres(struct svc_rqst *rqstp, __be32 *p,
+		struct nfsd4_setpaclres *resp)
+{
+	return xdr_ressize_check(rqstp, p);
+}
+
+/*
+ * XDR release functions
+ */
+static int nfs4svc_release_getpacl(struct svc_rqst *rqstp, __be32 *p,
+		struct nfsd4_getpaclres *resp)
+{
+	fh_put(&resp->fh);
+	posix_acl_release(resp->acl_access);
+	posix_acl_release(resp->acl_default);
+	return 1;
+}
+
+static int nfs4svc_release_setpacl(struct svc_rqst *rqstp, __be32 *p,
+			struct nfsd4_setpaclres *resp)
+{
+	fh_put(&resp->fh);
+	return 1;
+}
+
+#define PROC(name, argt, rest, relt, cache, respsize)	\
+ { (svc_procfunc) nfsd4_proc_##name,		\
+   (kxdrproc_t) nfs4svc_decode_##argt##args,	\
+   (kxdrproc_t) nfs4svc_encode_##rest##res,	\
+   (kxdrproc_t) nfs4svc_release_##relt,		\
+   sizeof(struct nfsd4_##argt##args),		\
+   sizeof(struct nfsd4_##rest##res),		\
+   0,						\
+   cache,					\
+   respsize,					\
+ }
+
+#define ST 1		/* status*/
+#define ACL (1+NFS_ACL_MAX_ENTRIES*3)  /* Access Control List */
+
+static struct svc_procedure		nfsd_pacl_procedures4[] = {
+  PROC(null,	void,		void,		void,	  RC_NOCACHE, ST),
+  PROC(getpacl,	getpacl,	getpacl,	getpacl,	  RC_NOCACHE, ST+1+2*(1+ACL)),
+  PROC(setpacl,	setpacl,	setpacl,	setpacl,   RC_NOCACHE, ST),
+};
+
+struct svc_version nfsd_pacl_version4 = {
+		.vs_vers	= 4,
+		.vs_nproc	= 3,
+		.vs_proc	= nfsd_pacl_procedures4,
+		.vs_dispatch	= nfsd_dispatch,
+		.vs_xdrsize	= NFS4_SVC_ACLXDRSZ,
+		.vs_hidden	= 1,
+};
diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
index 492c79b..e970a60 100644
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -66,11 +66,12 @@ struct timeval			nfssvc_boot;
 DEFINE_MUTEX(nfsd_mutex);
 struct svc_serv 		*nfsd_serv;
 
-#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL)
+#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL) || defined(CONFIG_NFSD_V4_PACL)
 static struct svc_stat	nfsd_acl_svcstats;
 static struct svc_version *	nfsd_acl_version[] = {
 	[2] = &nfsd_acl_version2,
 	[3] = &nfsd_acl_version3,
+	[4] = &nfsd_pacl_version4,
 };
 
 #define NFSD_ACL_MINVERS            2
@@ -107,7 +108,7 @@ static struct svc_version *	nfsd_version[] = {
 static struct svc_version *nfsd_versions[NFSD_NRVERS];
 
 struct svc_program		nfsd_program = {
-#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL)
+#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL) || defined(CONFIG_NFSD_V4_PACL)
 	.pg_next		= &nfsd_acl_program,
 #endif
 	.pg_prog		= NFS_PROGRAM,		/* program number */
@@ -129,14 +130,14 @@ int nfsd_vers(int vers, enum vers_op change)
 	switch(change) {
 	case NFSD_SET:
 		nfsd_versions[vers] = nfsd_version[vers];
-#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL)
+#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL) || defined(CONFIG_NFSD_V4_PACL)
 		if (vers < NFSD_ACL_NRVERS)
 			nfsd_acl_versions[vers] = nfsd_acl_version[vers];
 #endif
 		break;
 	case NFSD_CLEAR:
 		nfsd_versions[vers] = NULL;
-#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL)
+#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL) || defined(CONFIG_NFSD_V4_PACL)
 		if (vers < NFSD_ACL_NRVERS)
 			nfsd_acl_versions[vers] = NULL;
 #endif
@@ -213,7 +214,7 @@ void nfsd_reset_versions(void)
 	if (!found_one) {
 		for (i = NFSD_MINVERS; i < NFSD_NRVERS; i++)
 			nfsd_program.pg_vers[i] = nfsd_version[i];
-#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL)
+#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL) || defined(CONFIG_NFSD_V4_PACL)
 		for (i = NFSD_ACL_MINVERS; i < NFSD_ACL_NRVERS; i++)
 			nfsd_acl_program.pg_vers[i] =
 				nfsd_acl_version[i];
diff --git a/include/linux/nfsd/nfsd.h b/include/linux/nfsd/nfsd.h
index 2b49d67..d9263b6 100644
--- a/include/linux/nfsd/nfsd.h
+++ b/include/linux/nfsd/nfsd.h
@@ -133,7 +133,7 @@ __be32		nfsd_permission(struct svc_rqst *, struct svc_export *,
 				struct dentry *, int);
 int		nfsd_sync_dir(struct dentry *dp);
 
-#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL)
+#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL) || defined(CONFIG_NFSD_V4_PACL)
 #ifdef CONFIG_NFSD_V2_ACL
 extern struct svc_version nfsd_acl_version2;
 #else
@@ -144,6 +144,11 @@ extern struct svc_version nfsd_acl_version3;
 #else
 #define nfsd_acl_version3 NULL
 #endif
+#ifdef CONFIG_NFSD_V4_PACL
+extern struct svc_version nfsd_pacl_version4;
+#else
+#define nfsd_pacl_version4 NULL
+#endif
 struct posix_acl *nfsd_get_posix_acl(struct svc_fh *, int);
 int nfsd_set_posix_acl(struct svc_fh *, int, struct posix_acl *);
 #endif
-- 
1.6.4.2.253.g0b1fac

[RFC PATCH 2/8] nfsv4: Switch to generic xattr handling code

[Aneesh Kumar K.V]

This patch make nfsv4 use the generic xattr handling code
to get the nfsv4 acl. This will help us to add posix acl
support to nfsv4 in later patches

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
---
 fs/nfs/dir.c      |    9 +++++--
 fs/nfs/nfs4_fs.h  |    6 -----
 fs/nfs/nfs4proc.c |   57 ++++++++++++++++++++++++++++++----------------------
 fs/nfs/super.c    |    3 ++
 4 files changed, 42 insertions(+), 33 deletions(-)

diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 32062c3..f9278a2 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -33,6 +33,8 @@
 #include <linux/namei.h>
 #include <linux/mount.h>
 #include <linux/sched.h>
+#include <linux/xattr.h>
+
 
 #include "nfs4_fs.h"
 #include "delegation.h"
@@ -117,9 +119,10 @@ const struct inode_operations nfs4_dir_inode_operations = {
 	.permission	= nfs_permission,
 	.getattr	= nfs_getattr,
 	.setattr	= nfs_setattr,
-	.getxattr       = nfs4_getxattr,
-	.setxattr       = nfs4_setxattr,
-	.listxattr      = nfs4_listxattr,
+	.getxattr	= generic_getxattr,
+	.setxattr	= generic_setxattr,
+	.listxattr	= generic_listxattr,
+	.removexattr	= generic_removexattr,
 };
 
 #endif /* CONFIG_NFS_V4 */
diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h
index 6ea07a3..c9869f5 100644
--- a/fs/nfs/nfs4_fs.h
+++ b/fs/nfs/nfs4_fs.h
@@ -191,12 +191,6 @@ struct nfs4_state_maintenance_ops {
 extern const struct dentry_operations nfs4_dentry_operations;
 extern const struct inode_operations nfs4_dir_inode_operations;
 
-/* inode.c */
-extern ssize_t nfs4_getxattr(struct dentry *, const char *, void *, size_t);
-extern int nfs4_setxattr(struct dentry *, const char *, const void *, size_t, int);
-extern ssize_t nfs4_listxattr(struct dentry *, char *, size_t);
-
-
 /* nfs4proc.c */
 extern int nfs4_proc_setclientid(struct nfs_client *, u32, unsigned short, struct rpc_cred *);
 extern int nfs4_proc_setclientid_confirm(struct nfs_client *, struct rpc_cred *);
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 6917311..fa60261 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -49,6 +49,7 @@
 #include <linux/mount.h>
 #include <linux/module.h>
 #include <linux/sunrpc/bc_xprt.h>
+#include <linux/xattr.h>
 
 #include "nfs4_fs.h"
 #include "delegation.h"
@@ -4172,42 +4173,37 @@ out:
 
 #define XATTR_NAME_NFSV4_ACL "system.nfs4_acl"
 
-int nfs4_setxattr(struct dentry *dentry, const char *key, const void *buf,
-		size_t buflen, int flags)
+static int nfs4_xattr_set_nfs4_acl(struct inode *inode, const char *key,
+			const void *buf, size_t buflen, int flags)
 {
-	struct inode *inode = dentry->d_inode;
-
-	if (strcmp(key, XATTR_NAME_NFSV4_ACL) != 0)
-		return -EOPNOTSUPP;
+	if (strcmp(key, "") != 0)
+		return -EINVAL;
 
 	return nfs4_proc_set_acl(inode, buf, buflen);
 }
 
-/* The getxattr man page suggests returning -ENODATA for unknown attributes,
- * and that's what we'll do for e.g. user attributes that haven't been set.
- * But we'll follow ext2/ext3's lead by returning -EOPNOTSUPP for unsupported
- * attributes in kernel-managed attribute namespaces. */
-ssize_t nfs4_getxattr(struct dentry *dentry, const char *key, void *buf,
-		size_t buflen)
+static int nfs4_xattr_get_nfs4_acl(struct inode *inode, const char *key,
+				void *buf, size_t buflen)
 {
-	struct inode *inode = dentry->d_inode;
-
-	if (strcmp(key, XATTR_NAME_NFSV4_ACL) != 0)
-		return -EOPNOTSUPP;
+	if (strcmp(key, "") != 0)
+		return -EINVAL;
 
 	return nfs4_proc_get_acl(inode, buf, buflen);
 }
 
-ssize_t nfs4_listxattr(struct dentry *dentry, char *buf, size_t buflen)
+static size_t nfs4_xattr_list_nfs4_acl(struct inode *inode, char *list,
+				size_t list_len, const char *name,
+				size_t name_len)
 {
 	size_t len = strlen(XATTR_NAME_NFSV4_ACL) + 1;
 
-	if (!nfs4_server_supports_acls(NFS_SERVER(dentry->d_inode)))
+	if (!nfs4_server_supports_acls(NFS_SERVER(inode)))
 		return 0;
-	if (buf && buflen < len)
+
+	if (list && len <= list_len)
+		memcpy(list, XATTR_NAME_NFSV4_ACL, len);
+	else
 		return -ERANGE;
-	if (buf)
-		memcpy(buf, XATTR_NAME_NFSV4_ACL, len);
 	return len;
 }
 
@@ -4988,9 +4984,10 @@ static const struct inode_operations nfs4_file_inode_operations = {
 	.permission	= nfs_permission,
 	.getattr	= nfs_getattr,
 	.setattr	= nfs_setattr,
-	.getxattr	= nfs4_getxattr,
-	.setxattr	= nfs4_setxattr,
-	.listxattr	= nfs4_listxattr,
+	.getxattr	= generic_getxattr,
+	.setxattr	= generic_setxattr,
+	.listxattr	= generic_listxattr,
+	.removexattr	= generic_removexattr,
 };
 
 const struct nfs_rpc_ops nfs_v4_clientops = {
@@ -5032,6 +5029,18 @@ const struct nfs_rpc_ops nfs_v4_clientops = {
 	.close_context  = nfs4_close_context,
 };
 
+struct xattr_handler nfs4_xattr_nfs4_acl_handler = {
+	.prefix	= XATTR_NAME_NFSV4_ACL,
+	.list	= nfs4_xattr_list_nfs4_acl,
+	.get	= nfs4_xattr_get_nfs4_acl,
+	.set	= nfs4_xattr_set_nfs4_acl,
+};
+
+struct xattr_handler *nfs4_xattr_handlers[] = {
+	&nfs4_xattr_nfs4_acl_handler,
+	NULL
+};
+
 /*
  * Local variables:
  *  c-basic-offset: 8
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 0b4cbdc..2f2a5bd 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -242,6 +242,7 @@ static int nfs_xdev_get_sb(struct file_system_type *fs_type,
 		int flags, const char *dev_name, void *raw_data, struct vfsmount *mnt);
 static void nfs_kill_super(struct super_block *);
 static int nfs_remount(struct super_block *sb, int *flags, char *raw_data);
+extern struct xattr_handler *nfs4_xattr_handlers[];
 
 static struct file_system_type nfs_fs_type = {
 	.owner		= THIS_MODULE,
@@ -2299,6 +2300,7 @@ static void nfs4_clone_super(struct super_block *sb,
 	sb->s_maxbytes = old_sb->s_maxbytes;
 	sb->s_time_gran = 1;
 	sb->s_op = old_sb->s_op;
+	sb->s_xattr  = old_sb->s_xattr;
  	nfs_initialise_sb(sb);
 }
 
@@ -2309,6 +2311,7 @@ static void nfs4_fill_super(struct super_block *sb)
 {
 	sb->s_time_gran = 1;
 	sb->s_op = &nfs4_sops;
+	sb->s_xattr = nfs4_xattr_handlers;
 	nfs_initialise_sb(sb);
 }
 
-- 
1.6.4.2.253.g0b1fac

[RFC PATCH 3/8] nfsv4: Add support for posix ACL

[Aneesh Kumar K.V]

Add posix ACL support. This implements POSIX over NFSV4 ACL.

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
---
 fs/nfs/Kconfig    |    6 +++++
 fs/nfs/Makefile   |    1 +
 fs/nfs/nfs4pacl.c |   62 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 fs/nfs/nfs4proc.c |    7 +++++-
 4 files changed, 75 insertions(+), 1 deletions(-)
 create mode 100644 fs/nfs/nfs4pacl.c

diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
index 2a77bc2..744ea00 100644
--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -101,3 +101,9 @@ config NFS_FSCACHE
 	help
 	  Say Y here if you want NFS data to be cached locally on disc through
 	  the general filesystem cache manager
+
+config NFS4_FS_POSIX_ACL
+       bool "NFS client support for NFSV4 posix acl support"
+       depends on NFS_V4
+       help
+         This option enables support for modifying POSIX ACL from NFS clients
diff --git a/fs/nfs/Makefile b/fs/nfs/Makefile
index 8451598..f888f5c 100644
--- a/fs/nfs/Makefile
+++ b/fs/nfs/Makefile
@@ -16,3 +16,4 @@ nfs-$(CONFIG_NFS_V4)	+= nfs4proc.o nfs4xdr.o nfs4state.o nfs4renewd.o \
 			   nfs4namespace.o
 nfs-$(CONFIG_SYSCTL) += sysctl.o
 nfs-$(CONFIG_NFS_FSCACHE) += fscache.o fscache-index.o
+nfs-$(CONFIG_NFS4_FS_POSIX_ACL) += nfs4pacl.o
diff --git a/fs/nfs/nfs4pacl.c b/fs/nfs/nfs4pacl.c
new file mode 100644
index 0000000..c1c2b04
--- /dev/null
+++ b/fs/nfs/nfs4pacl.c
@@ -0,0 +1,62 @@
+#include <linux/fs.h>
+#include <linux/nfs.h>
+#include <linux/nfs3.h>
+#include <linux/nfs_fs.h>
+#include <linux/posix_acl_xattr.h>
+#include <linux/nfsacl.h>
+#include <linux/xattr.h>
+
+#include "internal.h"
+
+static size_t nfs4_xattr_list_pacl_default(struct inode *inode, char *list,
+				size_t list_len, const char *name,
+				size_t name_len)
+{
+	return 0;
+}
+
+static int nfs4_xattr_get_pacl_default(struct inode *inode, const char *key,
+				void *buf, size_t buflen)
+{
+	return -EOPNOTSUPP;
+}
+
+static int nfs4_xattr_set_pacl_default(struct inode *inode, const char *key,
+			const void *buf, size_t buflen, int flags)
+{
+	return -EOPNOTSUPP;
+}
+
+struct xattr_handler nfs4_xattr_pacl_default_handler = {
+	.prefix	= POSIX_ACL_XATTR_DEFAULT,
+	.list	= nfs4_xattr_list_pacl_default,
+	.get	= nfs4_xattr_get_pacl_default,
+	.set	= nfs4_xattr_set_pacl_default,
+};
+
+static size_t nfs4_xattr_list_pacl_access(struct inode *inode, char *list,
+				size_t list_len, const char *name,
+				size_t name_len)
+{
+	return 0;
+}
+
+static int nfs4_xattr_get_pacl_access(struct inode *inode, const char *key,
+				void *buf, size_t buflen)
+{
+	return -EOPNOTSUPP;
+}
+
+static int nfs4_xattr_set_pacl_access(struct inode *inode, const char *key,
+			const void *buf, size_t buflen, int flags)
+{
+	return -EOPNOTSUPP;
+}
+
+
+struct xattr_handler nfs4_xattr_pacl_access_handler = {
+	.prefix	= POSIX_ACL_XATTR_ACCESS,
+	.list	= nfs4_xattr_list_pacl_access,
+	.get	= nfs4_xattr_get_pacl_access,
+	.set	= nfs4_xattr_set_pacl_access,
+};
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index fa60261..eb93426 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -5035,9 +5035,14 @@ struct xattr_handler nfs4_xattr_nfs4_acl_handler = {
 	.get	= nfs4_xattr_get_nfs4_acl,
 	.set	= nfs4_xattr_set_nfs4_acl,
 };
-
+extern struct xattr_handler nfs4_xattr_pacl_access_handler;
+extern struct xattr_handler nfs4_xattr_pacl_default_handler;
 struct xattr_handler *nfs4_xattr_handlers[] = {
 	&nfs4_xattr_nfs4_acl_handler,
+#ifdef CONFIG_NFS4_FS_POSIX_ACL
+	&nfs4_xattr_pacl_access_handler,
+	&nfs4_xattr_pacl_default_handler,
+#endif
 	NULL
 };
 
-- 
1.6.4.2.253.g0b1fac

[RFC PATCH 4/8] nfs: use different capability flag for v4 and posix acl

[Aneesh Kumar K.V]

NVFSv4 can now support V4 acl and posix ACL. Use different
flag indicate the capability

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
---
 fs/nfs/client.c           |    6 +++---
 fs/nfs/nfs3acl.c          |    8 ++++----
 fs/nfs/nfs4proc.c         |    4 ++--
 fs/nfs/super.c            |    2 +-
 include/linux/nfs_fs_sb.h |    4 ++--
 5 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 8d25ccb..ea3a6b7 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -685,17 +685,17 @@ static void nfs_init_server_aclclient(struct nfs_server *server)
 		goto out_noacl;
 
 	/* No errors! Assume that Sun nfsacls are supported */
-	server->caps |= NFS_CAP_ACLS;
+	server->caps |= NFS_CAP_PACLS;
 	return;
 
 out_noacl:
-	server->caps &= ~NFS_CAP_ACLS;
+	server->caps &= ~NFS_CAP_PACLS;
 }
 #else
 static inline void nfs_init_server_aclclient(struct nfs_server *server)
 {
 	server->flags &= ~NFS_MOUNT_NOACL;
-	server->caps &= ~NFS_CAP_ACLS;
+	server->caps &= ~NFS_CAP_PACLS;
 }
 #endif
 
diff --git a/fs/nfs/nfs3acl.c b/fs/nfs/nfs3acl.c
index bac6051..963b5d6 100644
--- a/fs/nfs/nfs3acl.c
+++ b/fs/nfs/nfs3acl.c
@@ -201,7 +201,7 @@ struct posix_acl *nfs3_proc_getacl(struct inode *inode, int type)
 	struct posix_acl *acl;
 	int status, count;
 
-	if (!nfs_server_capable(inode, NFS_CAP_ACLS))
+	if (!nfs_server_capable(inode, NFS_CAP_PACLS))
 		return ERR_PTR(-EOPNOTSUPP);
 
 	status = nfs_revalidate_inode(server, inode);
@@ -242,7 +242,7 @@ struct posix_acl *nfs3_proc_getacl(struct inode *inode, int type)
 		case -EPFNOSUPPORT:
 		case -EPROTONOSUPPORT:
 			dprintk("NFS_V3_ACL extension not supported; disabling\n");
-			server->caps &= ~NFS_CAP_ACLS;
+			server->caps &= ~NFS_CAP_PACLS;
 		case -ENOTSUPP:
 			status = -EOPNOTSUPP;
 		default:
@@ -304,7 +304,7 @@ static int nfs3_proc_setacls(struct inode *inode, struct posix_acl *acl,
 	int status;
 
 	status = -EOPNOTSUPP;
-	if (!nfs_server_capable(inode, NFS_CAP_ACLS))
+	if (!nfs_server_capable(inode, NFS_CAP_PACLS))
 		goto out;
 
 	/* We are doing this here, because XDR marshalling can only
@@ -350,7 +350,7 @@ static int nfs3_proc_setacls(struct inode *inode, struct posix_acl *acl,
 		case -EPROTONOSUPPORT:
 			dprintk("NFS_V3_ACL SETACL RPC not supported"
 					"(will not retry)\n");
-			server->caps &= ~NFS_CAP_ACLS;
+			server->caps &= ~NFS_CAP_PACLS;
 		case -ENOTSUPP:
 			status = -EOPNOTSUPP;
 	}
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index eb93426..2c71885 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -1999,7 +1999,7 @@ static int _nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *f
 	if (status == 0) {
 		memcpy(server->attr_bitmask, res.attr_bitmask, sizeof(server->attr_bitmask));
 		if (res.attr_bitmask[0] & FATTR4_WORD0_ACL)
-			server->caps |= NFS_CAP_ACLS;
+			server->caps |= NFS_CAP_V4ACLS;
 		if (res.has_links != 0)
 			server->caps |= NFS_CAP_HARDLINKS;
 		if (res.has_symlinks != 0)
@@ -3077,7 +3077,7 @@ int nfs4_proc_renew(struct nfs_client *clp, struct rpc_cred *cred)
 
 static inline int nfs4_server_supports_acls(struct nfs_server *server)
 {
-	return (server->caps & NFS_CAP_ACLS)
+	return (server->caps & NFS_CAP_V4ACLS)
 		&& (server->acl_bitmask & ACL4_SUPPORT_ALLOW_ACL)
 		&& (server->acl_bitmask & ACL4_SUPPORT_DENY_ACL);
 }
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 2f2a5bd..abe9251 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2317,7 +2317,7 @@ static void nfs4_fill_super(struct super_block *sb)
 
 static void nfs4_validate_mount_flags(struct nfs_parsed_mount_data *args)
 {
-	args->flags &= ~(NFS_MOUNT_NONLM|NFS_MOUNT_NOACL|NFS_MOUNT_VER3);
+	args->flags &= ~(NFS_MOUNT_NONLM|NFS_CAP_V4ACLS|NFS_MOUNT_VER3);
 }
 
 /*
diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
index 19fe15d..2837ce3 100644
--- a/include/linux/nfs_fs_sb.h
+++ b/include/linux/nfs_fs_sb.h
@@ -165,9 +165,9 @@ struct nfs_server {
 #define NFS_CAP_READDIRPLUS	(1U << 0)
 #define NFS_CAP_HARDLINKS	(1U << 1)
 #define NFS_CAP_SYMLINKS	(1U << 2)
-#define NFS_CAP_ACLS		(1U << 3)
+#define NFS_CAP_PACLS		(1U << 3)
 #define NFS_CAP_ATOMIC_OPEN	(1U << 4)
-
+#define NFS_CAP_V4ACLS		(1U << 8)
 
 /* maximum number of slots to use */
 #define NFS4_MAX_SLOT_TABLE RPC_MAX_SLOT_TABLE
-- 
1.6.4.2.253.g0b1fac

[RFC PATCH 5/8] nfsv4: Add nfsv4 rpc client side support

[Aneesh Kumar K.V]

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
---
 fs/nfs/client.c         |   32 +++++++----
 fs/nfs/nfs4xdr.c        |  149 +++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/nfs_xdr.h |   25 ++++++++
 include/linux/nfsacl.h  |    2 +
 4 files changed, 197 insertions(+), 11 deletions(-)

diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index ea3a6b7..31f4a0b 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -81,11 +81,15 @@ struct rpc_stat nfs_rpcstat = {
 	.program		= &nfs_program
 };
 
-
-#ifdef CONFIG_NFS_V3_ACL
+#if defined(CONFIG_NFS_V3_ACL) || defined(CONFIG_NFS4_FS_POSIX_ACL)
 static struct rpc_stat		nfsacl_rpcstat = { &nfsacl_program };
 static struct rpc_version *	nfsacl_version[] = {
+#ifdef CONFIG_NFS_V3_ACL
 	[3]			= &nfsacl_version3,
+#endif
+#ifdef CONFIG_NFS4_FS_POSIX_ACL
+	[4]			= &nfspacl_version4,
+#endif
 };
 
 struct rpc_program		nfsacl_program = {
@@ -670,17 +674,18 @@ static int nfs_start_lockd(struct nfs_server *server)
 }
 
 /*
- * Initialise an NFSv3 ACL client connection
+ * Initialise an NFSv3/NFSv4 ACL client connection
  */
-#ifdef CONFIG_NFS_V3_ACL
-static void nfs_init_server_aclclient(struct nfs_server *server)
+#if defined(CONFIG_NFS_V3_ACL) ||  defined(CONFIG_NFS4_FS_POSIX_ACL)
+static void nfs_init_server_aclclient(struct nfs_server *server, int version)
 {
-	if (server->nfs_client->rpc_ops->version != 3)
+	if (server->nfs_client->rpc_ops->version != version)
 		goto out_noacl;
 	if (server->flags & NFS_MOUNT_NOACL)
 		goto out_noacl;
 
-	server->client_acl = rpc_bind_new_program(server->client, &nfsacl_program, 3);
+	server->client_acl = rpc_bind_new_program(server->client,
+						&nfsacl_program, version);
 	if (IS_ERR(server->client_acl))
 		goto out_noacl;
 
@@ -692,7 +697,8 @@ out_noacl:
 	server->caps &= ~NFS_CAP_PACLS;
 }
 #else
-static inline void nfs_init_server_aclclient(struct nfs_server *server)
+static inline void nfs_init_server_aclclient(struct nfs_server *server,
+					int version)
 {
 	server->flags &= ~NFS_MOUNT_NOACL;
 	server->caps &= ~NFS_CAP_PACLS;
@@ -843,7 +849,7 @@ static int nfs_init_server(struct nfs_server *server,
 
 	server->namelen  = data->namlen;
 	/* Create a client RPC handle for the NFSv3 ACL management interface */
-	nfs_init_server_aclclient(server);
+	nfs_init_server_aclclient(server, 3);
 	dprintk("<-- nfs_init_server() = 0 [new %p]\n", clp);
 	return 0;
 
@@ -1303,7 +1309,10 @@ static int nfs4_init_server(struct nfs_server *server,
 	server->port = data->nfs_server.port;
 
 	error = nfs_init_server_rpcclient(server, &timeparms, data->auth_flavors[0]);
-
+	if (error < 0)
+		goto error;
+	/* Create a client RPC handle for the NFSv4 ACL management interface */
+	nfs_init_server_aclclient(server, 4);
 error:
 	/* Done */
 	dprintk("<-- nfs4_init_server() = %d\n", error);
@@ -1490,7 +1499,8 @@ struct nfs_server *nfs_clone_server(struct nfs_server *source,
 	if (error < 0)
 		goto out_free_server;
 	if (!IS_ERR(source->client_acl))
-		nfs_init_server_aclclient(server);
+		nfs_init_server_aclclient(server,
+					source->nfs_client->rpc_ops->version);
 
 	/* probe the filesystem info for this server filesystem */
 	error = nfs_probe_fsinfo(server, fh, &fattr_fsinfo);
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index 617273e..eac604e 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -5502,8 +5502,157 @@ struct rpc_version		nfs_version4 = {
 	.procs			= nfs4_procedures
 };
 
+#ifdef CONFIG_NFS4_FS_POSIX_ACL
+
+#define NFS4_fh_sz            (1 + (NFS4_FHSIZE >> 2))
+#define NFS4_getpaclargs_sz   (NFS4_fh_sz + 1)
+#define NFS4_setpaclargs_sz   (NFS4_fh_sz + 1 + XDR_QUADLEN(NFS_ACL_INLINE_BUFSIZE))
+#define NFS4_getpaclres_sz    (1 + 1 + XDR_QUADLEN(NFS_ACL_INLINE_BUFSIZE))
+#define NFS4_setpaclres_sz    (1)
+
+/*
+ * Encode GETACL arguments
+ */
+static inline __be32 *
+nfs4_xdr_encode_fhandle(__be32 *p, const struct nfs_fh *fh)
+{
+	return xdr_encode_array(p, fh->data, fh->size);
+}
+
+static int
+nfs4_xdr_getpaclargs(struct rpc_rqst *req, __be32 *p,
+		    struct nfs4_getpaclargs *args)
+{
+	struct rpc_auth	*auth = req->rq_task->tk_msg.rpc_cred->cr_auth;
+	unsigned int replen;
+
+	p = nfs4_xdr_encode_fhandle(p, args->fh);
+	*p++ = htonl(args->mask);
+	req->rq_slen = xdr_adjust_iovec(req->rq_svec, p);
+
+	if (args->mask & (NFS_ACL | NFS_DFACL)) {
+		/* Inline the page array */
+		replen = (RPC_REPHDRSIZE + auth->au_rslack +
+			  NFS4_getpaclres_sz) << 2;
+		xdr_inline_pages(&req->rq_rcv_buf, replen, args->pages, 0,
+				 NFSACL_MAXPAGES << PAGE_SHIFT);
+	}
+	return 0;
+}
+
+/*
+ * Encode SETACL arguments
+ */
+static int
+nfs4_xdr_setpaclargs(struct rpc_rqst *req, __be32 *p,
+		struct nfs4_setpaclargs *args)
+{
+	struct xdr_buf *buf = &req->rq_snd_buf;
+	unsigned int base;
+	int err;
+
+	p = nfs4_xdr_encode_fhandle(p, NFS_FH(args->inode));
+	*p++ = htonl(args->mask);
+	req->rq_slen = xdr_adjust_iovec(req->rq_svec, p);
+	base = req->rq_slen;
+
+	if (args->npages != 0)
+		xdr_encode_pages(buf, args->pages, 0, args->len);
+	else
+		req->rq_slen = xdr_adjust_iovec(req->rq_svec,
+				p + XDR_QUADLEN(args->len));
+
+	err = nfsacl_encode(buf, base, args->inode,
+			    (args->mask & NFS_ACL) ?
+			    args->acl_access : NULL, 1, 0);
+	if (err > 0)
+		err = nfsacl_encode(buf, base + err, args->inode,
+				    (args->mask & NFS_DFACL) ?
+				    args->acl_default : NULL, 1,
+				    NFS_ACL_DEFAULT);
+	return (err > 0) ? 0 : err;
+}
+
+/*
+ * Decode GETACL reply
+ */
+static int
+nfs4_xdr_getpaclres(struct rpc_rqst *req, __be32 *p,
+		   struct nfs4_getpaclres *res)
+{
+	struct xdr_buf *buf = &req->rq_rcv_buf;
+	int status = ntohl(*p++);
+	struct posix_acl **acl;
+	unsigned int *aclcnt;
+	int err, base;
+
+	if (status != 0)
+		return nfs4_stat_to_errno(status);
+	res->mask = ntohl(*p++);
+	if (res->mask & ~(NFS_ACL|NFS_ACLCNT|NFS_DFACL|NFS_DFACLCNT))
+		return -EINVAL;
+	base = (char *)p - (char *)req->rq_rcv_buf.head->iov_base;
+
+	acl = (res->mask & NFS_ACL) ? &res->acl_access : NULL;
+	aclcnt = (res->mask & NFS_ACLCNT) ? &res->acl_access_count : NULL;
+	err = nfsacl_decode(buf, base, aclcnt, acl);
+
+	acl = (res->mask & NFS_DFACL) ? &res->acl_default : NULL;
+	aclcnt = (res->mask & NFS_DFACLCNT) ? &res->acl_default_count : NULL;
+	if (err > 0)
+		err = nfsacl_decode(buf, base + err, aclcnt, acl);
+	return (err > 0) ? 0 : err;
+}
+
+/*
+ * Decode setacl reply.
+ */
+static int
+nfs4_xdr_setpaclres(struct rpc_rqst *req, __be32 *p, void *dummy)
+{
+	int status = ntohl(*p++);
+
+	if (status)
+		return nfs4_stat_to_errno(status);
+	return 0;
+}
+
+static struct rpc_procinfo nfs4_pacl_procedures[] = {
+	[NFSPROC4_CLNT_GETPACL] = {
+		.p_proc = NFSPROC4_CLNT_GETPACL,
+		.p_encode = (kxdrproc_t) nfs4_xdr_getpaclargs,
+		.p_decode = (kxdrproc_t) nfs4_xdr_getpaclres,
+		.p_arglen = NFS4_getpaclargs_sz,
+		.p_replen = NFS4_getpaclres_sz,
+		.p_statidx = NFSPROC4_CLNT_GETPACL,
+		.p_timer = 1,
+		.p_name = "GETPACL",
+	},
+	[NFSPROC4_CLNT_SETPACL] = {
+		.p_proc = NFSPROC4_CLNT_SETPACL,
+		.p_encode = (kxdrproc_t) nfs4_xdr_setpaclargs,
+		.p_decode = (kxdrproc_t) nfs4_xdr_setpaclres,
+		.p_arglen = NFS4_setpaclargs_sz,
+		.p_replen = NFS4_setpaclres_sz,
+		.p_statidx = NFSPROC4_CLNT_SETPACL,
+		.p_timer = 0,
+		.p_name = "SETPACL",
+	},
+};
+
+struct rpc_version		nfspacl_version4 = {
+	.number			= 4,
+	.nrprocs		= sizeof(nfs4_pacl_procedures)/
+				  sizeof(nfs4_pacl_procedures[0]),
+	.procs			= nfs4_pacl_procedures,
+};
+#endif  /* CONFIG_NFS4_FS_POSIX_ACL */
+
 /*
  * Local variables:
  *  c-basic-offset: 8
  * End:
  */
+
+/*  LocalWords:  nfs
+ */
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
index 62f63fb..39acac6 100644
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -886,6 +886,30 @@ struct nfs4_fs_locations_res {
 	struct nfs4_sequence_res	seq_res;
 };
 
+struct nfs4_getpaclargs {
+	struct nfs_fh		*fh;
+	int			mask;
+	struct page		**pages;
+};
+
+struct nfs4_setpaclargs {
+	struct inode		*inode;
+	int			mask;
+	struct posix_acl	*acl_access;
+	struct posix_acl	*acl_default;
+	size_t			len;
+	unsigned int		npages;
+	struct page		**pages;
+};
+
+struct nfs4_getpaclres {
+	int			mask;
+	unsigned int		acl_access_count;
+	unsigned int		acl_default_count;
+	struct posix_acl	*acl_access;
+	struct posix_acl	*acl_default;
+};
+
 #endif /* CONFIG_NFS_V4 */
 
 struct nfstime4 {
@@ -1061,5 +1085,6 @@ extern struct rpc_version	nfs_version4;
 
 extern struct rpc_version	nfsacl_version3;
 extern struct rpc_program	nfsacl_program;
+extern struct rpc_version	nfspacl_version4;
 
 #endif
diff --git a/include/linux/nfsacl.h b/include/linux/nfsacl.h
index 43011b6..15ffa58 100644
--- a/include/linux/nfsacl.h
+++ b/include/linux/nfsacl.h
@@ -16,6 +16,8 @@
 #define ACLPROC3_GETACL		1
 #define ACLPROC3_SETACL		2
 
+#define NFSPROC4_CLNT_GETPACL   1
+#define NFSPROC4_CLNT_SETPACL   2
 
 /* Flags for the getacl/setacl mode */
 #define NFS_ACL			0x0001
-- 
1.6.4.2.253.g0b1fac

[RFC PATCH 6/8] nfsv4: Implement posix listxattr

[Aneesh Kumar K.V]

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
---
 fs/nfs/nfs4pacl.c |  141 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 fs/nfs/nfs4proc.c |    4 ++
 2 files changed, 142 insertions(+), 3 deletions(-)

diff --git a/fs/nfs/nfs4pacl.c b/fs/nfs/nfs4pacl.c
index c1c2b04..162f4c5 100644
--- a/fs/nfs/nfs4pacl.c
+++ b/fs/nfs/nfs4pacl.c
@@ -7,12 +7,132 @@
 #include <linux/xattr.h>
 
 #include "internal.h"
+#define NFSDBG_FACILITY	NFSDBG_PROC
+
+struct posix_acl *nfs4_proc_getacl(struct inode *inode, int type)
+{
+	struct nfs_server *server = NFS_SERVER(inode);
+	struct nfs4_getpaclres res;
+	struct page *pages[NFSACL_MAXPAGES] = { };
+	struct nfs4_getpaclargs args = {
+		.fh = NFS_FH(inode),
+		/* The xdr layer may allocate pages here. */
+		.pages = pages,
+	};
+	struct rpc_message msg = {
+		.rpc_argp	= &args,
+		.rpc_resp	= &res,
+	};
+	struct posix_acl *acl;
+	int status, count;
+
+	memset(&res, 0, sizeof(struct nfs4_getpaclres));
+	if (!nfs_server_capable(inode, NFS_CAP_PACLS))
+		return ERR_PTR(-EOPNOTSUPP);
+
+	status = nfs_revalidate_inode(server, inode);
+	if (status < 0)
+		return ERR_PTR(status);
+	acl  = get_cached_acl(inode, type);
+	if (acl != ACL_NOT_CACHED)
+		return acl;
+	acl = NULL;
+
+	/*
+	 * Only get the access acl when explicitly requested: We don't
+	 * need it for access decisions, and only some applications use
+	 * it. Applications which request the access acl first are not
+	 * penalized from this optimization.
+	 */
+	if (type == ACL_TYPE_ACCESS)
+		args.mask |= NFS_ACLCNT|NFS_ACL;
+	if (S_ISDIR(inode->i_mode))
+		args.mask |= NFS_DFACLCNT|NFS_DFACL;
+	if (args.mask == 0)
+		return NULL;
+
+	dprintk("NFS4 call getacl\n");
+	msg.rpc_proc = &server->client_acl->cl_procinfo[NFSPROC4_CLNT_GETPACL];
+	status = rpc_call_sync(server->client_acl, &msg, 0);
+	dprintk("NFS4 reply getacl: %d\n", status);
+
+	/* pages may have been allocated at the xdr layer. */
+	for (count = 0; count < NFSACL_MAXPAGES && args.pages[count]; count++)
+		__free_page(args.pages[count]);
+
+	switch (status) {
+	case 0:
+		break;
+	case -EPFNOSUPPORT:
+	case -EPROTONOSUPPORT:
+		dprintk("NFS_V4_PACL extension not supported; disabling\n");
+		server->caps &= ~NFS_CAP_PACLS;
+	case -ENOTSUPP:
+		status = -EOPNOTSUPP;
+	default:
+		goto getout;
+	}
+	if ((args.mask & res.mask) != args.mask) {
+		status = -EIO;
+		goto getout;
+	}
+
+	if (res.acl_access != NULL) {
+		if (posix_acl_equiv_mode(res.acl_access, NULL) == 0) {
+			posix_acl_release(res.acl_access);
+			res.acl_access = NULL;
+		}
+	}
+	if (res.mask & NFS_ACL)
+		set_cached_acl(inode, type, res.acl_access);
+	if (res.mask & NFS_DFACL)
+		set_cached_acl(inode, type, res.acl_default);
+
+	switch (type) {
+	case ACL_TYPE_ACCESS:
+		acl = res.acl_access;
+		res.acl_access = NULL;
+		break;
+
+	case ACL_TYPE_DEFAULT:
+		acl = res.acl_default;
+		res.acl_default = NULL;
+	}
+
+getout:
+	posix_acl_release(res.acl_access);
+	posix_acl_release(res.acl_default);
+
+	if (status != 0) {
+		posix_acl_release(acl);
+		acl = ERR_PTR(status);
+	}
+	return acl;
+}
 
 static size_t nfs4_xattr_list_pacl_default(struct inode *inode, char *list,
 				size_t list_len, const char *name,
 				size_t name_len)
 {
-	return 0;
+	int ret = 0;
+	struct posix_acl *acl;
+	size_t len = strlen(POSIX_ACL_XATTR_DEFAULT) + 1;
+
+	if (S_ISDIR(inode->i_mode)) {
+		acl = nfs4_proc_getacl(inode, ACL_TYPE_DEFAULT);
+		if (IS_ERR(acl))
+			return PTR_ERR(acl);
+		if (acl) {
+			if (list && len <= list_len) {
+				memcpy(list, POSIX_ACL_XATTR_DEFAULT, len);
+				ret = len;
+			} else
+				ret = -ERANGE;
+			posix_acl_release(acl);
+		}
+		return ret;
+	}
+	return ret;
 }
 
 static int nfs4_xattr_get_pacl_default(struct inode *inode, const char *key,
@@ -35,10 +155,25 @@ struct xattr_handler nfs4_xattr_pacl_default_handler = {
 };
 
 static size_t nfs4_xattr_list_pacl_access(struct inode *inode, char *list,
-				size_t list_len, const char *name,
+					size_t list_len, const char *name,
 				size_t name_len)
 {
-	return 0;
+	int ret = 0;
+	struct posix_acl *acl;
+	size_t len = strlen(POSIX_ACL_XATTR_ACCESS) + 1;
+
+	acl = nfs4_proc_getacl(inode, ACL_TYPE_ACCESS);
+	if (IS_ERR(acl))
+		return PTR_ERR(acl);
+	if (acl) {
+		if (list && len <= list_len) {
+			memcpy(list, POSIX_ACL_XATTR_ACCESS, len);
+			ret = len;
+		} else
+			ret = -ERANGE;
+		posix_acl_release(acl);
+	}
+	return ret;
 }
 
 static int nfs4_xattr_get_pacl_access(struct inode *inode, const char *key,
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 2c71885..b2e8fe4 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3120,6 +3120,10 @@ static void nfs4_set_cached_acl(struct inode *inode, struct nfs4_cached_acl *acl
 static void nfs4_zap_acl_attr(struct inode *inode)
 {
 	nfs4_set_cached_acl(inode, NULL);
+#ifdef CONFIG_NFS4_FS_POSIX_ACL
+	forget_cached_acl(inode, ACL_TYPE_DEFAULT);
+	forget_cached_acl(inode, ACL_TYPE_ACCESS);
+#endif
 }
 
 static inline ssize_t nfs4_read_cached_acl(struct inode *inode, char *buf, size_t buflen)
-- 
1.6.4.2.253.g0b1fac

[RFC PATCH 7/8] nfsv4: Implement getfacl

[Aneesh Kumar K.V]

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
---
 fs/nfs/nfs4pacl.c |   31 +++++++++++++++++++++++++++++--
 1 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/fs/nfs/nfs4pacl.c b/fs/nfs/nfs4pacl.c
index 162f4c5..a13a833 100644
--- a/fs/nfs/nfs4pacl.c
+++ b/fs/nfs/nfs4pacl.c
@@ -138,7 +138,22 @@ static size_t nfs4_xattr_list_pacl_default(struct inode *inode, char *list,
 static int nfs4_xattr_get_pacl_default(struct inode *inode, const char *key,
 				void *buf, size_t buflen)
 {
-	return -EOPNOTSUPP;
+	int error = 0;
+	struct posix_acl *acl;
+
+	acl = nfs4_proc_getacl(inode, ACL_TYPE_DEFAULT);
+	if (IS_ERR(acl))
+		return PTR_ERR(acl);
+	else if (acl) {
+		if (acl->a_count == 0)
+			error = -ENODATA;
+		else
+			error = posix_acl_to_xattr(acl, buf, buflen);
+		posix_acl_release(acl);
+	} else
+		error = -ENODATA;
+
+	return error;
 }
 
 static int nfs4_xattr_set_pacl_default(struct inode *inode, const char *key,
@@ -179,7 +194,19 @@ static size_t nfs4_xattr_list_pacl_access(struct inode *inode, char *list,
 static int nfs4_xattr_get_pacl_access(struct inode *inode, const char *key,
 				void *buf, size_t buflen)
 {
-	return -EOPNOTSUPP;
+	int error = 0;
+	struct posix_acl *acl;
+
+	acl = nfs4_proc_getacl(inode, ACL_TYPE_ACCESS);
+	if (IS_ERR(acl))
+		return PTR_ERR(acl);
+	else if (acl) {
+		error = posix_acl_to_xattr(acl, buf, buflen);
+		posix_acl_release(acl);
+	} else
+		error = -ENODATA;
+
+	return error;
 }
 
 static int nfs4_xattr_set_pacl_access(struct inode *inode, const char *key,
-- 
1.6.4.2.253.g0b1fac

[RFC PATCH 8/8] nfsv4: Implement setfacl

[Aneesh Kumar K.V]

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
---
 fs/nfs/nfs4pacl.c |  140 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 138 insertions(+), 2 deletions(-)

diff --git a/fs/nfs/nfs4pacl.c b/fs/nfs/nfs4pacl.c
index a13a833..1978739 100644
--- a/fs/nfs/nfs4pacl.c
+++ b/fs/nfs/nfs4pacl.c
@@ -110,6 +110,124 @@ getout:
 	return acl;
 }
 
+static int nfs4_proc_setacls(struct inode *inode, struct posix_acl *acl,
+		  struct posix_acl *dfacl)
+{
+	struct nfs_server *server = NFS_SERVER(inode);
+	struct page *pages[NFSACL_MAXPAGES];
+	struct nfs4_setpaclargs args = {
+		.inode = inode,
+		.mask = NFS_ACL,
+		.acl_access = acl,
+		.pages = pages,
+	};
+	struct rpc_message msg = {
+		.rpc_argp	= &args,
+	};
+	int status;
+
+	status = -EOPNOTSUPP;
+	if (!nfs_server_capable(inode, NFS_CAP_PACLS))
+		goto out;
+
+	/* We are doing this here, because XDR marshalling can only
+	   return -ENOMEM. */
+	status = -ENOSPC;
+	if (acl != NULL && acl->a_count > NFS_ACL_MAX_ENTRIES)
+		goto out;
+	if (dfacl != NULL && dfacl->a_count > NFS_ACL_MAX_ENTRIES)
+		goto out;
+	if (S_ISDIR(inode->i_mode)) {
+		args.mask |= NFS_DFACL;
+		args.acl_default = dfacl;
+		args.len = nfsacl_size(acl, dfacl);
+	} else
+		args.len = nfsacl_size(acl, NULL);
+
+	if (args.len > NFS_ACL_INLINE_BUFSIZE) {
+		unsigned int npages = 1 + ((args.len - 1) >> PAGE_SHIFT);
+
+		status = -ENOMEM;
+		do {
+			args.pages[args.npages] = alloc_page(GFP_KERNEL);
+			if (args.pages[args.npages] == NULL)
+				goto out_freepages;
+			args.npages++;
+		} while (args.npages < npages);
+	}
+
+	dprintk("NFSV4 call setacl\n");
+	msg.rpc_proc = &server->client_acl->cl_procinfo[NFSPROC4_CLNT_SETPACL];
+	status = rpc_call_sync(server->client_acl, &msg, 0);
+	nfs_access_zap_cache(inode);
+	nfs_zap_acl_cache(inode);
+	dprintk("NFSv4 reply setacl: %d\n", status);
+
+	switch (status) {
+	case 0:
+		if (!IS_ERR(dfacl))
+			set_cached_acl(inode, ACL_TYPE_DEFAULT, dfacl);
+		if (!IS_ERR(acl))
+			set_cached_acl(inode, ACL_TYPE_ACCESS, acl);
+		break;
+	case -EPFNOSUPPORT:
+	case -EPROTONOSUPPORT:
+		dprintk("NFS_V4_PACL SETACL RPC not supported"
+				"(will not retry)\n");
+		server->caps &= ~NFS_CAP_PACLS;
+	case -ENOTSUPP:
+		status = -EOPNOTSUPP;
+	}
+out_freepages:
+	while (args.npages != 0) {
+		args.npages--;
+		__free_page(args.pages[args.npages]);
+	}
+out:
+	return status;
+}
+
+int nfs4_proc_setacl(struct inode *inode, int type, struct posix_acl *acl)
+{
+	int status;
+	struct posix_acl *alloc = NULL, *dfacl = NULL;
+
+	if (S_ISDIR(inode->i_mode)) {
+		switch (type) {
+		case ACL_TYPE_ACCESS:
+			alloc = dfacl = nfs4_proc_getacl(inode,
+						ACL_TYPE_DEFAULT);
+			if (IS_ERR(alloc))
+				goto fail;
+			break;
+
+		case ACL_TYPE_DEFAULT:
+			dfacl = acl;
+			alloc = acl = nfs4_proc_getacl(inode,
+						ACL_TYPE_ACCESS);
+			if (IS_ERR(alloc))
+				goto fail;
+			break;
+
+		default:
+			return -EINVAL;
+		}
+	} else if (type != ACL_TYPE_ACCESS)
+			return -EINVAL;
+
+	if (acl == NULL) {
+		alloc = acl = posix_acl_from_mode(inode->i_mode, GFP_KERNEL);
+		if (IS_ERR(alloc))
+			goto fail;
+	}
+	status = nfs4_proc_setacls(inode, acl, dfacl);
+	posix_acl_release(alloc);
+	return status;
+
+fail:
+	return PTR_ERR(alloc);
+}
+
 static size_t nfs4_xattr_list_pacl_default(struct inode *inode, char *list,
 				size_t list_len, const char *name,
 				size_t name_len)
@@ -159,7 +277,16 @@ static int nfs4_xattr_get_pacl_default(struct inode *inode, const char *key,
 static int nfs4_xattr_set_pacl_default(struct inode *inode, const char *key,
 			const void *buf, size_t buflen, int flags)
 {
-	return -EOPNOTSUPP;
+	int error;
+	struct posix_acl *acl;
+
+	acl = posix_acl_from_xattr(buf, buflen);
+	if (IS_ERR(acl))
+		return PTR_ERR(acl);
+	error = nfs4_proc_setacl(inode, ACL_TYPE_DEFAULT, acl);
+	posix_acl_release(acl);
+
+	return error;
 }
 
 struct xattr_handler nfs4_xattr_pacl_default_handler = {
@@ -212,7 +339,16 @@ static int nfs4_xattr_get_pacl_access(struct inode *inode, const char *key,
 static int nfs4_xattr_set_pacl_access(struct inode *inode, const char *key,
 			const void *buf, size_t buflen, int flags)
 {
-	return -EOPNOTSUPP;
+	int error;
+	struct posix_acl *acl;
+
+	acl = posix_acl_from_xattr(buf, buflen);
+	if (IS_ERR(acl))
+		return PTR_ERR(acl);
+	error = nfs4_proc_setacl(inode, ACL_TYPE_ACCESS, acl);
+	posix_acl_release(acl);
+
+	return error;
 }
 
 
-- 
1.6.4.2.253.g0b1fac

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[J. Bruce Fields]

On Wed, Sep 02, 2009 at 05:54:20PM +0530, Aneesh Kumar K.V wrote:
> This patch series implement POSIX ACL support for NFSV4 clients
> using sideband protocol.

What motivates this?  Who exactly wants this and why?   What would be
the advantages compared to other options, such as:

	- native v4 support in filesystems, or
	- improved client-side acl tools that provided a user interface
	  for v4 acls closer to that for v3 acls, or
	- a v4.x extension to add support to the main protocol?

Is there interest in implementing this on any OS other than linux, or
would this be a linux-only extension for the forseeable future?

What sideband protocol exactly?  If it's exactly the same protocol as
the one used with v3, there must be some slight mismatches: e.g. v4
filehandles are allowed to be longer.  How do you deal with these?

--b.

> The ACL support can be disabled/enabled
> using -o noacl/-o acl mount option. The feature enables to
> view and  modify POSIX acls from NFSv4 client.
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Aneesh Kumar K.V]

On Wed, Sep 02, 2009 at 12:42:43PM -0400, J. Bruce Fields wrote:
> On Wed, Sep 02, 2009 at 05:54:20PM +0530, Aneesh Kumar K.V wrote:
> > This patch series implement POSIX ACL support for NFSV4 clients
> > using sideband protocol.
> 
> What motivates this?  Who exactly wants this and why?   What would be
> the advantages compared to other options, such as:
> 
> 	- native v4 support in filesystems, or
> 	- improved client-side acl tools that provided a user interface
> 	  for v4 acls closer to that for v3 acls, or
> 	- a v4.x extension to add support to the main protocol?
> 
> Is there interest in implementing this on any OS other than linux, or
> would this be a linux-only extension for the forseeable future?
> 
> What sideband protocol exactly?  If it's exactly the same protocol as
> the one used with v3, there must be some slight mismatches: e.g. v4
> filehandles are allowed to be longer.  How do you deal with these?
> 

It is similar to v3 with longer file handle. Also it doesn't support
attribute update as a part of the acl calls. I does zap cache and expect
the client to do another call to get the updated attribute values. Primary
motivation is to avoid side band rpc having to handle compound request so
that we can keep it simple.

-aneesh

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[J. Bruce Fields]

On Wed, Sep 02, 2009 at 11:19:57PM +0530, Aneesh Kumar K.V wrote:
> On Wed, Sep 02, 2009 at 12:42:43PM -0400, J. Bruce Fields wrote:
> > On Wed, Sep 02, 2009 at 05:54:20PM +0530, Aneesh Kumar K.V wrote:
> > > This patch series implement POSIX ACL support for NFSV4 clients
> > > using sideband protocol.
> > 
> > What motivates this?  Who exactly wants this and why?   What would be
> > the advantages compared to other options, such as:
> > 
> > 	- native v4 support in filesystems, or
> > 	- improved client-side acl tools that provided a user interface
> > 	  for v4 acls closer to that for v3 acls, or
> > 	- a v4.x extension to add support to the main protocol?
> > 
> > Is there interest in implementing this on any OS other than linux, or
> > would this be a linux-only extension for the forseeable future?
> > 
> > What sideband protocol exactly?  If it's exactly the same protocol as
> > the one used with v3, there must be some slight mismatches: e.g. v4
> > filehandles are allowed to be longer.  How do you deal with these?
> > 
> 
> It is similar to v3 with longer file handle.  Also it doesn't support
> attribute update as a part of the acl calls. I does zap cache and expect
> the client to do another call to get the updated attribute values. Primary
> motivation is to avoid side band rpc having to handle compound request so
> that we can keep it simple.

That doesn't really answer the "motivation" question.

If you really want to do this, writing the code is the easy part.  The
really (extremely) hard part is coming up with good answers to the
questions above.

--b.
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Andreas Gruenbacher]

On Wednesday, 2 September 2009 18:42:43 J. Bruce Fields wrote:
> On Wed, Sep 02, 2009 at 05:54:20PM +0530, Aneesh Kumar K.V wrote:
> > This patch series implement POSIX ACL support for NFSV4 clients
> > using sideband protocol.
>
> What motivates this?  Who exactly wants this and why?   What would be
> the advantages compared to other options, such as:
>
> 	- native v4 support in filesystems, or
> 	- improved client-side acl tools that provided a user interface
> 	  for v4 acls closer to that for v3 acls, or
> 	- a v4.x extension to add support to the main protocol?

I can't speak for Aneesh, but my expectation is that we'll get native NFSv4 
ACL support eventually, just maybe not in the next few years. Even then, 
systems with native POSIX ACLs will coexist with machines with native NFSv4 
ACLs for a long time, and so NFSv4's lack of decent support for POSIX ACLs is 
a major problem.

I'm not sure what you mean by improved client-side tool. Some information is 
unrecoverably lost when POSIX ACLs are converted into NFSv4 ACLs; no tool on 
the client can make up for this. Besides, presenting server-side POSIX ACLs 
as similar (but not quite identical) NFSv4 ACLs on the client is really not a 
good idea: right now, clients can only guess which NFSv4 ACLs are actually 
POSIX ACLs in disguise.

> Is there interest in implementing this on any OS other than linux, or
> would this be a linux-only extension for the forseeable future?

Good question. I would sure prefer a standard solution to a Linux specific 
hack -- but that being said, I would prefer a solution to the current 
mess ;-)

Thanks,
Andreas
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Steve French]

On Mon, Oct 5, 2009 at 12:09 PM, Andreas Gruenbacher <agruen@suse.de> wrote:
> On Monday 05 October 2009 18:44:34 Steve French wrote:
>> Recently I looked through NFSv4.1 spec, and it seems to address some
>> ACL incompatibilities (with CIFS) by extending the NFSv4 ACL model.
>>
>> Should we be aiming for an eventual interface that would work for NFSv4.1
>> or limiting it to current NFSv4?
>
> I think Automatic Inheritance [*] is important for current Windows clients:
> without it it's basically impossible to manage the permissions of entire
> directory trees without shooting yourself in the foot.

Yes - that piece among the various NFSv41 ACL changes also
jumped out to me as I scanned the NFSv4.1 summary ... in part
because I was looking at some Samba mapping problems (CIFS to NFSv4
ACLs) recently.   In any case, seems very useful (even without
any CIFS compatibility issues).


-- 
Thanks,

Steve
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Andreas Gruenbacher]

On Monday 05 October 2009 18:44:34 Steve French wrote:
> Recently I looked through NFSv4.1 spec, and it seems to address some
> ACL incompatibilities (with CIFS) by extending the NFSv4 ACL model.
> 
> Should we be aiming for an eventual interface that would work for NFSv4.1
> or limiting it to current NFSv4?

I think Automatic Inheritance [*] is important for current Windows clients:
without it it's basically impossible to manage the permissions of entire
directory trees without shooting yourself in the foot.

[*] http://www.nfsv4-editor.org/draft-25/draft-ietf-nfsv4-minorversion1-25.html#auto_inherit

> Any idea on the state of NFSv4.1 it seems to be stuck for almost a year?

Sorry, don't know.

Andreas
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Steve French]

On Mon, Oct 5, 2009 at 11:31 AM, Andreas Gruenbacher <agruen@suse.de> wrote:
> On Wednesday 02 September 2009 22:22:06 J. Bruce Fields wrote:
>> On Wed, Sep 02, 2009 at 01:56:23PM -0500, Steve French wrote:
>> > In the meantime we don't even have a generalized system interface to
>> > set/get nfsv4/cifs/ntfs acls
>>
>> The current client is using raw xdr-formatted v4 acls in an extended
>> attribute.  We could consider some other interface if that would be more
>> useful to other projects.  (Andreas' patches have a different
>> xattr-based interface which might serve as another example.)
>
> Yes, the current nfsv4 client exposes NFSv4 ACLs with "user@domain" and
> "group@domain" identifiers in xattrs. Users and groups of local processes and
> files are are identified by ID though, so the kernel would have to map between
> "user@domain" and "group@domain" identifiers and IDs even for local accesses.
> This doesn't make sense. The native NSFv4 ACL prototype [1] uses IDs in its
> xattr format instead; all the ID mapping logic remains in NFSv4 (and in Samba
> for CIFS).
>
> [1] http://www.suse.de/~agruen/nfs4acl/

Recently I looked through NFSv4.1 spec, and it seems to address some
ACL incompatibilities (with CIFS) by extending the NFSv4 ACL model.

Should we be aiming for an eventual interface that would work for NFSv4.1
or limiting it to current NFSv4?

Any idea on the state of NFSv4.1 it seems to be stuck for almost a year?


-- 
Thanks,

Steve

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Andreas Gruenbacher]

On Wednesday 02 September 2009 22:22:06 J. Bruce Fields wrote:
> On Wed, Sep 02, 2009 at 01:56:23PM -0500, Steve French wrote:
> > In the meantime we don't even have a generalized system interface to
> > set/get nfsv4/cifs/ntfs acls
> 
> The current client is using raw xdr-formatted v4 acls in an extended
> attribute.  We could consider some other interface if that would be more
> useful to other projects.  (Andreas' patches have a different
> xattr-based interface which might serve as another example.)

Yes, the current nfsv4 client exposes NFSv4 ACLs with "user@domain" and 
"group@domain" identifiers in xattrs. Users and groups of local processes and 
files are are identified by ID though, so the kernel would have to map between 
"user@domain" and "group@domain" identifiers and IDs even for local accesses. 
This doesn't make sense. The native NSFv4 ACL prototype [1] uses IDs in its 
xattr format instead; all the ID mapping logic remains in NFSv4 (and in Samba 
for CIFS).

[1] http://www.suse.de/~agruen/nfs4acl/

Andreas

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Andreas Gruenbacher]

On Thursday, 3 September 2009 16:09:28 Trond Myklebust wrote:
> The main problem has been finding developers with an interest, and with
> enough time on their hands. Andreas Gruenbacher started working on NFSv4
> acls, but due to his time constraints, his work ended up getting farmed
> out to a developer in SGI, and consequently ended up in a black hole
> somewhere...

Indeed ... I transferred as much knowledge as I could to a group of SGI 
engineers who were then working on the project for a while. Unfortunately 
then the whole group was laid off (for unrelated reasons). I could not find a 
sponsor for continuing from there since.

The open issues in the project include some research (e.g., figuring out how 
Windows applications behave in practice when using Linux NFSv4 ACLs -- this 
is necessary to make a few implementation decisions which the overall design 
has left open), and some more implementation / testing / documentation work.

Thanks,
Andreas

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[J. Bruce Fields]

On Thu, Sep 03, 2009 at 10:35:35AM -0500, Steve French wrote:
> On Thu, Sep 3, 2009 at 8:55 AM, J. Bruce Fields<bfields@fieldses.org> wrote:
> > On Thu, Sep 03, 2009 at 08:54:06AM -0500, Steve French wrote:
> >> if someone were able to convince the linux-fsdevel community to change
> >> fs/posix_acls.c
> >> (or add an fs/cifs_acls.c) to handle NFSv4/CIFS/NTFS ACL evaluation, and add
> >> support to store these richer ACLs on disk for the future (e.g. for
> >> btrfs), that would be
> >> great - but with no local file system in kernel which can store NFSv4 ACLs and
> >> no code to evaluate these ACLs in the VFS and with a NACK from fsdevel when
> >
> > I don't remember that--do you have a pointer?
> 
> Aneesh mentioned one strongly worded objection (I remember more resistance
> from others too)
> 
> http://kerneltrap.org/mailarchive/linux-fsdevel/2006/6/24/313526

Yes, Christoph's always been vehemently opposed.  I share his distaste
for NFSv4/NT ACLs, but I agree with Trond that a solid implementation
with a demonstrated need from CIFS, NFSv4, NTFS, etc., would be likely
to overcome such objections.

--b.

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Steve French]

On Thu, Sep 3, 2009 at 8:55 AM, J. Bruce Fields<bfields@fieldses.org> wrote:
> On Thu, Sep 03, 2009 at 08:54:06AM -0500, Steve French wrote:
>> if someone were able to convince the linux-fsdevel community to change
>> fs/posix_acls.c
>> (or add an fs/cifs_acls.c) to handle NFSv4/CIFS/NTFS ACL evaluation, and add
>> support to store these richer ACLs on disk for the future (e.g. for
>> btrfs), that would be
>> great - but with no local file system in kernel which can store NFSv4 ACLs and
>> no code to evaluate these ACLs in the VFS and with a NACK from fsdevel when
>
> I don't remember that--do you have a pointer?

Aneesh mentioned one strongly worded objection (I remember more resistance
from others too)

http://kerneltrap.org/mailarchive/linux-fsdevel/2006/6/24/313526



-- 
Thanks,

Steve

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Steve French]

On Thu, Sep 3, 2009 at 9:16 AM, J. Bruce Fields<bfields@fieldses.org> wrote:
> If I remember correctly, Linux's posix acl support was added at about
> the same time the NFSv4.0 spec was being written--I seem to recall the
> first ACL patches being merged around the same time as the first NFSv4
> patches?

NFSv4 RFC was December 2000 (CIFS/NTFS ACLs, which were much more
complex than earlier OS/2 ACLs,  are about 4 years earlier than NFSv4
ACLs).   POSIX ACL support was added to mainline Linux kernel at the
end of 2002 (see below):

2002/10/31 02:34:21-05:00 tytso
Port of (bugfixed) 0.8.50 acl-ext2 to 2.5

This patch adds ACL support to the ext2 filesystem.

2002/10/31 02:33:05-05:00 tytso
Port of (bugfixed) 0.8.50 acl-ext3 to 2.5.

This patch adds ACL support to the ext3 filesystem.

2002/10/31 02:30:17-05:00 tytso
Port 0.8.50 acl-xattr patch to 2.5 (harmonize header file with SGI/XFS)

This patch provides converts extended attributes passed in from user
space to a generic Posix ACL representation.



-- 
Thanks,

Steve

RE: POSIX ACL support for NFSV4 (using sideband protocol)

[David P. Quigley]

On Thu, 2009-09-03 at 00:46 -0700, Muntz, Daniel wrote:
> 
> ACLs could possibly be made completely opaque to NFS with a module-based
> approach.
> 
>   -Dan

Something to be aware of here is that once you turn a field opaque you
introduce a bunch of other issues. The MAC attribute that I've been
proposing in the IETF is mostly opaque and it has caused some problems
with interoperability. Some questions to be answered are

1) what is the initial set of modules defined? They aren't going to let
you take an opaque field and run away with it to do as you please. I've
been working on ways to define an initial set of label formats to make
the working group happier.

2) How are you going to specify these modules? It needs to be in a way
that implementors can easily use it. Are these specifications maintained
through the IETF or are they maintained by an outside organization?

3) How do modules translate between themselves. Are you going to only
allow like ACL modules to communicate? Will you have a mechanism for
those with ACL type A to still use a system with ACL type B? Will a
server be able to support both ACL type A and B? What happens if you
want both a Windows NFSv4 client and a Linux NFSv4 client to use the
same shares?

These are just some ideas to think about when you decide to make this
opaque.

Dave



_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[J. Bruce Fields]

T24gV2VkLCBTZXAgMDIsIDIwMDkgYXQgMDM6NTM6MTdQTSAtMDUwMCwgU3RldmUgRnJlbmNoIHdy
b3RlOgo+IE9uIFdlZCwgU2VwIDIsIDIwMDkgYXQgMzoyMiBQTSwgSi4gQnJ1Y2UgRmllbGRzPGJm
aWVsZHNAZmllbGRzZXMub3JnPiB3cm90ZToKPiA+IE9uIFdlZCwgU2VwIDAyLCAyMDA5IGF0IDAx
OjU2OjIzUE0gLTA1MDAsIFN0ZXZlIEZyZW5jaCB3cm90ZToKPiA+PiAiSi4gQnJ1Y2UgRmllbGRz
IiA8YmZpZWxkc0BmaWVsZHNlcy5vcmc+IHdyb3RlIG9uIDA5LzAyLzIwMDkgMTE6NDI6NDMgQU06
Cj4gPj4gPiBPbiBXZWQsIFNlcCAwMiwgMjAwOSBhdCAwNTo1NDoyMFBNICswNTMwLCBBbmVlc2gg
S3VtYXIgSy5WIHdyb3RlOgo+ID4+ID4gPiBUaGlzIHBhdGNoIHNlcmllcyBpbXBsZW1lbnQgUE9T
SVggQUNMIHN1cHBvcnQgZm9yIE5GU1Y0IGNsaWVudHMKPiA+PiA+ID4gdXNpbmcgc2lkZWJhbmQg
cHJvdG9jb2wuCj4gPj4gPgo+ID4+ID4gV2hhdCBtb3RpdmF0ZXMgdGhpcz8gwqBXaG8gZXhhY3Rs
eSB3YW50cyB0aGlzIGFuZCB3aHk/IMKgIFdoYXQgd291bGQgYmUKPiA+PiA+IHRoZSBhZHZhbnRh
Z2VzIGNvbXBhcmVkIHRvIG90aGVyIG9wdGlvbnMsIHN1Y2ggYXM6Cj4gPj4KPiA+PiBUaGUgbW9z
dCBvYnZpb3VzIHJlYXNvbiB0byBtZSBpcyB0aGF0IHNlY3VyaXR5IGluZm9ybWF0aW9uCj4gPj4g
Y2FuIGJlIGxvc3QgYXMgdGhlIEFDTCB3aGljaCB3YXMgZ2VuZXJhdGVkIGJ5IExpbnV4IHV0aWxp
dGllcyBhbmQKPiA+PiBjbGllbnQgYWNsIHRvb2xzICh3aGljaCBnZXQvc2V0IHBvc2l4IGFjbHMp
IGFyZSBjb252ZXJ0ZWQgYnkgdGhlIExpbnV4IG5mcwo+ID4+IHY0IGNsaWVudAo+ID4KPiA+IFRo
ZSBrZXJuZWwgdjQgY2xpZW50IGRvZXNuJ3QgZG8gdGhhdC0taXQgcGFzc2VzIHVudG91Y2hlZCB2
NCBhY2xzIHRvIGFuZAo+ID4gZnJvbSB1c2Vyc3BhY2UuCj4gCj4gMSkgUGFzc2luZyB1bnRvdWNo
ZWQgQUNMcyBkb2Vzbid0IGhlbHAgYXMgdGhlc2UgQUNMcyB3b3VsZCBiZSBORlMgc3BlY2lmaWMs
Cj4gYW5kIHVucmVjb2duaXplZCBieSB0aGUgZGVmYXVsdCBMaW51eCB0b29scyBhbmQgR1VJcy4g
IEFjY2VzcyBDb250cm9sIG9uCj4gZmlsZSBhbmQgZGlyZWN0b3J5IG9iamVjdHMgaXMgYSAic3lz
dGVtIGZlYXR1cmUiIC0gcGFydCBvZiB0aGUgT1MgKGl0IGhhcyBiZWVuCj4gdGhhdCB3YXkgc2lu
Y2UgYXQgbGVhc3QgT1MvMiwgbm90IGp1c3QgV2luZG93cywgTWFjT1MsIFNvbGFyaXMgZXRjLi4p
Cj4gIFlvdSB3b3VsZG4ndCByZXF1aXJlIHRoZSB1c2VyIHRvIHVzZSBkaWZmZXJlbnQgdG9vbHMg
Zm9yIG1vZGlmeWluZyBBQ0xzIGluCj4gV2luZG93cywgTWFjT1MgYW5kIHJlcXVpcmUgdGhhdCB0
aGUgdXNlciB0cnkgdG8gZmlndXJlIG91dCB0aGUgQUNMIG1vZGVsIG9mCj4gdGhlIHVuZGVybHlp
bmcgZmlsZSBzeXN0ZW0gYmVmb3JlIGRlY2lkaW5nIHdoYXQgdG9vbCB0byB1c2UgYW5kIHdoYXQg
cGVybWlzc2lvbnMKPiB0byBhcHBseSB0byBoaXMgaG9tZSBkaXJlY3RvcnkKPiAyKSBJZiBQT1NJ
WC0+TkZTdjQgY2xpZW50IG1hcHBpbmcgaXMgZG9uZSAoYXMgaGFkIGJlZW4gc3VnZ2VzdGVkIElJ
UkMKPiBieSBvdGhlcnMgaW4gdGhlIHBhc3QpIGF0IGxlYXN0IHlvdSBsb3NlIGxlc3MgZGF0YSAo
TkZTdjQgQUNMcyBhcmUgInJpY2hlciIKPiBpbiBmdW5jdGlvbiB0aGFuIFBPU0lYIEFDTHMgLSBz
byBhdCBsZWFzdCB3aXRoIHRoZSBQT1NJWC0+TkZTdjQtPlBPU0lYCj4gY2FzZSB5b3UgYXJlIGxp
bWl0aW5nIHRoZSB1c2VyIHRvIHRoZSBzdWJzZXQgb2YgY2hvaWNlcyB3aGljaCBhcmUgYWN0dWFs
bHkKPiBnb2luZyB0byBiZSBhYmxlIHRvIGJlIHN0b3JlZCwgbm8gaW5oZXJpdGVuY2UgZXRjLikK
CklmIEkgcmVtZW1iZXIgY29ycmVjdGx5LCBMaW51eCdzIHBvc2l4IGFjbCBzdXBwb3J0IHdhcyBh
ZGRlZCBhdCBhYm91dAp0aGUgc2FtZSB0aW1lIHRoZSBORlN2NC4wIHNwZWMgd2FzIGJlaW5nIHdy
aXR0ZW4tLUkgc2VlbSB0byByZWNhbGwgdGhlCmZpcnN0IEFDTCBwYXRjaGVzIGJlaW5nIG1lcmdl
ZCBhcm91bmQgdGhlIHNhbWUgdGltZSBhcyB0aGUgZmlyc3QgTkZTdjQKcGF0Y2hlcz8gIEF0IHdo
aWNoIHBvaW50IGl0IHdhcyByZWFzb25hYmxlIHRvIHNheSB0aGF0IG5vYm9keSByZWFsbHkKdXNl
ZCAiUE9TSVgiIEFDTHMsIGFuZCBub2JvZHkgY291bGQgZXZlciBldmVuIGFncmVlIG9uIGEgc2lu
Z2xlIHN0YW5kYXJkCmZvciB0aGVtLCBzbyB3aHkgYm90aGVyPwoKU28gYW5vdGhlciB3YXkgdG8g
c3RhdGUgeW91ciBhcmd1bWVudCAjMSB3b3VsZCBiZSB0byBzYXkgdGhhdCBhIGxvdCBoYXMKY2hh
bmdlZCBzaW5jZSB0aGVuOiBMaW51eCBhZG1pbmlzdHJhdG9ycyBoYXZlIGdvdHRlbiB1c2VkIHRv
IEFDTHMsIHYyL3YzCmFuZCBDSUZTIGhhdmUgZ2FpbmVkIHN1cHBvcnQgZm9yIHRoZW0sIGV0Yy4s
IHNvIHRoZXkncmUgZXN0YWJsaXNoZWQgbm93CmFuZCB3ZSBoYXZlIHRvIHN1cHBvcnQgdGhlbS4K
CkkgdGhpbmsgdGhhdCBhcmd1bWVudCB3b3VsZCBuZWVkIHRvIGJlIG1hZGUgdG8gbmZzdjRAaWV0
Zi5vcmcsIGFuZCB3aWxsCm5lZWQgc29tZSBldmlkZW5jZSB0byBiYWNrIGl0IHVwLiAgKFVuZm9y
dHVuYXRlbHksIEkgc2VlIHRoYXQgb24gbXkgdmVyeQpyZWNlbnQgKFVidW50dSA5LjEwIGFscGhh
KSBsaW51eCBkZXNrdG9wLCBhY2wgc3VwcG9ydCBvbiB0aGUgZmlsZXN5c3RlbQppc24ndCB0dXJu
ZWQgb24sIGFuZCBuYXV0aWx1cyBkb2Vzbid0IGFwcGVhciB0byBrbm93IGhvdyB0byBlZGl0IGFj
bHMuCk9uIHRoZSBvdGhlciBoYW5kLCBldmVyeXRoaW5nJ3MgY29tcGlsZWQgYWdhaW5zdCBsaWJh
Y2wsIGFuZCB0aGUKY29tbWFuZGxpbmUgdXRpbGl0aWVzIGFwcGVhciB0byBoYXZlIGJlZW4gaW5z
dGFsbGVkIGJ5IGRlZmF1bHQuKQoKLS1iLgpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fXwpORlN2NCBtYWlsaW5nIGxpc3QKTkZTdjRAbGludXgtbmZzLm9yZwpo
dHRwOi8vbGludXgtbmZzLm9yZy9jZ2ktYmluL21haWxtYW4vbGlzdGluZm8vbmZzdjQ=

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Trond Myklebust]

On Thu, 2009-09-03 at 08:54 -0500, Steve French wrote:
> If someone were able to convince the linux-fsdevel community to change
> fs/posix_acls.c
> (or add an fs/cifs_acls.c) to handle NFSv4/CIFS/NTFS ACL evaluation, and add
> support to store these richer ACLs on disk for the future (e.g. for
> btrfs), that would be
> great - but with no local file system in kernel which can store NFSv4 ACLs and
> no code to evaluate these ACLs in the VFS and with a NACK from fsdevel when
> others tried this a few years ago (even after MacOS and others moved to the
> CIFS/NTFS ACLs model)

I don't think the fs-devel community is a problem. We have native
support for plenty of these filesystems which use alternative acl
models, so a very good case can be made for their inclusion.

The main problem has been finding developers with an interest, and with
enough time on their hands. Andreas Gruenbacher started working on NFSv4
acls, but due to his time constraints, his work ended up getting farmed
out to a developer in SGI, and consequently ended up in a black hole
somewhere...

Cheers
  Trond

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@netapp.com
www.netapp.com

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Steve French]

On Thu, Sep 3, 2009 at 8:54 AM, J. Bruce Fields<bfields@fieldses.org> wrote:
> On Thu, Sep 03, 2009 at 08:36:44AM -0500, Steve French wrote:
>> On Thu, Sep 3, 2009 at 2:46 AM, Muntz, Daniel<Dan.Muntz@netapp.com> wrot=
e:
>> > I've always thought of NFS as a means for making physical file systems
>> > available across a network. =A0NFS having its own ACLs doesn't fit this
>> > model. =A0E.g., "NFS ACLs" will never be integrated into NTFS. =A0Howe=
ver, I
>> > could imagine NFS ACLs solving the general problem if they were to form
>> > a superset of the ACLs of exportable physical file systems
>>
>> NFSv4 ACLs are similar to CIFS/NTFS ACLS. NFSv4 ACLs were
>> originally based on CIFS/NTFS ACLs so it would be reasonable
>> to export them from NTFS (although the SIDs (UUIDs) have to be mapped
>> to local Linux UIDs - we have user space code that can do this in Samba).
>
> On the server side, you'd actually have to map between SIDs and NFSv4
> names (strings of the form user@domain).

Yes ... We could add mapping directly from user@domain to SID - Samba
has something similar,
but we already have both mapping to/from unix uid.

1) SID (UUID, a number) to/from a local Unix UID (which winbind and
others have today)
and
2) user@domain mapped to/from local Unix UID (which NFS user space
code has today)

If


-- =

Thanks,

Steve

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[J. Bruce Fields]

On Thu, Sep 03, 2009 at 08:54:06AM -0500, Steve French wrote:
> On Thu, Sep 3, 2009 at 1:20 AM, Ondrej Valousek<webserv@s3group.cz> wrote:
> >
> >> 2) If POSIX->NFSv4 client mapping is done (as had been suggested IIRC
> >> by others in the past) at least you lose less data (NFSv4 ACLs are
> >> "richer"
> >> in function than POSIX ACLs - so at least with the POSIX->NFSv4->POSIX
> >> case you are limiting the user to the subset of choices which are actually
> >> going to be able to be stored, no inheritence etc.)
> >>
> > I must say that I do not understand the motivation either. POSIX is not even
> > a standard and should be replaced with NFSv4 acls.
> > Even now ext3/ext4 support NFSv4 acls (ok. patch is needed but the patch is
> > there already).
> 
> If someone were able to convince the linux-fsdevel community to change
> fs/posix_acls.c
> (or add an fs/cifs_acls.c) to handle NFSv4/CIFS/NTFS ACL evaluation, and add
> support to store these richer ACLs on disk for the future (e.g. for
> btrfs), that would be
> great - but with no local file system in kernel which can store NFSv4 ACLs and
> no code to evaluate these ACLs in the VFS and with a NACK from fsdevel when

I don't remember that--do you have a pointer?

--b.

> others tried this a few years ago (even after MacOS and others moved to the
> CIFS/NTFS ACLs model)
> 
> > If the decision was up to me, I would forbid any nfsv4 acls if the server
> > can not store them properly (i.e. without any conversion)
> 
> That would be a pretty dramatic loss of function - being forced to use
> the primitive
> mode bits to protect files if the server were Linux - and could be
> worseeven NetApp does
> some ACL mapping

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Steve French]

On Thu, Sep 3, 2009 at 1:20 AM, Ondrej Valousek<webserv@s3group.cz> wrote:
>
>> 2) If POSIX->NFSv4 client mapping is done (as had been suggested IIRC
>> by others in the past) at least you lose less data (NFSv4 ACLs are
>> "richer"
>> in function than POSIX ACLs - so at least with the POSIX->NFSv4->POSIX
>> case you are limiting the user to the subset of choices which are actually
>> going to be able to be stored, no inheritence etc.)
>>
> I must say that I do not understand the motivation either. POSIX is not even
> a standard and should be replaced with NFSv4 acls.
> Even now ext3/ext4 support NFSv4 acls (ok. patch is needed but the patch is
> there already).

If someone were able to convince the linux-fsdevel community to change
fs/posix_acls.c
(or add an fs/cifs_acls.c) to handle NFSv4/CIFS/NTFS ACL evaluation, and add
support to store these richer ACLs on disk for the future (e.g. for
btrfs), that would be
great - but with no local file system in kernel which can store NFSv4 ACLs and
no code to evaluate these ACLs in the VFS and with a NACK from fsdevel when
others tried this a few years ago (even after MacOS and others moved to the
CIFS/NTFS ACLs model)

> If the decision was up to me, I would forbid any nfsv4 acls if the server
> can not store them properly (i.e. without any conversion)

That would be a pretty dramatic loss of function - being forced to use
the primitive
mode bits to protect files if the server were Linux - and could be
worseeven NetApp does
some ACL mapping




-- 
Thanks,

Steve

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[J. Bruce Fields]

T24gVGh1LCBTZXAgMDMsIDIwMDkgYXQgMDg6MzY6NDRBTSAtMDUwMCwgU3RldmUgRnJlbmNoIHdy
b3RlOgo+IE9uIFRodSwgU2VwIDMsIDIwMDkgYXQgMjo0NiBBTSwgTXVudHosIERhbmllbDxEYW4u
TXVudHpAbmV0YXBwLmNvbT4gd3JvdGU6Cj4gPiBJJ3ZlIGFsd2F5cyB0aG91Z2h0IG9mIE5GUyBh
cyBhIG1lYW5zIGZvciBtYWtpbmcgcGh5c2ljYWwgZmlsZSBzeXN0ZW1zCj4gPiBhdmFpbGFibGUg
YWNyb3NzIGEgbmV0d29yay4gwqBORlMgaGF2aW5nIGl0cyBvd24gQUNMcyBkb2Vzbid0IGZpdCB0
aGlzCj4gPiBtb2RlbC4gwqBFLmcuLCAiTkZTIEFDTHMiIHdpbGwgbmV2ZXIgYmUgaW50ZWdyYXRl
ZCBpbnRvIE5URlMuIMKgSG93ZXZlciwgSQo+ID4gY291bGQgaW1hZ2luZSBORlMgQUNMcyBzb2x2
aW5nIHRoZSBnZW5lcmFsIHByb2JsZW0gaWYgdGhleSB3ZXJlIHRvIGZvcm0KPiA+IGEgc3VwZXJz
ZXQgb2YgdGhlIEFDTHMgb2YgZXhwb3J0YWJsZSBwaHlzaWNhbCBmaWxlIHN5c3RlbXMKPiAKPiBO
RlN2NCBBQ0xzIGFyZSBzaW1pbGFyIHRvIENJRlMvTlRGUyBBQ0xTLiBORlN2NCBBQ0xzIHdlcmUK
PiBvcmlnaW5hbGx5IGJhc2VkIG9uIENJRlMvTlRGUyBBQ0xzIHNvIGl0IHdvdWxkIGJlIHJlYXNv
bmFibGUKPiB0byBleHBvcnQgdGhlbSBmcm9tIE5URlMgKGFsdGhvdWdoIHRoZSBTSURzIChVVUlE
cykgaGF2ZSB0byBiZSBtYXBwZWQKPiB0byBsb2NhbCBMaW51eCBVSURzIC0gd2UgaGF2ZSB1c2Vy
IHNwYWNlIGNvZGUgdGhhdCBjYW4gZG8gdGhpcyBpbiBTYW1iYSkuCgpPbiB0aGUgc2VydmVyIHNp
ZGUsIHlvdSdkIGFjdHVhbGx5IGhhdmUgdG8gbWFwIGJldHdlZW4gU0lEcyBhbmQgTkZTdjQKbmFt
ZXMgKHN0cmluZ3Mgb2YgdGhlIGZvcm0gdXNlckBkb21haW4pLgoKLS1iLgoKPiBOb3RlIFNhbWJh
IHNlcnZlciBjYW4gbWFwIGJldHdlZW4gdGhlIENJRlMvTlRGUyBhbmQgTkZTdjQKPiBBQ0xzIGFs
cmVhZHkgYW5kIGhhcyBmb3IgbWFueSB5ZWFycy4KPiAKPiBKUkEgb24gdGhlIFNhbWJhIHRlYW0g
YW5kIEFuZHJlYXMgaGF2ZSBkb25lIHNvbWUgZ29vZAo+IHByZXNlbnRhdGlvbnMgb24gdGhlIGRp
ZmZlcmVuY2VzIGluIEFDTCBtb2RlbHMsIGJ1dCBvdGhlciB0aGFuCj4gc3RvcmluZyB0aGUgIm1h
c2siIG9yIGVxdWl2YWxlbnQgLSBQT1NJWCBBQ0xzIGNhbiBiZSB0aG91Z2h0IG9mIGFzCj4gYSBz
dWJzZXQgb2YgTkZTdjQvQ0lGUy9OVEZTIEFDTHMKX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX18KTkZTdjQgbWFpbGluZyBsaXN0Ck5GU3Y0QGxpbnV4LW5mcy5v
cmcKaHR0cDovL2xpbnV4LW5mcy5vcmcvY2dpLWJpbi9tYWlsbWFuL2xpc3RpbmZvL25mc3Y0

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Steve French]

On Thu, Sep 3, 2009 at 2:46 AM, Muntz, Daniel<Dan.Muntz@netapp.com> wrote:
> I've always thought of NFS as a means for making physical file systems
> available across a network.  NFS having its own ACLs doesn't fit this
> model.  E.g., "NFS ACLs" will never be integrated into NTFS.  However, I
> could imagine NFS ACLs solving the general problem if they were to form
> a superset of the ACLs of exportable physical file systems

NFSv4 ACLs are similar to CIFS/NTFS ACLS. NFSv4 ACLs were
originally based on CIFS/NTFS ACLs so it would be reasonable
to export them from NTFS (although the SIDs (UUIDs) have to be mapped
to local Linux UIDs - we have user space code that can do this in Samba).
Note Samba server can map between the CIFS/NTFS and NFSv4
ACLs already and has for many years.

JRA on the Samba team and Andreas have done some good
presentations on the differences in ACL models, but other than
storing the "mask" or equivalent - POSIX ACLs can be thought of as
a subset of NFSv4/CIFS/NTFS ACLs



-- 
Thanks,

Steve

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Aneesh Kumar K.V]

On Thu, Sep 03, 2009 at 12:46:09AM -0700, Muntz, Daniel wrote:
> I've always thought of NFS as a means for making physical file systems
> available across a network.  NFS having its own ACLs doesn't fit this
> model.  E.g., "NFS ACLs" will never be integrated into NTFS.  However, I
> could imagine NFS ACLs solving the general problem if they were to form
> a superset of the ACLs of exportable physical file systems, and the
> mechanism for interpreting ACLs for a particular physical file system
> could be encoded (or modularized) in such a way that NFS' evaluation of
> ACL operations has the same results as the physical file system's
> execution of the same ACL operations.  You could have a POSIX ACL
> module, NTFS ACL module, etc.  There's a challenge for 4.2.
> 
> ACLs could possibly be made completely opaque to NFS with a module-based
> approach.
> 

What would be the acl model on the client side ? Considering that POSIX ACL
is looked at as the native acl model in Linux, I guess we should have the ability
to modify the ACLs using POSIX ACL tools on the nfs client

-aneesh
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4

RE: POSIX ACL support for NFSV4 (using sideband protocol)

[Muntz, Daniel]

I've always thought of NFS as a means for making physical file systems
available across a network.  NFS having its own ACLs doesn't fit this
model.  E.g., "NFS ACLs" will never be integrated into NTFS.  However, I
could imagine NFS ACLs solving the general problem if they were to form
a superset of the ACLs of exportable physical file systems, and the
mechanism for interpreting ACLs for a particular physical file system
could be encoded (or modularized) in such a way that NFS' evaluation of
ACL operations has the same results as the physical file system's
execution of the same ACL operations.  You could have a POSIX ACL
module, NTFS ACL module, etc.  There's a challenge for 4.2.

ACLs could possibly be made completely opaque to NFS with a module-based
approach.

  -Dan


> -----Original Message-----
> From: Ondrej Valousek [mailto:webserv@s3group.cz] 
> Sent: Wednesday, September 02, 2009 11:20 PM
> To: Steve French
> Cc: ffilzlnx@linux.vnet.ibm.com; linux-nfs@vger.kernel.org; 
> nfsv4@linux-nfs.org; Myklebust, Trond; jra@samba.org; agruen@suse.de
> Subject: Re: POSIX ACL support for NFSV4 (using sideband protocol)
> 
> 
> > 2) If POSIX->NFSv4 client mapping is done (as had been 
> suggested IIRC 
> > by others in the past) at least you lose less data (NFSv4 
> ACLs are "richer"
> > in function than POSIX ACLs - so at least with the 
> POSIX->NFSv4->POSIX 
> > case you are limiting the user to the subset of choices which are 
> > actually going to be able to be stored, no inheritence etc.)
> >
> >   
> 
> I must say that I do not understand the motivation either. 
> POSIX is not even a standard and should be replaced with NFSv4 acls.
> Even now ext3/ext4 support NFSv4 acls (ok. patch is needed 
> but the patch is there already).
> 
> If the decision was up to me, I would forbid any nfsv4 acls 
> if the server can not store them properly (i.e. without any 
> conversion) + forbid using nfsv4 with posix acls over 
> sideband protocol (no standard, so netapp will never support 
> this and the same is to be expected from Windows and 
> Solaris). This is just adding mess and confusion.
> 
> My 5 cents...
> Ondrej
> _______________________________________________
> NFSv4 mailing list
> NFSv4@linux-nfs.org
> http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
> 

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Ondrej Valousek]

> 2) If POSIX->NFSv4 client mapping is done (as had been suggested IIRC
> by others in the past) at least you lose less data (NFSv4 ACLs are "richer"
> in function than POSIX ACLs - so at least with the POSIX->NFSv4->POSIX
> case you are limiting the user to the subset of choices which are actually
> going to be able to be stored, no inheritence etc.)
>
>   

I must say that I do not understand the motivation either. POSIX is not 
even a standard and should be replaced with NFSv4 acls.
Even now ext3/ext4 support NFSv4 acls (ok. patch is needed but the patch 
is there already).

If the decision was up to me, I would forbid any nfsv4 acls if the 
server can not store them properly (i.e. without any conversion) + 
forbid using nfsv4 with posix acls over sideband protocol (no standard, 
so netapp will never support this and the same is to be expected from 
Windows and Solaris). This is just adding mess and confusion.

My 5 cents...
Ondrej
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Steve French]

On Wed, Sep 2, 2009 at 3:22 PM, J. Bruce Fields<bfields@fieldses.org> wrote=
:
> On Wed, Sep 02, 2009 at 01:56:23PM -0500, Steve French wrote:
>> "J. Bruce Fields" <bfields@fieldses.org> wrote on 09/02/2009 11:42:43 AM=
:
>> > On Wed, Sep 02, 2009 at 05:54:20PM +0530, Aneesh Kumar K.V wrote:
>> > > This patch series implement POSIX ACL support for NFSV4 clients
>> > > using sideband protocol.
>> >
>> > What motivates this? =A0Who exactly wants this and why? =A0 What would=
 be
>> > the advantages compared to other options, such as:
>>
>> The most obvious reason to me is that security information
>> can be lost as the ACL which was generated by Linux utilities and
>> client acl tools (which get/set posix acls) are converted by the Linux n=
fs
>> v4 client
>
> The kernel v4 client doesn't do that--it passes untouched v4 acls to and
> from userspace.

1) Passing untouched ACLs doesn't help as these ACLs would be NFS specific,
and unrecognized by the default Linux tools and GUIs.  Access Control on
file and directory objects is a "system feature" - part of the OS (it has b=
een
that way since at least OS/2, not just Windows, MacOS, Solaris etc..)
 You wouldn't require the user to use different tools for modifying ACLs in
Windows, MacOS and require that the user try to figure out the ACL model of
the underlying file system before deciding what tool to use and what permis=
sions
to apply to his home directory
2) If POSIX->NFSv4 client mapping is done (as had been suggested IIRC
by others in the past) at least you lose less data (NFSv4 ACLs are "richer"
in function than POSIX ACLs - so at least with the POSIX->NFSv4->POSIX
case you are limiting the user to the subset of choices which are actually
going to be able to be stored, no inheritence etc.)




--=20
Thanks,

Steve
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[J. Bruce Fields]

On Wed, Sep 02, 2009 at 01:56:23PM -0500, Steve French wrote:
> "J. Bruce Fields" <bfields@fieldses.org> wrote on 09/02/2009 11:42:43 AM:
> > On Wed, Sep 02, 2009 at 05:54:20PM +0530, Aneesh Kumar K.V wrote:
> > > This patch series implement POSIX ACL support for NFSV4 clients
> > > using sideband protocol.
> >
> > What motivates this?  Who exactly wants this and why?   What would be
> > the advantages compared to other options, such as:
> 
> The most obvious reason to me is that security information
> can be lost as the ACL which was generated by Linux utilities and
> client acl tools (which get/set posix acls) are converted by the Linux nfs
> v4 client

The kernel v4 client doesn't do that--it passes untouched v4 acls to and
from userspace.

(We do have some patches which do that conversion in libacl, but I don't
believe any distribution has ever applied them.)

> to NFSv4 ACLs on the wire and then the server converts them back to posix
> to save them in ext3 (or ext4 or xfs etc.).  This double conversion can
> result
> in a different ACL returned on subsequent queries (e.g. getfacl) than the
> one that the user just set.

Do you have an example?  I may be forgetting some corner case, but I
don't believe there should be any, *except* for those due to name<->id
conversion.

Which is a much larger problem.

(There may also, of course, be translation problems even when only one
side is translating--but I think the id/name translation is still the
bigger problem.)

> At worst this is a security exposure and at
> best it is confusing to the user (and we don't control the tools).
> And Linux client to Linux server is worse than Linux client to some other
> servers because of the extra conversion (which is counter intuitive)
> 
> >    - native v4 support in filesystems, or
> Doesn't help now.  In the future would be nice to have something
> similar to native cifs/ntfs/nfsv4 ACLs in btrfs - but that wouldn't help
> for years - and won't help all of the other Linux
> file systems.

Here's one attempt for ext3:

	http://www.suse.de/~agruen/nfs4acl/

> CIFS and NTFS (and SMB2 in the future) could be modified to return
> something like an NFSv4 ACL, but local file systems aren't likely to
> change.

Could be.  I'd expect serious resistance, but nobody has really tried
yet that I'm aware of.

> In the meantime we don't even have
> a generalized system interface to set/get nfsv4/cifs/ntfs acls so

The current client is using raw xdr-formatted v4 acls in an extended
attribute.  We could consider some other interface if that would be more
useful to other projects.  (Andreas' patches have a different
xattr-based interface which might serve as another example.)

> Linux ACL tools and libraries and server software
> like Samba could be updated to handle something other than
> posix ACLs.   I expect that jra and others of us on the Samba team
> would love to see a few Linux file systems support CIFS/NFSv4/NTFS
> ACLs but as he has reminded people - posix acls are Linux's native
> ACL model.
> 
> >    - improved client-side acl tools that provided a user interface
> >      for v4 acls closer to that for v3 acls, or
> Problem is that ACLs are a "system feature" and the OS tools,
> utilities and desktop GUI tools for Linux use POSIX ACLs since
> Linux's "native acl interface" is the posix one.   It would make
> sense to add a way to query the "preferred acl interface"
> for a file system (and NFSv4 client could query the server
> perhaps via a named attribute to determine the ACL type
> preferred by the server fs).  It is important to use the
> native ACL model of the server operating system
> so that information is not lost unnecessarily in the conversion.
> 
> >    - a v4.x extension to add support to the main protocol?
> 
> Sounds fine to me to add an extension to the main protocol
> but I doubt that it would be necessary - no extension was
> formally added when v3 was extended for posix acls.
> By analogy with cifs - we defined a new request and a new capability
> bit for posix acl support.   CIFS ACL support is expected
> ("should" implement) but posix acl support is optional.  The
> Linux client uses posix acls if the server claims support for it
> and it has not been disabled on the client by mount option.

I'm sympathetic to this kind of argument, but it should be made at
nfsv4@ietf.org.  It will be much harder to push patches that aren't
based on something well on its way to standardization.

--b.

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Steve French]

"J. Bruce Fields" <bfields@fieldses.org> wrote on 09/02/2009 11:42:43 AM:
> On Wed, Sep 02, 2009 at 05:54:20PM +0530, Aneesh Kumar K.V wrote:
> > This patch series implement POSIX ACL support for NFSV4 clients
> > using sideband protocol.
>
> What motivates this?  Who exactly wants this and why?   What would be
> the advantages compared to other options, such as:

The most obvious reason to me is that security information
can be lost as the ACL which was generated by Linux utilities and
client acl tools (which get/set posix acls) are converted by the Linux
nfs v4 client
to NFSv4 ACLs on the wire and then the server converts them back to posix
to save them in ext3 (or ext4 or xfs etc.).  This double conversion can result
in a different ACL returned on subsequent queries (e.g. getfacl) than the
one that the user just set.  At worst this is a security exposure and at
best it is confusing to the user (and we don't control the tools).
And Linux client to Linux server is worse than Linux client to some other
servers because of the extra conversion (which is counter intuitive)

>    - native v4 support in filesystems, or
Doesn't help now.  In the future would be nice to have something
similar to native cifs/ntfs/nfsv4 ACLs in btrfs - but that wouldn't help
for years - and won't help all of the other Linux
file systems.   CIFS and NTFS (and SMB2 in the future) could be
modified to return something like an NFSv4 ACL, but local file systems
aren't likely to change.  In the meantime we don't even have
a generalized system interface to set/get nfsv4/cifs/ntfs acls so
Linux ACL tools and libraries and server software
like Samba could be updated to handle something other than
posix ACLs.   I expect that jra and others of us on the Samba team
would love to see a few Linux file systems support CIFS/NFSv4/NTFS
ACLs but as he has reminded people - posix acls are Linux's native
ACL model.

>    - improved client-side acl tools that provided a user interface
>      for v4 acls closer to that for v3 acls, or
Problem is that ACLs are a "system feature" and the OS tools,
utilities and desktop GUI tools for Linux use POSIX ACLs since
Linux's "native acl interface" is the posix one.   It would make
sense to add a way to query the "preferred acl interface"
for a file system (and NFSv4 client could query the server
perhaps via a named attribute to determine the ACL type
preferred by the server fs).  It is important to use the
native ACL model of the server operating system
so that information is not lost unnecessarily in the conversion.

>    - a v4.x extension to add support to the main protocol?

Sounds fine to me to add an extension to the main protocol
but I doubt that it would be necessary - no extension was
formally added when v3 was extended for posix acls.
By analogy with cifs - we defined a new request and a new capability
bit for posix acl support.   CIFS ACL support is expected
("should" implement) but posix acl support is optional.  The
Linux client uses posix acls if the server claims support for it
and it has not been disabled on the client by mount option.

> > The ACL support can be disabled/enabled
> > using -o noacl/-o acl mount option. The feature enables to
> > view and  modify POSIX acls from NFSv4 client.


--
Thanks,

Steve

Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Steve French]

[-- Attachment #1.1: Type: text/plain, Size: 3280 bytes --]

"J. Bruce Fields" <bfields@fieldses.org> wrote on 09/02/2009 11:42:43 AM:
> On Wed, Sep 02, 2009 at 05:54:20PM +0530, Aneesh Kumar K.V wrote:
> > This patch series implement POSIX ACL support for NFSV4 clients
> > using sideband protocol.
>
> What motivates this?  Who exactly wants this and why?   What would be
> the advantages compared to other options, such as:

The most obvious reason to me is that security information
can be lost as the ACL which was generated by Linux utilities and
client acl tools (which get/set posix acls) are converted by the Linux nfs
v4 client
to NFSv4 ACLs on the wire and then the server converts them back to posix
to save them in ext3 (or ext4 or xfs etc.).  This double conversion can
result
in a different ACL returned on subsequent queries (e.g. getfacl) than the
one that the user just set.  At worst this is a security exposure and at
best it is confusing to the user (and we don't control the tools).
And Linux client to Linux server is worse than Linux client to some other
servers because of the extra conversion (which is counter intuitive)

>    - native v4 support in filesystems, or
Doesn't help now.  In the future would be nice to have something
similar to native cifs/ntfs/nfsv4 ACLs in btrfs - but that wouldn't help
for years - and won't help all of the other Linux
file systems.   CIFS and NTFS (and SMB2 in the future) could be
modified to return something like an NFSv4 ACL, but local file systems
aren't likely to change.  In the meantime we don't even have
a generalized system interface to set/get nfsv4/cifs/ntfs acls so
Linux ACL tools and libraries and server software
like Samba could be updated to handle something other than
posix ACLs.   I expect that jra and others of us on the Samba team
would love to see a few Linux file systems support CIFS/NFSv4/NTFS
ACLs but as he has reminded people - posix acls are Linux's native
ACL model.

>    - improved client-side acl tools that provided a user interface
>      for v4 acls closer to that for v3 acls, or
Problem is that ACLs are a "system feature" and the OS tools,
utilities and desktop GUI tools for Linux use POSIX ACLs since
Linux's "native acl interface" is the posix one.   It would make
sense to add a way to query the "preferred acl interface"
for a file system (and NFSv4 client could query the server
perhaps via a named attribute to determine the ACL type
preferred by the server fs).  It is important to use the
native ACL model of the server operating system
so that information is not lost unnecessarily in the conversion.

>    - a v4.x extension to add support to the main protocol?

Sounds fine to me to add an extension to the main protocol
but I doubt that it would be necessary - no extension was
formally added when v3 was extended for posix acls.
By analogy with cifs - we defined a new request and a new capability
bit for posix acl support.   CIFS ACL support is expected
("should" implement) but posix acl support is optional.  The
Linux client uses posix acls if the server claims support for it
and it has not been disabled on the client by mount option.

> > The ACL support can be disabled/enabled
> > using -o noacl/-o acl mount option. The feature enables to
> > view and  modify POSIX acls from NFSv4 client.

-- 
Thanks,

Steve

[-- Attachment #1.2: Type: text/html, Size: 3914 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4