Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready

Andreas Gruenbacher <agruen@suse.de> Thu, 27 July 2006 02:32 UTC

From: Andreas Gruenbacher <agruen@suse.de>
Organization: Novell / SUSE Labs
To: nfsv4@ietf.org
Subject: Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready
Date: Thu, 27 Jul 2006 04:28:37 +0200
User-Agent: KMail/1.9.1
References: <992BA60650F1584BA63E339312CE42030595891C@exsvl02.hq.netapp.com>
In-Reply-To: <992BA60650F1584BA63E339312CE42030595891C@exsvl02.hq.netapp.com>
Message-Id: <200607270428.37671.agruen@suse.de>
Cc: "J. Bruce Fields" <bfields@fieldses.org>, Sam.Falkner@sun.com, "Yoder, Alan" <agy@netapp.com>, wurzl_mario@emc.com

On Friday, 14. July 2006 22:05, Yoder, Alan wrote:
> > > Let me see if I understand.
> > >
> > > A POSIX ACL client sees ALLOW bfields READ+WRITE
> >
> > Not necessarily "POSIX ACL" clients, but clients that request the new
> > mask attributes.  Such clients also understand that the relevant mask
> > makes that ALLOW effectively the same as just an allow of READ.
>
>    The hell comes from having to explain this on the phone
> to mystified customers.  It took years for the phone to stop
> ringing after Netapp's first multiprotocol implementation.
> In fact, it still hasn't completely stopped, in spite of a
> huge documentation and education effort.

I understand your concerns. My point would be that no matter how we implement 
the correct semantics, the semantics will remain just as complex. The worst 
that could happen is that an implementation uses unsuitable abstractions and 
through that makes the semantics even less obvious, or introduces 
unintentional artefacts.

>    But it sounds like you're telling me an admin will
> never be able to see different permissions on files depending
> on what OS she happens to be looking at them with.  Is that
> correct?

Clients who understand the concept of masking will see that there are some 
permissions which are not effective (= masked). Clients which do not understand 
this concept will only see the effective permissions. At least this is what I 
was proposing, so I would call your statement correct. More capable clients 
will see some additional details that are hidden from other, less capable 
ones.

Indeed it would be bizarre and wrong to show masked permissions to clients 
which do not understand masking.

Thanks,
Andreas

-- 
Andreas Gruenbacher <agruen@suse.de>
Novell / SUSE Labs
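
The two client views discussed in this message, as an added sketch that is not part of the original post or of the draft. It assumes a simplified model (three permission bits, one mask per file, the mask limiting ALLOW entries only); all names in it are hypothetical.

```python
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4  # simplified permission bits (assumed)

@dataclass(frozen=True)
class Ace:
    kind: str   # "ALLOW" or "DENY"
    who: str
    perms: int

def view_for_client(acl, mask, understands_mask):
    """Return (aces, mask) as presented to a client.

    Mask-aware clients get the stored ACEs plus the mask. Other clients get
    ALLOW entries already reduced to their effective permissions, and no mask.
    """
    if understands_mask:
        return list(acl), mask
    reduced = [Ace(a.kind, a.who, a.perms & mask) if a.kind == "ALLOW" else a
               for a in acl]
    return reduced, None

def effective_access(acl, mask, who, wanted):
    """Ordered ACE evaluation; ALLOW bits outside the mask never grant."""
    granted = 0
    for ace in acl:
        if ace.who != who:
            continue
        bits = ace.perms & wanted & ~granted
        if ace.kind == "DENY" and bits:
            return False
        if ace.kind == "ALLOW":
            granted |= bits if mask is None else bits & mask
        if granted == wanted:
            return True
    return False

def views_agree(acl, mask, who):
    """True if both views yield the same decision for every permission set."""
    aware = view_for_client(acl, mask, True)
    legacy = view_for_client(acl, mask, False)
    return all(effective_access(*aware, who, w) == effective_access(*legacy, who, w)
               for w in range(1, 8))

# Constructed sample: the "ALLOW bfields READ+WRITE" entry with a READ-only mask.
SAMPLE_ACL = [Ace("ALLOW", "bfields", READ | WRITE)]
SAMPLE_MASK = READ
```
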
