Bug #931
closedopening up security. xattr
0%
Description
Working on samba integration. In order to use the samba module which stores NT ACLs in xattrs, the security namespace/prefix needs to be opened up.
While it looks like 'security.NTACL' is most immediately necessary, other samba modules use other elements within the 'security.' namespace.
Updated by Sage Weil about 13 years ago
Do you mean with the kernel client? See fs/ceph/xattr.c,
static bool ceph_is_valid_xattr(const char *name)
{
return !strncmp(name, "ceph.", 5) ||
!strncmp(name, XATTR_SECURITY_PREFIX,
XATTR_SECURITY_PREFIX_LEN) ||
!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) ||
!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN);
}
Aside from that, I don't think there should be any restrictions on allowed xattrs... which means security.* should work today?
Updated by Brian Chrisman about 13 years ago
We were specifically thinking about implementing the samba-vfs/libceph connection. I had the impression this went through client/Client.h.
When I tested with a cfuse mount, it gave me op not supported on anything but user.*.
There were other issues as well, of which this was just one.
Though for now we can test ACLs with the kernel client underlying samba with just the vfs_xattr module.
Updated by Brian Chrisman about 13 years ago
This brings up a question about how tightly we can link the kernel client and libceph/cfuse/other-clients to prevent divergence in code?
What other applications are expected to exercise the object interface or libceph?
Updated by Greg Farnum about 13 years ago
Yes, libceph goes through the Client.
Unfortunately, the uClient and the kclient are presently not linked at all -- they implement the same communications protocol but their base components (message handling, etc) are so different that I don't think there's really not a good way to link them.
Anything not in the kernel should be built either on top of Client or libceph, though, so those will all have the same internal workings! At present we don't have a lot of libceph users -- there's a (merged) Hypertable client and an (unmerged) Hadoop client but that's all I know of. The object interface is used by everything talking to RADOS, though -- librados is build on the objecter; the MDS uses the Objecter; the Client uses the Objecter...
Updated by Brian Chrisman about 13 years ago
I'd like to implement the same code from the kernel client as mentioned above.
However, to use those macro definitions I'd need to include a kernel header file, which would create a ceph-compile dependency on kernel headers.
There doesn't seem to be any standard system headers which define these.
Updated by Sage Weil about 13 years ago
- Target version set to v0.27
- Translation missing: en.field_position set to 543
Updated by Sage Weil about 13 years ago
- Translation missing: en.field_story_points set to 1
- Translation missing: en.field_position deleted (
559) - Translation missing: en.field_position set to 342
Updated by Sage Weil about 13 years ago
- Translation missing: en.field_story_points changed from 1 to 0
- Translation missing: en.field_position deleted (
342) - Translation missing: en.field_position set to 342
Updated by Sage Weil about 13 years ago
- Translation missing: en.field_position deleted (
347) - Translation missing: en.field_position set to 8
Updated by Greg Farnum about 13 years ago
- Status changed from New to Resolved
Believe the patch from last week fixed this.