ace

type ACE ¶

type ACE struct {
	// contains filtered or unexported fields
}

ACE represents an Access Control Entry, mimicing NFSv4 ACLs The difference is tht grant ACEs are not propagated down the tree when being set on a dir. The tradeoff is that every read has to check the permissions of all path segments up to the root, to determine the permissions. But reads can be scaled better than writes, so here we are. See https://github.com/cs3org/reva/pull/1170#issuecomment-700526118 for more details.

The following is taken from the nfs4_acl man page, see https://linux.die.net/man/5/nfs4_acl: the extended attributes will look like this "user.oc.grant.<type>:<flags>:<principal>:<permissions>"

*type*: will be limited to A for now

• A: Allow

  allow *principal* to perform actions requiring *permissions* In the future we can use:

• U: aUdit

  log any attempted access by principal which requires permissions.

• L: aLarm

  generate a system alarm at any attempted access by principal which requires permissions

• D: for Deny is not recommended

*flags*: for now empty or g for group, no inheritance yet

• d directory-inherit

  newly-created subdirectories will inherit the ACE.

• f file-inherit

  newly-created files will inherit the ACE, minus its inheritance flags. Newly-created subdirectories will inherit the ACE; if directory-inherit is not also specified in the parent ACE, inherit-only will be added to the inherited ACE.

• n no-propagate-inherit

  newly-created subdirectories will inherit the ACE, minus its inheritance flags.

• i inherit-only

  the ACE is not considered in permissions checks, but it is heritable; however, the inherit-only flag is stripped from inherited ACEs.

*principal* a named user, group or special principal

• the oidc sub@iss maps nicely to this

• 'OWNER@', 'GROUP@', and 'EVERYONE@', which are, respectively, analogous to the POSIX user/group/other

*permissions*

• r read-data (files) / list-directory (directories)

• w write-data (files) / create-file (directories)

• a append-data (files) / create-subdirectory (directories)

• x execute (files) / change-directory (directories)

• d delete - delete the file/directory. Some servers will allow a delete to occur if either this permission is set in the file/directory or if the delete-child permission is set in its parent directory.

• D delete-child - remove a file or subdirectory from within the given directory (directories only)

• t read-attributes - read the attributes of the file/directory.

• T write-attributes - write the attributes of the file/directory.

• n read-named-attributes - read the named attributes of the file/directory.

• N write-named-attributes - write the named attributes of the file/directory.

• c read-ACL - read the file/directory NFSv4 ACL.

• C write-ACL - write the file/directory NFSv4 ACL.

• o write-owner - change ownership of the file/directory.

• y synchronize - allow clients to use synchronous I/O with the server.

*TODO*

• implement OWNER@ as "user.oc.grant.A::OWNER@:rwaDxtTnNcCy"

*Limitations*

attribute names are limited to 255 chars by the linux kernel vfs, values to 64 kb
ext3 extended attributes must fit inside a single filesystem block ... 4096 bytes
that leaves us with "user.oc.grant.A::someonewithaslightlylongersubject@whateverissuer:rwaDxtTnNcCy" ~80 chars
4096/80 = 51 shares ... with luck we might move the actual permissions to the value, saving ~15 chars
4096/64 = 64 shares ... still meh ... we can do better by using ints instead of strings for principals

"user.oc.grant.u:100000" is pretty neat, but we can still do better: base64 encode the int
"user.oc.grant.u:6Jqg" but base64 always has at least 4 chars, maybe hex is better for smaller numbers
well use 4 chars in addition to the ace: "user.oc.grant.u:////" = 65535 -> 18 chars

4096/18 = 227 shares
still ... ext attrs for this are not infinite scale ...
so .. attach shares via fileid.
<userhome>/metadata/<fileid>/shares, similar to <userhome>/files
<userhome>/metadata/<fileid>/shares/u/<issuer>/<subject>/A:fdi:rwaDxtTnNcCy permissions as filename to keep them in the stat cache?

whatever ... 50 shares is good enough. If more is needed we can delegate to the metadata
if "user.oc.grant.M" is present look inside the metadata app.

*Notes*

• if we cannot set an ace we might get an io error. in that case convert all shares to metadata and try to set "user.oc.grant.m"

  what about metadata like share creator, share time, expiry?

• creator is same as owner, but can be set

• share date, or abbreviated st is a unix timestamp

• expiry is a unix timestamp

• can be put inside the value

• we need to reorder the fields: "user.oc.grant.<u|g|o>:<principal>" -> "kv:t=<type>:f=<flags>:p=<permissions>:st=<share time>:c=<creator>:e=<expiry>:pw=<password>:n=<name>" "user.oc.grant.<u|g|o>:<principal>" -> "v1:<type>:<flags>:<permissions>:<share time>:<creator>:<expiry>:<password>:<name>" or the first byte determines the format 0x00 = key value 0x01 = v1 ...

func FromGrant(g *provider.Grant) *ACE

func Unmarshal(principal string, v []byte) (e *ACE, err error)

func (e *ACE) Grant() *provider.Grant

func (e *ACE) Marshal() (string, []byte)

func (e *ACE) Principal() string