New ZFS "passthrough" ACL inheritance rules [PSARC/2008/231 FastTrack timeout 04/08/2008]

Alan M Wright amw at sun.com
Tue Apr 1 13:37:43 PDT 2008


Mark Shellenbaum wrote:
> Darren J Moffat wrote:
>> Mark Shellenbaum wrote:
>>> Darren J Moffat wrote:
>>>> Since this proposed behaviour is the default for ACLs on UFS why 
>>>> isn't it the default for ZFS too ?
>>>
>>> I'm more than willing to make this the default behavior for ZFS, but 
>>> it will affect POSIX compliance.  If that's alright with everyone then 
>>> I can change it to be the default.
>>
>> Would this be the one and only setting that means that a ZFS dataset 
>> wouldn't be in a POSIX compliant configuration by default ?  If it is 
>> then I would say it shouldn't be changed.  However if there are others 
>> then IMO the default ACL behaviour should be the one that matches 
>> NFSv4 and what people expect of ACLs regardless of what POSIX thinks.
>>
> 
> Let's leave the default as it is, and have the new inheritance behavior 
> only take place under "passthrough".  We can always change this later 
> with another fast track.
> 
>>
>>>>
>>>> Also shouldn't "secure" be "posix" because "secure" is subjective 
>>>> and relative.
>>>>
>>>
>>> secure is what it was called in the original ZFS ARC case.  I can 
>>> change it to "posix" if you want.  My only concern would be if users 
>>> have become accustomed to its present value.
>>
>> What about an alias ?
>>
> 
> How about I rename "secure" to "restricted" and have an alias for "secure".
> 
>   -Mark

Mark,

While you are doing this, would it be possible to get aliases for some
standard chmod settings?

For example, currently, to set FullControl we have:

	chmod A=everyone@:rwxpdDaARWcCos:fd:allow /pool/fs

For most people that probably requires use of the man page every time.
It would be nice if we could do:

	chmod A=everyone@:$FullControl:fd:allow /pool/fs

How about three aliases: $READ, $CHANGE, $FULLCONTROL

$Read:         read, execute, view properties/permissions
                (directory: list contents)
                Alias for: rxacR

$Change:       $Read, write, delete, modify properties/permissions
                (directory: add files/sub-directories)
                Alias for: rwxpdDaARWcC

$FullControl:  $Change, write-owner
                Alias for: rwxpdDaARWcCos

I'm not hung up on the dollar ($) prefix or the names but it would
be good to have something to make this easier than it is now.

Alan
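
The alias expansion proposed in the message above, sketched as a shell wrapper. This is an added example, not code from the thread or from chmod(1); the function names expand_alias, expand_ace and alias_delta are hypothetical, and the letter sets are copied from the message.

```shell
#!/bin/sh
# Hypothetical helpers: chmod(1) itself has no such aliases.

expand_alias() {
    # Case-insensitive: the message writes both $READ and $Read.
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        read)        printf 'rxacR' ;;
        change)      printf 'rwxpdDaARWcC' ;;
        fullcontrol) printf 'rwxpdDaARWcCos' ;;
        *)           return 1 ;;
    esac
}

expand_ace() {
    # Replace any ':'-separated field that starts with '$' by its letters.
    ace=$1 out=
    old_ifs=$IFS; IFS=:; set -f
    set -- $ace
    set +f; IFS=$old_ifs
    for field in "$@"; do
        case $field in
            \$*) perms=$(expand_alias "${field#?}") || {
                     echo "unknown alias: $field" >&2
                     return 1
                 }
                 field=$perms ;;
        esac
        out=${out:+$out:}$field
    done
    printf '%s\n' "$out"
}

alias_delta() {
    # Letters granted by alias $2 that alias $1 does not grant.
    base=$(expand_alias "$1") || return 1
    rest=$(expand_alias "$2") || return 1
    delta=
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first remaining letter
        rest=${rest#?}
        case $base in *"$c"*) ;; *) delta=$delta$c ;; esac
    done
    printf '%s\n' "$delta"
}

# Constructed sample input, taken from the chmod line in the message.
expand_ace 'everyone@:$FullControl:fd:allow'
```

alias_delta makes the step between levels visible when reviewing a grant: in the compact form, C is write_acl and o is write_owner, so $Change as listed already carries write_acl and $FullControl adds only o and s.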
