[illumos-Developer] revisiting aclmode options

Paul B. Henson henson at acm.org
Mon Jul 18 18:44:25 PDT 2011


Now that illumos has restored the aclmode option to zfs, I would like to 
revisit the topic of potentially expanding the suite of available modes. 
Some of you no doubt recall a fairly lengthy (and sometimes heated ;) ) 
discussion of this topic on the zfs-discuss mailing list a bit over a 
year ago; it looks like a fairly comprehensive thread archive is available at:

http://opensolaris.org/jive/thread.jspa?messageID=463237&#463237

The final outcome at the time was decided solely by Sun/Oracle as the 
arbitrator of OpenSolaris, and their decision was to simply remove 
aclmode entirely. The basis for that decision was not necessarily 
technical merit, nor lack of a need for such a feature, but quite simply 
a business case analysis -- they felt it would cost them less to support 
an operating system without that particular tuning knob.

It's obvious that decision didn't agree with the community, as evidenced 
by the re-addition of the option in the open source illumos. I'm hoping 
that the community might also be more willing to consider the technical 
merits of additional flexibility in the option and be more focused on 
providing functionality than on minimizing support costs :).

My basic premise is that there should be some way to effectively treat a 
zfs filesystem as ACL-only; while mode bits will most likely be needed 
for quite some time for backwards compatibility, they should be treated 
as a second-class citizen, reflecting as closely as possible the 
intention of the underlying ACL, but in a read-only fashion, with no way 
to destroy the underlying ACL by manipulating them.

I initially proposed two extensions to aclmode. First, "deny" -- any 
attempt to execute a chmod that would result in a change to the 
underlying ACL would fail with a permission denied error. Second, 
"discard" -- any attempt to execute a chmod that would result in a 
change to the underlying ACL, assuming it would otherwise succeed, would 
appear to succeed but not actually change the permissions.

Clearly, these types of modes could cause problems for certain 
scenarios. On the other hand, the existing modes also cause problems for 
certain scenarios. Ideally, an administrator would have the flexibility 
to choose which problems he prefers to deal with :). It would be really 
nice if the aclmode could be specified on a per object level rather than 
a per file system level, but that would be considerably more difficult 
to achieve 8-/.

If illumos would be willing to consider integrating a change like this, 
I would like to discuss the technical details and determine the best 
possible implementation.

Thanks...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768


