On 04/23/09 15:39, Nicolas Williams wrote:
> On Thu, Apr 23, 2009 at 03:35:32PM -0700, Alan M Wright wrote:
>> On 04/23/09 09:12, Nicolas Williams wrote:
>>> More to the point: if only the CIFS service has this feature then it
>>> follows that enabling ABE on a share ought to disable NFS service for
>>> that share as otherwise users could use NFS to defeat ABE.  At the very
>>> least this should be documented.
>> As a per share property, I don't think we need to document this
>> specifically.  Shares with ABE enabled will perform filtering,
>> shares that do not have ABE enabled will not perform filtering.
>>
>> For example, if you share the same directory twice over SMB but
>> only enable ABE on one of those shares, the same user would have
>> a different view based on the specific share being accessed.
> 
> What I meant was that if we don't have this feature in NFS then we
> should document that sharing with CIFS w/ ABE and NFS allows users to
> circumvent ABE by using NFS, that if you want ABE then you don't want
> NFS.

I understand but I don't think it's an exception because it applies
regardless of protocol.  Any share over any protocol that does not
enforce ABE will allow you to "bypass" ABE on other (ABE enabled)
shares of the same directory hierarchy.  Perhaps we can postpone
this point until I resolve the NFS support question.

>>> If I understand this case correctly the changes to the CIFS server to
>>> support ABE will be minor, and so should be the changes to the NFS
>>> server.  Did I understand correctly?
>> I would imagine that adding ABE support to NFS would be
>> straightforward because everything would be local, i.e. add the ability
>> to set the ABE share property and have the NFS service interrogate
>> that property for readdir requests.
>>
>> The CIFS service requires additional MSRPC work because the ABE
>> property can be managed remotely (via the MMC on Windows clients)
>> as well as locally via sharemgr, sharesmb etc.
>>
>> I'll talk to the NFS team about introducing NFS ABE support at the
>> same time as CIFS support.
> 
> Thanks.
> 
> The next question is whether it makes sense for ABE to be a share-level
> option or a dataset property or directory xattr.  I think the latter is
> more appropriate if CIFS and NFS will both support ABE...

We covered that in earlier discussion of this case.

Alan
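
The point debated in this thread, that any share without ABE exposes the unfiltered listing of a directory hierarchy that another share filters, can be checked mechanically. The following is an added example, not part of the original message or of any Solaris tooling; the `Share` record, the function names and the share inventory are all constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Share:
    name: str       # hypothetical share name
    protocol: str   # "smb" or "nfs"
    path: str       # directory being shared
    abe: bool       # True if this share filters listings with ABE


def overlaps(a: str, b: str) -> bool:
    """True if one path is the other, or an ancestor of the other.

    Compares whole path components, so /tank/projects-old is not
    treated as being inside /tank/projects.
    """
    pa, pb = PurePosixPath(a), PurePosixPath(b)
    return pa == pb or pa in pb.parents or pb in pa.parents


def find_abe_gaps(shares):
    """Return (abe_share, unfiltered_share, protocol) for every share
    without ABE that covers the same hierarchy as an ABE-enabled one."""
    gaps = []
    for filtered in (s for s in shares if s.abe):
        for other in shares:
            if not other.abe and overlaps(filtered.path, other.path):
                gaps.append((filtered.name, other.name, other.protocol))
    return sorted(gaps)


# Constructed inventory: one ABE share plus several shares without ABE.
SHARES = [
    Share("projects", "smb", "/tank/projects", True),
    Share("projects-all", "smb", "/tank/projects", False),   # same directory
    Share("projects-nfs", "nfs", "/tank/projects/", False),  # other protocol
    Share("tank-export", "nfs", "/tank", False),             # parent directory
    Share("archive", "smb", "/tank/projects-old", False),    # unrelated sibling
]

if __name__ == "__main__":
    for abe_share, other, proto in find_abe_gaps(SHARES):
        print(f"{abe_share}: unfiltered view available via {proto} share {other}")
```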

