>>
>> - The fabricated (Posix Draft) ACL may be very different from the
>>   legitimate (NFSv4-style) ACL that exists on the server. Note that
>>   the fabricated ACL is based solely on the mode of the file which
>>   can't represent all the information in the legitimate ACL.
>
> Could the fabrication technique be changed to take the NFSv4 ACL into
> account? The resulting POSIX-Draft ACL could potentially be a much
> better approximation of the original. In many cases, they would have
> identical semantics. One question to investigate is how frequent and
> severe the mismatch cases are.
>
> A possibility the proposal doesn't mention is trying to fabricate a
> semantically equivalent ACL and forcing the request to fail only when
> that's not possible.
>
Hi Glenn,

The problem with returning an error from NFSv2/v3 servers without doing
ACL fabrication was that it caused vn_createat() to fail on the client.
ACL fabrication was introduced in the NFSv2/v3 server to fix this
problem on the client. This was the real intent of fabricating ACLs in
the first place.

The problem of vn_createat() failing has now been fixed in the Nevada and
Solaris 10 code.

http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/fs/vnode.c#1349

With this fix on the client side, ACL fabrication has become redundant
on the server. However, the fix on the client has not been backported to
Solaris 9 and lower releases. Older versions of the Solaris client will
fail if the ACL fabrication code on the server is removed. Moreover,
other NFS vendors might now be relying on this behavior, and removing
ACL fabrication will make interoperability fail.

The best would have been to remove ACL fabrication completely, but for
the reasons stated above this is going to be risky. Hence the safest
approach of making this a share option.

Improving ACL fabrication and making it do a better job of approximating
the NFSv4 ACL will still have the following problem:

>>
>> - The user could retrieve the fabricated ACL on the client and attempt
>>   to perform some operation only to be denied when the "real" ACL is
>>   evaluated on the server.

Thanks.
-Vallish
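
The mismatch discussed in this thread can be shown with a small model. This is an added example, not part of the original messages and not Solaris code: the file, ACEs, users, the simplified NFSv4 evaluation and the mask handling are all assumptions constructed for illustration.

```python
# Simplified model, constructed for illustration; not Solaris or ZFS source.
R, W, X = 4, 2, 1

# Constructed sample file, NFSv4-style ACL (ordered ACEs) and users.
FILE = {"owner": "bob", "group": "staff", "mode": 0o640}
ACES = [("deny", "user:carol", R), ("allow", "user:alice", R),
        ("allow", "owner@", R | W), ("allow", "group@", R)]
USERS = {"bob": {"staff"}, "carol": {"staff"}, "dave": {"staff"}, "alice": {"ops"}}

def fabricate_from_mode(mode):
    """POSIX-draft ACL derived from the mode bits alone."""
    group = (mode >> 3) & 7
    # Assumption: the mask (class_obj) simply mirrors the group bits.
    return {"user_obj": (mode >> 6) & 7, "group_obj": group,
            "class_obj": group, "other_obj": mode & 7}

def posix_allows(acl, user, groups, f, want):
    """Decision a client would predict from the fabricated ACL."""
    if user == f["owner"]:
        perms = acl["user_obj"]
    elif f["group"] in groups:
        perms = acl["group_obj"] & acl["class_obj"]
    else:
        perms = acl["other_obj"]
    return (perms & want) == want

def nfsv4_allows(aces, user, groups, f, want):
    """Walk ACEs in order; each requested bit is settled by the first ACE naming it."""
    pending = want
    for kind, who, mask in aces:
        if not (who == "everyone@"
                or (who == "owner@" and user == f["owner"])
                or (who == "group@" and f["group"] in groups)
                or who == "user:" + user
                or (who.startswith("group:") and who[6:] in groups)):
            continue
        if kind == "deny" and (mask & pending):
            return False
        if kind == "allow":
            pending &= ~mask
        if not pending:
            return True
    return False

def mismatches(f, aces, users, want):
    """Map user -> (view from fabricated ACL, server decision) where they differ."""
    fab = fabricate_from_mode(f["mode"])
    views = {u: (posix_allows(fab, u, g, f, want), nfsv4_allows(aces, u, g, f, want))
             for u, g in users.items()}
    return {u: v for u, v in views.items() if v[0] != v[1]}

if __name__ == "__main__":
    print(mismatches(FILE, ACES, USERS, R))
```

The per-user ACEs are invisible in the mode, so the fabricated ACL is wrong in both directions: it predicts read access for carol that the server refuses, and hides access that alice actually has.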