>>>>> "pbh" == Paul B Henson <hen...@acm.org> writes:
pbh> the inability to apply an ACL to a file kind of sucked.

It was not a stupid limitation: You can still apply simple, easily-understood UNIX ACL's to files because the separate rulespaces are ANDed together, but if you want baroque if-OR-then set-theory math spaghetti you get to do it at most once per directory so it's harder for people to forget to what rules they're subject, and it's not so impractical or information-overload to display the rules along with a list of files, like it is now where individual files need retarded and difficult-to-parse-with-standard-tools multi-line stanzas or modal dialog boxes to fully specify their access rules.

Also, the rights that make sense for directories and files are not the same sets of rights, so the AFS way your messy ACL's only need to invent one set of rights (the directory kind) and we needn't bother pondering what list of rights make sense for files. However NFSv4 ACL's wanted to be Windows-compatible, so this must not have been an option.

Anyway, whether Unix ACL's are a projection of complicated ACL's like Solaris's Windows-compatible ones, or a parallel independent system like AFS was, is a completely separate decision from whether or not files are allowed to have complicated ACL's, too, or only directories.

I've said before I think your Samba use-case is way too specific: if you can really fix your whole problem by commenting out one line and you don't care about anything else, then do it and STFU. If you can't make a simple fucking one-line change without causing all kinds of management drama, then complain validly that you can't currently get both source code and paid support so where is the open in opensolaris and why should you pay, which is just business and nothing to do with design, instead of badgering persistently to flip this one line of source in the direction you like without solving anything real.

Architecturally, we should be interested in something more general, should we not? And it sounds like you are. It's just sad because it feels like PHP, x86, HTML email and ``forums'', FCoE, all this other crap that sounds nice to fresh people ignorant of the history: pandering to rabble that just wants what they want and won't think things through or imagine an alternate reality fully instead of just the immediate itches it causes. And I think these NFSv4 ACL's are the worst kind of rabble-pandering.

But, in spite of how it feels I'm mostly wrong here! This should not be the goal of ACL's: the real result of the AFS experiment was, ``no one competent cares about ACL's that much. only stupid windows admins are obsessed with them, and they always set them wrong anyway---they just like fiddling with all the knobs and bragging about what they wrongly think the ACL's are doing.'' and secondly ``cross-domain Kerberos == tl;dr''. so we're not trying to design the ultimate post-Unix ACL system that respects our tradition without becoming bogged down with brittle half-solutions, like I wish we were doing---that debate died with the lack of interest in AFS. With NFSv4 acl's we're just trying (failing so far imho but not w/o hope) to accommodate windows brain-damaged crappo without making the shell into a second-class interface or breaking basic maintainability like backups and subtree copies. The real lesson of history is that hoping for anything more is just going in circles.
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss