Paul B. Henson
2008-Sep-11 01:35 UTC
[zfs-discuss] Apache module for ZFS ACL based authorization
We are currently working on a Solaris/ZFS based central file system to replace the DCE/DFS-based implementation we have had in place for over 10 years. One of the features of our previous implementation was that access to files regardless of method (CIFS, AFP, HTTP, FTP, etc) was completely controlled by the DFS ACL.

Our ZFS implementation will be available by NFSv4 and CIFS, both of which respect the ACL. To provide ZFS ACL-based authorization to files via HTTP, I put together a small Apache module. The module allows for files to be either delivered without authentication required (if they are world readable) or requires authentication and restricts file delivery to users with access based on the ACL.

If anyone is interested in taking a look at it, it is available from:

http://www.csupomona.edu/~henson/www/projects/mod_authz_fsacl/dist/mod_authz_fsacl-0.10.tar.gz

I'd appreciate any feedback, particularly about things that don't work right :).

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
Nicolas Williams
2008-Sep-11 17:20 UTC
[zfs-discuss] Apache module for ZFS ACL based authorization
On Wed, Sep 10, 2008 at 06:35:49PM -0700, Paul B. Henson wrote:
> I'd appreciate any feedback, particularly about things that don't work
> right :).

I bet you think it'd be nice if we had a public equivalent of _getgroupsbymember()...

Even better if we just had utility functions to do ACL evaluation for user-land apps.
Paul B. Henson
2008-Sep-11 17:36 UTC
[zfs-discuss] Apache module for ZFS ACL based authorization
On Thu, 11 Sep 2008, Nicolas Williams wrote:
> I bet you think it'd be nice if we had a public equivalent of
> _getgroupsbymember()...

Indeed, that would be useful in numerous contexts. It would be even nicer if the appropriate standards body added it alongside of the current getgr* functions to make it generally available on all systems.

> Even better if we just had utility functions to do ACL evaluation for
> user-land apps.

I vaguely recall asking about that sometime recently :).

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
Nicolas Williams
2008-Sep-11 17:43 UTC
[zfs-discuss] Apache module for ZFS ACL based authorization
On Thu, Sep 11, 2008 at 10:36:38AM -0700, Paul B. Henson wrote:
> On Thu, 11 Sep 2008, Nicolas Williams wrote:
>
> > I bet you think it'd be nice if we had a public equivalent of
> > _getgroupsbymember()...
>
> Indeed, that would be useful in numerous contexts. It would be even nicer
> if the appropriate standards body added it alongside of the current
> getgr* functions to make it generally available on all systems.

I'll ask around. I really don't understand why _getgroupsbymember() couldn't be made public.

> > Even better if we just had utility functions to do ACL evaluation for
> > user-land apps.
>
> I vaguely recall asking about that sometime recently :).

:)
Nicolas Williams
2008-Sep-11 20:38 UTC
[zfs-discuss] Apache module for ZFS ACL based authorization
On Thu, Sep 11, 2008 at 10:36:38AM -0700, Paul B. Henson wrote:
> On Thu, 11 Sep 2008, Nicolas Williams wrote:
> > I bet you think it'd be nice if we had a public equivalent of
> > _getgroupsbymember()...
>
> Indeed, that would be useful in numerous contexts. It would be even nicer
> if the appropriate standards body added it alongside of the current
> getgr* functions to make it generally available on all systems.

I've filed "PSARC/2008/574 Make _getgroupsbymember public" to take care of this.

I forgot to state that we would (I think) leave an alias by the old name just in case anyone is using it. I'll update the case.

Nico
--
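
The decision described in the first message (serve world-readable files without authentication, otherwise require a login and check the ACL), written as a user-land evaluator of the kind the thread asks for. This is an added example, not code from mod_authz_fsacl or from anyone in the thread; the struct layout, names and sample ACL are assumptions, and only a read bit is modelled.

```c
#include <stdio.h>

/* Simplified NFSv4-style ACE model; illustrative types, not Solaris's ace_t. */
enum who { OWNER, GROUP_OWNER, EVERYONE, USER, GROUP };
enum verdict { SERVE_ANON, SERVE_USER, NEED_AUTH, FORBIDDEN };
#define P_READ 1u
struct ace { enum who who; int id; int allow; unsigned mask; };
/* gids must be the user's complete group list, which the server resolves
 * itself (the lookup the thread wants _getgroupsbymember() for). */
struct cred { int uid; const int *gids; int ngids; };

static int in_groups(const struct cred *c, int gid) {
    for (int i = 0; i < c->ngids; i++) if (c->gids[i] == gid) return 1;
    return 0;
}
static int ace_matches(const struct ace *a, const struct cred *c, int fuid, int fgid) {
    if (a->who == EVERYONE) return 1;
    if (!c) return 0;                 /* anonymous matches only everyone@ */
    switch (a->who) {
    case OWNER:       return c->uid == fuid;
    case GROUP_OWNER: return in_groups(c, fgid);
    case USER:        return c->uid == a->id;
    case GROUP:       return in_groups(c, a->id);
    default:          return 0;
    }
}
/* Ordered evaluation: each wanted bit is settled by the first matching ACE
 * that names it; bits never mentioned end up denied. */
int acl_allows(const struct ace *acl, int n, const struct cred *c,
               int fuid, int fgid, unsigned want) {
    for (int i = 0; i < n && want; i++) {
        if (!(acl[i].mask & want) || !ace_matches(&acl[i], c, fuid, fgid)) continue;
        if (!acl[i].allow) return 0;  /* an undecided bit was denied */
        want &= ~acl[i].mask;         /* these bits are now granted */
    }
    return want == 0;
}
/* c == NULL means the request carries no authenticated user. */
enum verdict authorize(const struct ace *acl, int n, const struct cred *c, int fuid, int fgid) {
    if (acl_allows(acl, n, NULL, fuid, fgid, P_READ)) return SERVE_ANON;
    if (!c) return NEED_AUTH;
    return acl_allows(acl, n, c, fuid, fgid, P_READ) ? SERVE_USER : FORBIDDEN;
}
/* Constructed samples: deny uid 101, allow gid 20; and a world-readable ACL. */
static const struct ace SAMPLE[] = {{USER, 101, 0, P_READ}, {GROUP, 20, 1, P_READ}};
static const struct ace WORLD[]  = {{EVERYONE, 0, 1, P_READ}};
static const int GIDS[] = {20};
int main(void) {
    struct cred u = {102, GIDS, 1};
    printf("%d %d\n", authorize(SAMPLE, 2, &u, 100, 10), authorize(WORLD, 1, NULL, 100, 10));
    return 0;
}
```

An incomplete group list turns an allowed user into a denied one (or, with deny ACEs on groups, a denied user into an allowed one), which is why the server needs a reliable way to enumerate a user's groups.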