
Access Has No User Credentials

Open amarcionek opened this issue 6 years ago • 3 comments

According to both the V3 and V4 RFCs, the function access() is supposed to check the requested permissions against the permissions on the object, considering the user in the request. The current definition of access in VirtualFileSystem does not have any user (Subject?). Is this intentional?

amarcionek, Dec 19 '18 20:12

The Subject is taken from the credentials of the issued RPC request. However, we can update the access method to accept a subject as well, if you have a good reason to have it.

kofemann, Dec 19 '18 21:12

I believe it's required to have access to the caller's RPC credentials; otherwise, how would you know which part of the object's mode (user, group or other) to apply to the requested access flags?

We actually have a fork where we are doing that currently. Effectively, we added Subject to the VirtualFileSystem interface for access and then extracted it out of the call via call$.getCredential().getSubject() in OperationOPEN, OperationACCESS and NFSPROC3_ACCESS_3. I'm happy to submit a PR.

However, how would you like to handle backwards compatibility? Make Subject an Optional<Subject>? I'd hate to break compatibility for people.

amarcionek, Dec 19 '18 22:12

One option would be to add a new method and deprecate the old one. After two major releases the deprecated one can be deleted, somewhere around 0.21.x.

kofemann, Dec 23 '18 10:12
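
The question raised in the thread (which part of the mode applies to the caller) as an added example; this is not nfs4j code and not from either participant's fork. It uses only the JDK's `Subject` and Unix principal classes; the class and method names are hypothetical, and it assumes plain mode bits with no ACLs and no root override.

```java
import javax.security.auth.Subject;
import com.sun.security.auth.UnixNumericGroupPrincipal;
import com.sun.security.auth.UnixNumericUserPrincipal;

// Added illustration; SubjectAccessCheck and its methods are hypothetical names.
public class SubjectAccessCheck {
    // ACCESS3_* bit values from RFC 1813 (NFSv3 ACCESS procedure).
    static final int READ = 0x01, LOOKUP = 0x02, MODIFY = 0x04,
                     EXTEND = 0x08, DELETE = 0x10, EXECUTE = 0x20;

    /** Returns the subset of 'requested' allowed by the caller's mode-bit class. */
    static int access(Subject caller, int mode, long ownerUid, long ownerGid,
                      boolean isDir, int requested) {
        boolean isOwner = caller.getPrincipals(UnixNumericUserPrincipal.class)
                .stream().anyMatch(p -> p.longValue() == ownerUid);
        boolean inGroup = caller.getPrincipals(UnixNumericGroupPrincipal.class)
                .stream().anyMatch(p -> p.longValue() == ownerGid);
        // Exactly one rwx triplet applies: owner, else group, else other.
        // An owner never falls through to a more permissive group triplet.
        int rwx = isOwner ? (mode >> 6) & 7 : inGroup ? (mode >> 3) & 7 : mode & 7;

        int granted = 0;
        if ((rwx & 4) != 0) granted |= READ;
        if ((rwx & 2) != 0) granted |= MODIFY | EXTEND | (isDir ? DELETE : 0);
        if ((rwx & 1) != 0) granted |= isDir ? LOOKUP : EXECUTE;
        // ACCESS reports what is permitted rather than failing the call.
        return granted & requested;
    }

    /** Builds a Subject the way an AUTH_SYS credential would be represented. */
    static Subject unixSubject(long uid, long gid) {
        Subject s = new Subject();
        s.getPrincipals().add(new UnixNumericUserPrincipal(uid));
        s.getPrincipals().add(new UnixNumericGroupPrincipal(gid, true));
        return s;
    }

    public static void main(String[] args) {
        int mode = 0460; // constructed sample: owner r--, group rw-, other ---
        int want = READ | MODIFY | EXTEND | EXECUTE;
        long ownerUid = 1000, ownerGid = 100;
        Subject owner = unixSubject(1000, 100);   // owner, also in the group
        Subject member = unixSubject(2000, 100);  // group member only
        Subject other = unixSubject(3000, 300);   // neither
        System.out.println("owner:  " + access(owner, mode, ownerUid, ownerGid, false, want));
        System.out.println("member: " + access(member, mode, ownerUid, ownerGid, false, want));
        System.out.println("other:  " + access(other, mode, ownerUid, ownerGid, false, want));
    }
}
```

Without the caller's Subject, none of the three cases can be told apart, so any single answer from `access` is wrong for at least two of them.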