On Tue, Dec 05, 2006 at 03:44:31PM -0600, Rob Ross wrote:
quoted text
> The openg() really just does the lookup and permission checking). The 
> openfh() creates the file descriptor and starts that context if the 
> particular FS tracks that sort of thing.

...

quoted text
> Well you've caught me. I don't want to cache the values, because I 
> fundamentally believe that sharing state between clients and servers is 
> braindead (to use Christoph's phrase) in systems of this scale 
> (thousands to tens of thousands of clients). So I don't want locks, so I 
> can't keep the cache consistent, ... So someone else will have to run 
> the tests you propose :)...

Besides the whole ugliness you miss a few points about the fundamental
architecture of the unix filesystem permission model unfortunately.

Say you want to lookup a path /foo/bar/baz, then the access permission
is based on the following things:

 - the credentials of the user.  let's only take traditional uid/gid
   for this example although credentials are much more complex these
   days
 - the kind of operation you want to perform
 - the access permission of the actual object the path points to (inode)
 - the lookup permission (x bit) for every object on the way to you object

In your proposal sutoc is a simple conversion operation, that means
openg needs to perfom all these access checks and encodes them in the
fh_t.  That means an fh_t must fundamentally be an object that is kept
in the kernel aka a capability as defined by Henry Levy.  This does imply
you _do_ need to keep state.  And because it needs kernel support you
fh_t is more or less equivalent to a file descriptor with sutoc equivalent
to a dup variant that really duplicates the backing object instead of just
the userspace index into it.

Note somewhat similar open by filehandle APIs like oben by inode number
as used by lustre or the XFS *_by_handle APIs are privilegued operations
because of exactly this problem.

What according to your mail is the most important bit in this proposal is
that you thing the filehandles should be easily shared with other system
in a cluster.  That fact is not mentioned in the actual proposal at all,
and is in fact that hardest part because of inherent statefulness of
the API.


quoted text
> What's the etiquette on changing subject lines here? It might be useful 
> to separate the openg() etc. discussion from the readdirplus() etc. 
> discussion.

Changing subject lines is fine.

-
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html