From 06376634604be21996508df33caa86bd6ebb78ad Mon Sep 17 00:00:00 2001
From: Gianmaria Del Monte
Date: Mon, 31 Jan 2022 15:05:20 +0100
Subject: [PATCH 1/4] Use sys.acl for files
---
 pkg/eosclient/eosbinary/eosbinary.go | 21 ++++-----------------
 1 file changed, 4 insertions(+), 17 deletions(-)
diff --git a/pkg/eosclient/eosbinary/eosbinary.go b/pkg/eosclient/eosbinary/eosbinary.go
index 0da98de2d6..185c905ea6 100644
--- a/pkg/eosclient/eosbinary/eosbinary.go
+++ b/pkg/eosclient/eosbinary/eosbinary.go
@@ -323,20 +323,9 @@ func (c *Client) AddACL(ctx context.Context, auth, rootAuth eosclient.Authorizat
 }
 sysACL := a.CitrineSerialize()
- args := []string{"acl"}
-
+ args := []string{"acl", "--sys"}
 if finfo.IsDir {
- args = append(args, "--sys", "--recursive")
- } else {
- args = append(args, "--user")
- userACLAttr := &eosclient.Attribute{
- Type: SystemAttr,
- Key: userACLEvalKey,
- Val: "1",
- }
- if err = c.SetAttr(ctx, auth, userACLAttr, false, path); err != nil {
- return err
- }
+ args = append(args, "--recursive")
 }
 // set position of ACLs to add. The default is to append to the end, so no arguments will be added in this case
@@ -387,11 +376,9 @@ func (c *Client) RemoveACL(ctx context.Context, auth, rootAuth eosclient.Authori
 }
 sysACL := a.CitrineSerialize()
- args := []string{"acl"}
+ args := []string{"acl", "--sys"}
 if finfo.IsDir {
- args = append(args, "--sys", "--recursive")
- } else {
- args = append(args, "--user")
+ args = append(args, "--recursive")
 }
 args = append(args, sysACL, path)
From f7f924c291a3b0bb252806b297f1539232a39b9a Mon Sep 17 00:00:00 2001
From: Gianmaria Del Monte
Date: Mon, 31 Jan 2022 15:33:44 +0100
Subject: [PATCH 2/4] Add changelog
---
 changelog/unreleased/eos-sys-acl-files.md | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/unreleased/eos-sys-acl-files.md
diff --git a/changelog/unreleased/eos-sys-acl-files.md b/changelog/unreleased/eos-sys-acl-files.md
new file mode 100644
index 0000000000..3836fa6830
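Review bot: Files shared before this change still hold their grant in `user.acl` together with `sys.eval.useracl=1` (the removed `else` branch in AddACL wrote exactly that pair), and nothing on the new side clears either attribute. The RemoveACL hunk has the same gap: with `args := []string{"acl", "--sys"}` it only edits `sys.acl`, so revoking an older share on a file would leave the `user.acl` entry in place, and EOS presumably keeps honouring it while the eval flag is set. Patches 3/4 and 4/4 also drop the `user.acl` parsing from `mapToFileInfo` and `fixupACLs`, so such leftover entries would no longer appear in `SysACL` and could not be audited from this client. I would migrate existing files in a one-off step, or at least record the requirement next to both `args` lines, e.g. `// files shared before this change may still hold grants in user.acl (sys.eval.useracl=1); they are not touched here and must be migrated to sys.acl`. Both function bodies start and end outside their hunks, so any cleanup elsewhere in AddACL or RemoveACL is not visible here.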
--- /dev/null
+++ b/changelog/unreleased/eos-sys-acl-files.md
@@ -0,0 +1,3 @@
+Enhancement: Use sys ACLs for file permissions
+
+https://github.com/cs3org/reva/pull/2494
\ No newline at end of file
From dbe2adb6ca2e4132c21a797856dc54593475cdbb Mon Sep 17 00:00:00 2001
From: Gianmaria Del Monte
Date: Thu, 3 Feb 2022 15:22:32 +0100
Subject: [PATCH 3/4] eosbinary: remove user.acl parsing
---
 pkg/eosclient/eosbinary/eosbinary.go | 16 ----------------
 pkg/eosclient/eosgrpc/eosgrpc.go | 1 -
 2 files changed, 17 deletions(-)
diff --git a/pkg/eosclient/eosbinary/eosbinary.go b/pkg/eosclient/eosbinary/eosbinary.go
index 185c905ea6..7976d858ed 100644
--- a/pkg/eosclient/eosbinary/eosbinary.go
+++ b/pkg/eosclient/eosbinary/eosbinary.go
@@ -1108,22 +1108,6 @@ func (c *Client) mapToFileInfo(kv, attrs map[string]string) (*eosclient.FileInfo
 return nil, err
 }
- // Read user ACLs if sys.eval.useracl is set
- if userACLEval, ok := attrs["sys."+userACLEvalKey]; ok && userACLEval == "1" {
- if userACL, ok := attrs["user.acl"]; ok {
- userAcls, err := acl.Parse(userACL, acl.ShortTextForm)
- if err != nil {
- return nil, err
- }
- for _, e := range userAcls.Entries {
- err = sysACL.SetEntry(e.Type, e.Qualifier, e.Permissions)
- if err != nil {
- return nil, err
- }
- }
- }
- }
-
 // Read lightweight ACLs recognized by the sys.reva.lwshare attr
 if lwACLStr, ok := attrs["sys."+lwShareAttrKey]; ok {
 lwAcls, err := acl.Parse(lwACLStr, acl.ShortTextForm)
diff --git a/pkg/eosclient/eosgrpc/eosgrpc.go b/pkg/eosclient/eosgrpc/eosgrpc.go
index 8cd4c62b6a..64b5dc6a00 100644
--- a/pkg/eosclient/eosgrpc/eosgrpc.go
+++ b/pkg/eosclient/eosgrpc/eosgrpc.go
@@ -49,7 +49,6 @@ import (
 const (
 versionPrefix = ".sys.v#."
 // lwShareAttrKey = "reva.lwshare"
- userACLEvalKey = "eval.useracl"
 )
 const (
From 389787623effedd8c5cce5971f6a2bd9f361c796 Mon Sep 17 00:00:00 2001
From: Gianmaria Del Monte
Date: Thu, 3 Feb 2022 10:40:06 +0100
Subject: [PATCH 4/4] eosgrpc: remove user.acl parsing
---
 pkg/eosclient/eosbinary/eosbinary.go | 1 -
 pkg/eosclient/eosgrpc/eosgrpc.go | 16 ----------------
 2 files changed, 17 deletions(-)
diff --git a/pkg/eosclient/eosbinary/eosbinary.go b/pkg/eosclient/eosbinary/eosbinary.go
index 7976d858ed..e77bf8472b 100644
--- a/pkg/eosclient/eosbinary/eosbinary.go
+++ b/pkg/eosclient/eosbinary/eosbinary.go
@@ -45,7 +45,6 @@ import (
 const (
 versionPrefix = ".sys.v#."
 lwShareAttrKey = "reva.lwshare"
- userACLEvalKey = "eval.useracl"
 )
 const (
diff --git a/pkg/eosclient/eosgrpc/eosgrpc.go b/pkg/eosclient/eosgrpc/eosgrpc.go
index 64b5dc6a00..eec5cf89af 100644
--- a/pkg/eosclient/eosgrpc/eosgrpc.go
+++ b/pkg/eosclient/eosgrpc/eosgrpc.go
@@ -501,22 +501,6 @@ func (c *Client) fixupACLs(ctx context.Context, auth eosclient.Authorization, in
 }
 }
- // Read user ACLs if sys.eval.useracl is set
- if userACLEval, ok := info.Attrs["sys."+userACLEvalKey]; ok && userACLEval == "1" {
- if userACL, ok := info.Attrs["user.acl"]; ok {
- userAcls, err := acl.Parse(userACL, acl.ShortTextForm)
- if err != nil {
- return nil
- }
- for _, e := range userAcls.Entries {
- err = info.SysACL.SetEntry(e.Type, e.Qualifier, e.Permissions)
- if err != nil {
- return nil
- }
- }
- }
- }
-
 // We need to inherit the ACLs for the parent directory as these are not available for files
 if !info.IsDir {
 parentInfo, err := c.GetFileInfoByPath(ctx, auth, path.Dir(info.File))