ZFS Acltype nfsv4 vs posix does it matter?

ralphbsz

Son of Beastie

Reaction score: 2,335
Messages: 3,233

Most people never use ACLs. Most people don't even understand how ACLs work. That includes many sys admins. The differences between Posix and NFSv4 are both massive (traditionally Posix was simply a subset of NFSv4, I don't think that's 100% true today), and subtle (in some cases, ACL entries that look the same in Posix and NFSv4 can have subtly different meaning, for example if you change the group of a file without adjusting the ACL). If you are running a large multi-user machine, you might care. Or if you are running a server that has production-level Windows clients (Windows is quite fond of ACLs). Otherwise, ignore it, and leave it at the default.

Same goes for EA = extended attributes. Most people ignore them, and rightfully should. Highly trained professionals can do wonderful things with them. I see ACLs and EAs as somewhat like chainsaws: If you are well trained, understand how they work (including the performance implications and unintended consequences), they are powerful. In some environments (such as professional forestry), they are necessary. For amateurs, they are neither needed nor safe.
 

chungy

Member

Reaction score: 33
Messages: 55

POSIX ACLs are an extremely simple extension of the typical Unix file modes. Rather than being limited to just one owner and group, you can set any number of them with privileges they normally wouldn't have. POSIX ACLs are only additive, they can never deny.

NFSv4 ACLs are a lot more complicated. They are designed as a superset of NTFS ACLs, with all kinds of permissions available pertaining to file creation, deletion, append, write, execute, metadata access, et al. ACLs can be set in both allow and deny modes per-user and per-group. They are extremely more complicated but also more powerful.
 
OP
Alain De Vos

Alain De Vos

Daemon

Reaction score: 640
Messages: 2,151

I suppose Windows does not implement posix acls but its own version ?
 

chungy

Member

Reaction score: 33
Messages: 55

Windows ACLs are a subset of NFSv4. Sun designed NFSv4 specifically to have 100% interoperability with Windows.
 

ralphbsz

Son of Beastie

Reaction score: 2,335
Messages: 3,233

I suppose Windows does not implement posix acls but its own version ?
I think Windows ACLs may even predate Posix ACLs. Remember, the Windows NT development was started by hiring a lot of people from Digital's VMS group, and NT got its own file system NTFS. The VMS file system has extensive ACLs (which I used to use), and that tradition was carried forward into NTFS, and from there into SMB and CIFS. I think the Posix committee ACLs came relatively late, in the late 90s, when there were already ACLs in production in various other file systems such as NTFS.

As chungy said, the NFSv4 ACL specification was deliberately intended to be a superset of Windows and Posix, because various Unix and storage system providers saw NFSv4 as a universal file serving platform, on which they could sell their products. A lot of NFSv4 came from Sun, whose big Solaris servers were the preferred Unix server of the day. Another big ingredient came from Panasas (and academia), for serving data in parallel for high performance. Now, whether today all of Windows ACLs can be 100% translated into NFSv4 ACLs, I'm no longer sure; one would have to ask some Samba implementation experts about that.

Another area where file service is different between Unix (Posix) and Windows is file locking (both access locking and byte range locking). So file servers that want to work with both Unix and Windows clients have to implement locking that is subtly incompatible between the two. Again, since most people don't use fine-grain locking in their day-to-day programming, this problem rarely surfaces.
 
Top