Access-based Enumeration (December 04, 2009)

Posted by user12612012 on Oracle Blogs. Published on Fri, 17 Jun 2011 08:21:53 -0700.

Access-based Enumeration (ABE) is another recent addition to the Solaris CIFS Service - delivered into snv_124.  Designed to be compatible with Windows ABE, which was introduced in Windows Server 2003 SP1, this feature filters directory content based on the user browsing the directory.  Each user can only see the files and directories to which they have access.  This can be useful to implement an out-of-sight, out-of-mind policy or simply to reduce the number of files presented to each user - to make it easier to find files in directories containing a large number of files.

ABE is managed on a per-share basis by a new boolean share property called, as you might imagine, abe, which is described in sharemgr(1M).  When set to true, ABE filtering is enabled on the share, and directory entries to which the user has no access are omitted from the directory listings returned to the client.  When set to false or not defined, no ABE filtering is performed on the share.  The abe property is not defined by default.

Administration is straightforward, for example:

# zfs set sharesmb=abe=true,name=jane tank/home/jane
# sharemgr show -vp
    zfs

       zfs/tank/home/jane nfs=() smb=()

          jane=/export/home/jane     smb=(abe="true")

ABE is also supported via sharemgr(1M) and on smbautohome(4) shares.
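The sharemgr(1M) output above is what an administrator would check to confirm ABE is on. The following is an added example, not code from the original post or from the Solaris CIFS Service: a small Python audit that parses `sharemgr show -vp` output (the format shown above) and lists SMB shares whose abe property is not "true". The sample output is constructed here; the second share (bob, with no abe property) is an assumption added to show the undefined-property case.

```python
import re
import sys

# Constructed sample in the format of `sharemgr show -vp` shown in the post.
# The "jane" share is the one from the post; "bob" is an assumed share with
# the abe property left undefined (the default).
SAMPLE_SHAREMGR_OUTPUT = """\
    zfs

       zfs/tank/home/jane nfs=() smb=()

          jane=/export/home/jane     smb=(abe="true")

       zfs/tank/home/bob nfs=() smb=()

          bob=/export/home/bob     smb=()
"""

# A share line looks like:  name=/path ... smb=(prop="value" ...)
# Group lines (e.g. "zfs/tank/home/jane nfs=() smb=()") have no "name=/path"
# token at the start and therefore do not match.
SHARE_LINE = re.compile(
    r'^\s*(?P<name>[^\s=]+)=(?P<path>/\S*)\s.*smb=\((?P<props>[^)]*)\)'
)
PROP = re.compile(r'(\w+)="([^"]*)"')


def parse_smb_shares(text):
    """Return {share_name: {'path': ..., 'abe': bool, 'props': {...}}}.

    'abe' is True only when the share carries abe="true"; a missing
    property or any other value means no ABE filtering on that share.
    """
    shares = {}
    for line in text.splitlines():
        m = SHARE_LINE.match(line)
        if not m:
            continue
        props = dict(PROP.findall(m.group('props')))
        shares[m.group('name')] = {
            'path': m.group('path'),
            'abe': props.get('abe', '').lower() == 'true',
            'props': props,
        }
    return shares


def shares_without_abe(text):
    """Names of SMB shares on which ABE filtering is not enabled."""
    return sorted(name for name, s in parse_smb_shares(text).items()
                  if not s['abe'])


if __name__ == '__main__':
    # Usage on a Solaris host:  sharemgr show -vp | python3 abe_audit.py
    # With no piped input the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHAREMGR_OUTPUT
    for name, share in parse_smb_shares(text).items():
        state = 'abe=true' if share['abe'] else 'ABE NOT ENABLED'
        print(f"{name:12} {share['path']:30} {state}")
    missing = shares_without_abe(text)
    sys.exit(1 if missing else 0)
```

The script exits non-zero when any SMB share lacks ABE, so it can be dropped into a periodic configuration check; it only inspects the share property and says nothing about the ACLs on the files themselves.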

Note that a file being visible in a share with ABE enabled does not automatically mean that the user will be able to open it.  If a user has read-attribute access to a file, ABE will show it, but access will still be denied if that user tries to open the file for reading or writing.

We considered supporting ABE on NFS shares, as suggested by the name of PSARC/2009/375, but we ran into problems due to NFS client readdir caching.  NFS clients maintain a common directory entry cache for all users, which not only defeats the intent of ABE but can lead to very confusing results.  If multiple users are looking at the content of a directory with ABE enabled, the entries that get cached will depend on who looks at the directory first.  Subsequent users may see files that ABE on the server would have filtered out or files may be missing because they were filtered out for the original user.

Although this issue can be resolved by disabling the NFS client readdir cache, this was deemed to be an unsuitable solution because it would create a dependency between a server share property and the configuration on all NFS clients, and there was the potential for differences in behavior across the various NFS clients.  It just seemed to add unnecessary administration complexity so we pulled it out.
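The two caveats above, that ABE is a visibility filter rather than an access control, and that a per-client directory cache shared across users defeats it, are easy to reason about with a small model. The following is an added example, not code from the original post or from the Solaris CIFS Service: the ACL model (a per-entry set of users holding read-attribute and read-data rights), the share, the client and all file names are constructed assumptions, chosen to show one file that is listed but cannot be opened, and a cached listing that leaks one user's view to the next.

```python
from dataclasses import dataclass


# Constructed, simplified ACL model (assumption, not the Solaris ACL format):
# each entry records which users may read its attributes and which may read
# its data. ABE filters listings on the former; opening needs the latter.
@dataclass(frozen=True)
class Entry:
    name: str
    read_attrs: frozenset
    read_data: frozenset


class AbeShare:
    """Server-side directory with optional ABE filtering of listings."""

    def __init__(self, entries, abe=True):
        self.entries = {e.name: e for e in entries}
        self.abe = abe

    def readdir(self, user):
        # With abe=true, entries the user cannot read attributes of are omitted.
        if not self.abe:
            return list(self.entries)
        return [e.name for e in self.entries.values() if user in e.read_attrs]

    def open_read(self, user, name):
        # Visibility does not grant access: the open is checked separately.
        entry = self.entries.get(name)
        if entry is None:
            raise FileNotFoundError(name)
        if user not in entry.read_data:
            raise PermissionError(f"{user} may not read {name}")
        return True


class SharedCacheClient:
    """Models an NFS-style client whose readdir cache is common to all users."""

    def __init__(self, server):
        self.server = server
        self.cache = {}

    def readdir(self, user, path='/'):
        # Whoever lists the directory first populates the cache for everyone.
        if path not in self.cache:
            self.cache[path] = self.server.readdir(user)
        return self.cache[path]


def build_share():
    """Constructed directory: two users, alice and bob, with mixed rights."""
    both = frozenset({'alice', 'bob'})
    return AbeShare([
        Entry('public.txt', both, both),
        Entry('alice-only.txt', frozenset({'alice'}), frozenset({'alice'})),
        Entry('bob-only.txt', frozenset({'bob'}), frozenset({'bob'})),
        # Attributes readable by both, data readable by nobody: listed, not openable.
        Entry('attrs-only.txt', both, frozenset()),
    ])


def smb_view(user):
    """Per-user listing as an SMB client (no shared cache) would receive it."""
    return build_share().readdir(user)


def visible_but_denied(user):
    """Names the user sees in the listing but cannot open for reading."""
    share = build_share()
    denied = []
    for name in share.readdir(user):
        try:
            share.open_read(user, name)
        except PermissionError:
            denied.append(name)
    return denied


def cached_views(first_user, second_user):
    """Listings two users get through one client with a shared readdir cache."""
    client = SharedCacheClient(build_share())
    return client.readdir(first_user), client.readdir(second_user)


if __name__ == '__main__':
    print('alice (SMB):', smb_view('alice'))
    print('bob   (SMB):', smb_view('bob'))
    print('listed but not openable by alice:', visible_but_denied('alice'))
    first, second = cached_views('alice', 'bob')
    print('bob via shared cache after alice:', second)
```

Running it shows bob, listing through the shared cache after alice, receiving alice-only.txt (which ABE on the server would have hidden from him) and not receiving bob-only.txt; the attrs-only.txt case shows why a listing entry must never be taken as evidence that the data is readable.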

References for more information

PSARC/2009/246 ZFS support for Access Based Enumeration

PSARC/2009/375 ABE share property for NFS and SMB

6802734 Support for Access Based Enumeration

6802736 SMB share support for Access Based Enumeration

Windows Access-based Enumeration
