Access-based Enumeration (December 04, 2009)
Posted by user12612012 on Oracle Blogs
Published on Fri, 17 Jun 2011 08:21:53 -0700; indexed on 2011/06/20 16:32 UTC
Access-based Enumeration (ABE) is another recent addition to the Solaris CIFS Service, delivered in snv_124. Designed to be compatible with Windows ABE, which was introduced in Windows Server 2003 SP1, this feature filters directory listings according to the user browsing the directory: each user sees only the files and directories to which they have access. This can be used to implement an out-of-sight, out-of-mind policy, or simply to reduce the number of entries presented to each user so that files are easier to find in directories that contain a large number of them.
ABE is managed on a per-share basis by a new boolean share property called, as you might imagine, abe, which is described in sharemgr(1M). When set to true, ABE filtering is enabled on the share and directory entries to which the user has no access are omitted from the directory listings returned to the client. When set to false or not defined, no ABE filtering is performed on the share. The abe property is not defined by default.
Administration is straightforward, for example (the share property is set with zfs set, and sharemgr show confirms it):

    # zfs set sharesmb=abe=true,name=jane tank/home/jane
    # sharemgr show -vp
    zfs
        zfs/tank/home/jane nfs=() smb=()
              jane=/export/home/jane smb=(abe="true")
ABE is also supported via sharemgr(1M) and on smbautohome(4) shares.
Note that with ABE enabled, the fact that a file is visible in a share does not automatically mean that the user will always be able to open it. ABE decides visibility on read-attribute access: if a user has read attribute access to a file, ABE will show it, but the open will still be denied if that user lacks the permission required to open the file for reading or writing. The converse also holds: ABE only filters directory listings and is not an access control in itself, so an entry that is omitted from a listing is still protected only by its ACL when it is accessed directly by name.
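The following is an added example, not code from the original post or from the Solaris CIFS Service. It simulates the listing and open semantics just described: a constructed Share object with a boolean abe property, constructed per-file ACLs keyed by user, and the permission names READ_ATTRIBUTES, READ_DATA and WRITE_DATA, which are assumptions chosen to mirror the post's description. It shows that ABE filters the listing on read-attribute access only, that a listed file can still fail to open, and that a hidden file accessed by name is refused by its ACL rather than reported as missing.

```python
# Simulation of ABE listing semantics (added example; not Solaris CIFS code).
# Assumptions, all constructed for illustration: a share object with an 'abe'
# property, per-file ACLs keyed by user, and the permission names below.

READ_ATTRIBUTES = "read_attributes"   # visibility test used by the ABE filter
READ_DATA = "read_data"               # needed to open for reading
WRITE_DATA = "write_data"             # needed to open for writing


class Share:
    """A share holding one directory of entries, each with a constructed ACL."""

    def __init__(self, name, entries, abe=False):
        self.name = name
        self.entries = entries      # {filename: {user: set(permissions)}}
        self.abe = abe              # share property; not defined (False) by default

    def _perms(self, filename, user):
        return self.entries[filename].get(user, set())

    def list_dir(self, user):
        """Directory listing as returned to a client authenticated as `user`."""
        if not self.abe:
            return sorted(self.entries)                 # everyone sees everything
        return sorted(f for f in self.entries
                      if READ_ATTRIBUTES in self._perms(f, user))

    def open_file(self, user, filename, mode):
        """Open by name. ABE plays no part here: only the ACL decides."""
        if filename not in self.entries:
            return "ENOENT"
        needed = READ_DATA if mode == "r" else WRITE_DATA
        return "OK" if needed in self._perms(filename, user) else "EACCES"


# Constructed sample data: jane's home directory, shared as 'jane'.
JANE_HOME = {
    "budget.xlsx":    {"jane": {READ_ATTRIBUTES, READ_DATA, WRITE_DATA}},
    "team-notes.txt": {"jane": {READ_ATTRIBUTES, READ_DATA, WRITE_DATA},
                       "bob":  {READ_ATTRIBUTES}},          # visible, not readable
    "shared.txt":     {"jane": {READ_ATTRIBUTES, READ_DATA, WRITE_DATA},
                       "bob":  {READ_ATTRIBUTES, READ_DATA}},
}


def demo(abe):
    """Return what bob sees and can open on the share with abe set as given."""
    share = Share("jane", JANE_HOME, abe=abe)
    return {
        "listing": share.list_dir("bob"),
        "open_notes_r": share.open_file("bob", "team-notes.txt", "r"),
        "open_shared_r": share.open_file("bob", "shared.txt", "r"),
        "open_shared_w": share.open_file("bob", "shared.txt", "w"),
        "open_budget_r": share.open_file("bob", "budget.xlsx", "r"),
    }


if __name__ == "__main__":
    for abe in (False, True):
        print(f"abe={abe}: {demo(abe)}")
```

With abe=True, bob's listing shrinks to the two files on which he holds read-attribute access, team-notes.txt is listed but opens with EACCES, and budget.xlsx, although hidden from the listing, still answers EACCES rather than ENOENT when opened by name; the ACL, not the listing filter, is what protects it.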
We considered supporting ABE on NFS shares, as suggested by the name of PSARC/2009/375, but we ran into problems due to NFS client readdir caching. NFS clients maintain a common directory entry cache for all users, which not only defeats the intent of ABE but can lead to very confusing results. If multiple users are looking at the content of a directory with ABE enabled, the entries that get cached will depend on who looks at the directory first. Subsequent users may see files that ABE on the server would have filtered out or files may be missing because they were filtered out for the original user.
Although this issue can be resolved by disabling the NFS client readdir cache, this was deemed to be an unsuitable solution because it would create a dependency between a server share property and the configuration on all NFS clients, and there was the potential for differences in behavior across the various NFS clients. It just seemed to add unnecessary administration complexity, so we pulled it out.
References for more information:
PSARC/2009/246 ZFS support for Access Based Enumeration
PSARC/2009/375 ABE share property for NFS and SMB
6802734 Support for Access Based Enumeration