Faking it: step 2: relaxed NFSv4->POSIX mapping
Requirements:
- Server should accept (almost) any NFSv4 ACL.
- "If a server receives a SETATTR request that it cannot accurately
implement, it should error in the direction of more restricted
access."
Algorithm outline:
- Process the NFSv4 ACL as the file owner, find the minimum
permissions it must grant that owner.
- Repeat for each named user.
- Repeat for a hypothetical member of the owning group that isn't the file
owner or one of the named users.
- Repeat similarly for each named group.
- Repeat for a user not the file owner or any named user, and not a
member of the file group or any named group.
- Assemble resulting permissions into a POSIX ACL.
Result:
- Simpler code
- Reasonable results for simple NFSv4 ACLs
Also:
- Allows transition to full NFSv4 ACL support on the client.
What have we learned?