A common VFS and a Common conf-system [Part II]
Waldo Bastian
bastian at kde.org
Tue Mar 1 19:03:18 EET 2005
On Tuesday 01 March 2005 16:48, Sean Middleditch wrote:
> As promised, here's some more notes/ideas. Still dead tired due to only
> four hours of sleep, but maybe I won't babble too uselessly.
First of all thanks for your efforts in this area. It's refreshing to see some
ideas that actually make sense when it comes to vfs.
> My original idea was to *NOT* have the backends run in the library or
> host app itself, but instead to have a per-user daemon that handled all
> of the actual VFS work, and then the library would simply be an API that
> made it easy for an app to talk to the daemon.
Yes, I think this is a good approach. We may want to put some thought in
whether we would want to have a single-threaded daemon process, a
multi-threaded daemon or a single process deamon with additional worker
processes.
> That said, the daemon itself should be an implementation detail of the
> library. Users of the library should not be forced to even consider
> whether there's a daemon doing the real work or not; all they should
> think about is their app. Additionally, there are backends where the
> daemon might not make a lot of sense, or cases where admins or
> developers might prefer in-process backends over the daemon.
ClearCase and I believe also SELinux may present the application process with
a slightly different environment in comparison with the daemon process, in
such cases in-process (or at least forking off from the application process)
may be needed.
> The differentiation between not-supported and default has an interesting
> possibility. Many VFS operations are in truth specialized combination
> of other operations. Move could be implemented as a copy followed by a
> delete. Copy could be implemented as a read from the source to a write
> to the destination. In many cases, a backend can be provide a more
> efficient version - network file systems often have a copy or move
> operation that doesn't need any round trips to the client and can
> possibly use fast-paths on the server like the rename syscall.
There will also be cases of "partially supported". E.g. a ftp backend will be
able to provide "copy" functionality if the host and user credentials are the
same for source and destination, other backends may even be able to copy
between different hosts (and skip the current machine altogether).
In order to be more efficient (think highspeed networks) it may also be worth
to support "copy to file" and "copy from file" in the backend so that you
don't need to pass the data around to another process or in buffers, but can
use something like sendfile().
In KDE we have ".protocol" files that list capabilities that describes certain
operations that a protocol supports. We also have the vtable like approach
where methods can return "not supported" and then we do something else. The
default implementation returns "not supported" everywhere. In KDE the main
reason for the capabilities is that we wanted to extend existing behavior in
a compatible way. E.g. originally we only called the "copy" method if host
and user credentials match between source and destination. We can't then just
start calling the "copy" method for copies between different hosts because
the existing backends will not be expecting that and may fail to handle such
situation correctly. With a capability the backend can indicate that it can
support such copies and we will be able to feed a backend only those kind of
copy operations that it will actually be able to support.
Bottom line:
* We should plan for different gradations of "support".
* vtables alone are most likely too rigid for that.
* Some form of capabilities (a method that returns the capabilities?) would be
useful.
I wonder if there is truly a need for both "not supported" and "use default
method". Is there a case where you would want to return "not supported" if
there was a default method available? In KDE we only have "not supported" and
we interpret that as "use default method" the end result automatically
becomes "not supported" if we run out of default methods.
> However, some backends don't have the ability to provide those services,
> or developers of backends may not have the time or inclination to write
> code for those operations. In these cases, I think it would be best
> that the library provide default versions of the operations that
> aggregate simpler operations. The default move function would do copy
> and delete. The default copy operation would start up a read/write pair
> and essentially stream the file to the second copy.
Yes, that what we do in KDE (in kdelibs/kio/kio/jobs.cpp to be precise).
Having read/write/delete is enough to do move :-) Or get/put/delete as its
called in KDE (showing the original focus on http)
> A final cool feature that the library can handle would be interactivity.
> The biggest use-case here is authentication information. Again, I
> believe it best that a daemon be used such that the individual apps
> don't have to handle the GUI, or have access to the information entered
> into the GUI (like passwords).
>
> The D-VFS daemon could get a request to access, say,
> http://idisk.mac.com. That requires authentication. It uses D-BUS to
> ask the authentication helper to ask for a username and password for the
> URI. User enters it, it gets sent to the daemon, access continues. Due
> to the asynchronous nature of the client-side API, the application sees
> no difference between waiting for authentication and a really slow
> network connection.
Yes, this is the approach that we do in KDE basically. Our backends ask a
central deamon for a password and the daemon then either fetches it from the
keyring, from local cache or it pops up a dialog. Since we use multiple
processes for our backends in KDE, we need a local cache to store
authentication information so that we don't need to popup multiple dialogs if
two different backend processes access the same site as part of the same
operation. (Typical example: fetching a html page and its css style sheet)
And you also need a way for the backend to say to the authentication daemon
"that last password that you gave me doesn't work"
(This is a problem with FTP sites btw, where it's hard to decide whether the
password is wrong or the FTP site has reached some sort of limit)
> We can take this a step further, though, if desired. Look back to the
> idea above about restricting what apps can do and access to sensitive
> data. Sure, with a daemon, we can be sure that Malicious App Foo can't
> get my password for idisk.mac.com, but it can still grab, delete, or
> edit files there. With interactivity, we can specify that apps outside
> of /usr must get user permission to access shares; maybe even that apps
> in, say, /tmp are just flat out denied.
Is it possible for the daemon to reliably establish the executable path of the
connecting process?
Cheers,
Waldo
--
bastian at kde.org | Free Novell Linux Desktop 9 Evaluation Download
bastian at suse.com | http://www.novell.com/products/desktop/eval.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.freedesktop.org/archives/xdg/attachments/20050301/83e3c4bd/attachment.pgp
More information about the xdg
mailing list