[All] Share-jail folder to contain all the accepted shares #7
Comments
|
@labkode Do you already have a server setup with those permissions? |
|
@michaelstingl no, we need your input from the sync client team to understand what PROPFIND permissions are expected from the client to mimic such behaviour. Maybe @TheOneRing and @ogoffart can help here. |
|
https://stackoverflow.com/questions/31708957/how-to-make-file-read-only-when-exposed-through-webdav In regards of "needs" to happen. We disagree with quite some of the needs. Please also check how ownCloud Server works today when a /Shared folder is enforced. Which was the default till 9.0 or so and sharing 2.0 implementation. For migrations the oCIS storage shouldn't behave too different and different design choices need great reasons. What does the CS3 API deliver us in regards of read-only markers which we could then at least set client-side? |
|
The desktop client tries to detect a MOVE on the local machine. When we detect a deleted file an a created file we even try to correlate them by checksum inode and magic to reconstruct the MOVE. Yet, in corner cases the client might send a PUT / upload and DELETE as a fallback. How the server treats the DELETE depends on the folder semantics. If it it is the MYSHARES folder I think we are unsharing the share. Which would prevent redownloading of shared files ... @labkode we could prevent unsharing by deleting the entry in the MYSHARES folder. In posix if a folder is readonly, you cannot add, rename or delete children in it. Which translates to not being able to send a DELETE to any MYSHARES/child. might be an option ... then unsharing would need a dedicated endpoint ... og in the sharing api ... like rejecting the share again ... |
|
Furthermore, looking at the above list it reads as if you are triggering the actions in the web ui ... with the question how the clients will then behave. If so we should seperate the three scenarios, because mobile might be different again ... well come to think of it they should all be the same, however treating a DELETE as an unshare is a special case, because the desktop client might just detect that a file was locally deleted. should it then redownload or unshare? in theory it should be redownloaded. also renaming shares in expected, but the shared folder is actually read only so in theory shares cannot be renamed inside the MYSHARES folder. we need to clarify the semantics. because I think we cannot say the MYSHARES folder is readonly. I think we can only say the MYSHARES folder cannot be deleted. @labkode can we agree to start with that proposition: 'The MYSHARES folder cannot be deleted.'? |
|
second restriction: you cannot PUT files or folders there |
|
in theory we could use webdav references to create shares, see https://tools.ietf.org/html/rfc4437 which nobody implments anyway ... so we should just stick to the ocs sharing api |
|
Clients can deal with read-only folders.
|
|
Hi @butonic, calling read-only the "MyShares" folder is not what we expect from POSIX read-only, I don't have a better adjective to call it, maybe "special" shared folder. The restrictions are the ones explained in the issue description. |
|
@labkode Clear communication is important and I think we should find a good name for this kind of folder.
I would however not unshare all shares when the shared folder is deleted locally. That seems to be too drastic and it is hard to recreate all shares. So option 2 is what we should aim for. @michaelstingl the |
|
Yes I have to validate the behavior but I would expect that the propagation of changes should end after the MyShares delete failed, and not continue for files below that folder. |
I asked for test setup already in March (#7 (comment)) to validate such assumptions. @butonic invite for meeting/workshop for the next steps? |
|
@butonic I like the share jail, @TheOneRing @michaelstingl is important the desktop client handles in a smooth way these actions, for example deleting the share folder and re-creating it should trigger any red banner on the client, perhaps a notification to the user of what could happen (like when they deleted the entire folder). |
|
@michaelstingl this is part of OCIS with local filesystem and also with EOS. |
|
The testing of the Shares jail can be tested against: From the web UI you can use different users to share among them and test the behaviour. |
labkode
changed the title
|
@jnweiger could you test those scenarios 😃 |
|
Even if you could enforce the MYSHARES folder on the server, you can not on the client. On the client it will aways be possible to remove it, move stuff in and out and change it's permisison because it is local filesystem. Putting the discussed restrictions and rules has big potential to confuse users IMHO. Details: Putting files into the MYSHARES folderCould be ignored and end up in the "not synchronised" tab. Possible... But as a user I would wonder why that happens, and will be potential data loss. As @moscicki always says, all data that is not on the server, is potentially lost... Deleting and Renaming a shared folder in MYSHARESWould work as described and expected. Rename or delete MYSHARESThe proposed solution would appear to me as a kind of "zombi behaviour", as it shows up again and again after renaming. I think the local filesystem is owned by the user, and we should not try to restrict the users possibilities with it, as that will decrease the acceptance of the tool. I think the best solution would be to have the MYSHARES folder on the server, and if it is renamed locally, it is renamed on the server as well. But that would be very much the default behaviour as of today, and I am sure was already discussed. Adding this kind of behaviour to the sync client would make the sync code much more complex and add kind of arbitrary exceptions for the MYSHARES. We could find ways to present shares differently in the sync client GUI, but we can not get around the local filesystem. Also setting the MYSHARES folder to read only does not really solve that, as users will find ways... |
|
Answers inline:
This behaviour is already present in the client when accessing read-only shares. Users can do whatever they please on the local filesystem while the client is or is not running and the client guarantees a correct state. This behaviour has been in the client for long time and end-users are used to it. This is not a change of behaviour, only reducing it to happen on a particular folder rather to in an unbound number of them.
This could be doable and could match the user expectations, however, does the user want this local folder rename to be propagated also to other clients? Enforcing the MYSHARES folder naming ensures the folder is the same in any device. Allowing arbitrary share folders on the tree poses a significant performance penalty when propagating changes and reason why we had to not mount them in the user home. Having the folder living on depth-1, we limit this performance issue while allowing the users to access all the shares.
In the long run, having native support on the OS like the latest Dropbox that creates a virtual drive only when the application runs is much better strategy to control user behaviour, as the user only have access to the files when the app is active. Happy to discuss further and find other alternatives. |
|
Let's not get sidetracked. I'd love to show that jailing shares into a single folder still requires multiple writes and can be further optimized by caching the etag for all mount points - but we agreed to start with a What needs to be checked
Race conditions, heads up
|
|
I think the short conclusion is: Currently, by adding the read only With the new architecture in oCIS the limitations of the old share system being slow is going away, so some of the reason for having the shares in the jail is going away. IMHO we only can implement the jail idea properly if we go for a FUSE layer above the file system completely. That is currently not on the roadmap. |
|
@dragotin @micbar @labkode so how do we continue? We saw the sharing use case, but we still need to write down what to do. AFAICT the
That way, clients at cern, which already use the deskrop client branding option to jail the initial sync into @labkode Any objections? Do we need to migrate anything? IIRC you said the current plan is to go into production with the shares mounted at For the web ui we have owncloud/web#4248 @labkode does that work? What about android and iOS? Also ... this approach wont work for any other oc10 deployment unless a branded client with the initial |
|
FYI, please see this PR describing an API to query the available spaces for clients: owncloud/ocis#1827 |
|
DONE:
|
New special folder “MYSHARES”
CERNBox Share folder semantics
What needs to happen
MYSHARES folder should be marked as read/only, perhaps with some additional visual clue to indicate its special status.
Change content of the MYSHARES (ro) folder
PUTing files and directories directly at the top level of this folder should be rejected.MOVEinto the MYSHARES folder should be rejected.Q: what should happen with these local entries in MYSHARES?
DELETEa share should be fine and should be interpreted by the server as "unmounting" a share. This should be notified to the user with a Sync Client notification. Nothing inside the share should be removed.Q: what is the meaning of “unmounting share”? will it continue to be visible on the web UI and synchronized with other clients?
Rename a SHARE folder
It should be allowed to
MOVEa share folder within MYSHARES. In practice, doing this should mean that the share , for that user, changed name.Q: should the rename affect all the clients rather than just one? The rename should only affect the user mounting the share.
Move share to some other place outside the ro folder
MOVEing a share outside of MYSHARES should create a copy. It shouldn't prevent the sync client from re-downloading the same SHARE back. This would make it clear that the original share is still there, even though it created a copy in some other place.Q: should this create a re-download of the share or unshare?
Rename My Shares folder
MOVEing the MYSHARES folder should make a copy of all the files. But the original MYSHARES folder, and its SHAREs inside, should be re-downloaded again, signaling to the user that a copy was created but nothing changed in the original. Maybe a notification could be given, explaining that a copy was created but nothing else changed. At any point the MYSHARES folder should stay so the user can continue working with the shares.Race conditions, heads up
If there are files created inside this MYSHARES folder, we can't prevent that from happening? What should the system do in case a user created by hand some entries that will clash with the shares? Simple test, remove a SHARE folder and replace it with another one completely different.
Renaming/moving MYSHARES around: another behaviour to consider, sync client keeps track of it and simply uses this. The rename/move is only client side, operation is not propagated to server side.
The text was updated successfully, but these errors were encountered: