NAME

gfarm_attr — Gfarm Extended Attributes

DESCRIPTION

Every file and directory in a Gfarm filesystem can have extended attributes. Extended attributes are name:value pairs.

EXTENDED ATTRIBUTE NAMESPACES

Extended attributes whose names begin with the "gfarm." or "gfarm_root." prefix are treated specially by the Gfarm filesystem. General Gfarm users can freely use extended attributes whose names begin with the "user." prefix. XML extended attributes can have any name.

Everyone can get the "gfarm.*" extended attributes. The owner of the entry or members of the gfarmroot group can modify the "gfarm.*" extended attributes.

Users in the gfarmroot group, users listed in "gfarm_root.user" of the entry, and members of groups listed in "gfarm_root.group" of the entry can get/modify the "gfarm_root.*" extended attributes.

The "user.*" extended attributes can be read or modified according to the permissions of the entry (file or directory).

Symbolic links cannot have any extended attributes.

GFARM EXTENDED ATTRIBUTES

The following is a list of the extended attribute names used in Gfarm filesystem.

gfarm.ncopy

This is the number of file replicas to be created automatically. See the manual page of gfncopy(1) for more details.

gfarm.replicainfo

This is the attribute for automatic replication represented by host groups. See the manual page of gfncopy(1) for more details.

gfarm.acl_access

This is Access ACL (Access Control List).

gfarm.acl_default

This is Default ACL. Only directories can have/use this extended attribute.

gfarm.effective_perm

This is the user's effective permissions for a file. The value is read-only and is a combination of the bits for read (4), write (2) and execute (1).

gfarm_root.user

This is the list of user names who can have the privilege for the entry (file or directory). The names are separated by a new line (\n). This extended attribute is copied to a new entry (file or directory) from the parent directory (when the parent directory has this extended attribute).

gfarm_root.group

This is the list of group names who can have the privilege for the entry (file or directory). The names are separated by a new line (\n). This extended attribute is copied to a new entry (file or directory) from the parent directory (when the parent directory has this extended attribute).

SECURITY NOTES

When untrusted users are registered in the gfarm_root.{user,group} extended attributes of any file or directory, a security hole exists on any gfarm2fs mount point that root has mounted with the "-o suid,allow_other" option (even if the "-o ro" option or the "-o default_permissions" option is also specified). Therefore the "-o suid,allow_other" option and the gfarm_root.{user,group} extended attributes should not be used together.
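
A check for the mount condition described above, as an added example that is not part of the Gfarm documentation: it lists gfarm2fs mount points, read from /proc/mounts-format input, that were mounted by root with allow_other and without nosuid. It assumes such mounts appear with filesystem type "fuse.gfarm2fs" and the option "user_id=0"; the function names and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag gfarm2fs mounts matching the SECURITY NOTES condition.
# Assumptions: gfarm2fs mounts show up with type "fuse.gfarm2fs" (FUSE subtype
# taken from the program name) and mounts executed by root carry "user_id=0".

# risky_gfarm_mounts [FILE]
# Print the mount point of every gfarm2fs mount that was executed by root,
# has allow_other, and lacks nosuid (the effect of "-o suid,allow_other").
# "ro" and "default_permissions" are deliberately ignored, because the note
# says they do not close the hole. FILE defaults to /proc/mounts; "-" reads
# standard input.
risky_gfarm_mounts() {
    awk '
    $3 == "fuse.gfarm2fs" {
        n = split($4, opt, ",")
        root = 0; other = 0; nosuid = 0
        for (i = 1; i <= n; i++) {
            if (opt[i] == "user_id=0")   root = 1
            if (opt[i] == "allow_other") other = 1
            if (opt[i] == "nosuid")      nosuid = 1
        }
        if (root && other && !nosuid) print $2
    }' "${1:-/proc/mounts}"
}

# Constructed sample in /proc/mounts format (not taken from a real system).
sample_mounts() {
    cat <<'EOF'
gfarm2fs /gfarm/a fuse.gfarm2fs rw,relatime,user_id=0,group_id=0,allow_other 0 0
gfarm2fs /gfarm/b fuse.gfarm2fs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
gfarm2fs /gfarm/c fuse.gfarm2fs ro,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
gfarm2fs /home/u/g fuse.gfarm2fs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# Demonstration on the constructed sample: /gfarm/a and /gfarm/c are reported.
sample_mounts | risky_gfarm_mounts -
```

Run `risky_gfarm_mounts` with no argument on a host to inspect its live mounts; any path it reports should then be checked for entries carrying gfarm_root.user or gfarm_root.group.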

SEE ALSO

gfxattr(1), gfgetfacl(1), gfsetfacl(1), gfncopy(1)