Metaacl
=======

Metaacls are a special form of ACLs which define the access to metadata.

Syntax
------

_meta/*/_metaacl_::
  Lists which metaoperations ('call') are allowed for an action as
  *user action type call meta constr* tuple.

  * A '\*' matches anything and a '!' in front of something reverses the match.
  * Any item in that list can be a comma separated sublist (without spaces).

  *user*::
    A user, group or role.
  *action*::
    The name of an action.
  *type*::
    The type in effect for the operation (path).
  *call*::
    The metacall to be executed (set, get, lookup, erase, ...).
  *meta*::
    The metadata type involved (without the leading \'_\').
  *constr*::
    An extra constraint:;;
    \* (all)::
      - No path check is done.
    exact::
      - Must exactly match the given metadata path.
    recursive::
      - Matches also the parent dirs (metalookup).
    deny::
      - Explicitly forbids access.

.Usage
==========================
Admin acl \* acl \*:: \
  -- Admins can acl-admin
Admin metaedit \* !metaacl,\* \*:: \
  -- Admins can edit any metadata except metaacls
Blacklisted \* \* \* deny:: \
  -- Anyone in group Blacklisted gets anything denied
\* create set \* exact:: \
  -- the 'create' action may set any metadata for the file it operates on
\* account * users recursive:: \
  -- the 'account' action has full access to the user account data
\* \* lookup !acl,!metaacl,!groups,!users,!roles,\* \*:: \
  -- anyone and any action may lookup any non-security-related metadata
==========================
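
The usage rules above, run through a small evaluator as an added example (this is not the project's own code; `field_matches`, `path_ok` and `check` are hypothetical names). It assumes the five-field form the usage examples use (user action call meta constr), left-to-right sublist matching, a matching deny overriding any allow, and exact/recursive read as checks of the metadata path against the path the action operates on.

```python
import posixpath

# Assumed 5-field form taken from the usage examples: user action call meta constr
RULES = [
    "Admin acl * acl *",
    "Admin metaedit * !metaacl,* *",
    "Blacklisted * * * deny",
    "* create set * exact",
    "* account * users recursive",
    "* * lookup !acl,!metaacl,!groups,!users,!roles,* *",
]

def field_matches(pattern, values):
    """Match one rule field against a set of candidate values."""
    items = pattern.split(",")
    for item in items:                      # assumed: sublist is read left to right
        negated = item.startswith("!")
        name = item[1:] if negated else item
        if name == "*" or name in values:
            return not negated              # '!' reverses the match
    return all(i.startswith("!") for i in items)  # only negations, none hit

def path_ok(constr, action_path, meta_path):
    """Assumed reading of the constraints as checks on the metadata path."""
    if constr == "*":
        return True                         # no path check
    if constr == "exact":
        return meta_path == action_path
    if constr == "recursive":               # action path or any parent directory
        path = action_path
        while path != meta_path:
            parent = posixpath.dirname(path)
            if parent == path:
                return False
            path = parent
        return True
    return False                            # unknown constraint: refuse

def check(principals, action, call, meta, action_path, meta_path, rules=RULES):
    """principals: the user's name plus groups and roles. Returns True if allowed."""
    allowed = False
    for rule in rules:
        user_p, action_p, call_p, meta_p, constr = rule.split()
        if not (field_matches(user_p, principals) and field_matches(action_p, {action})
                and field_matches(call_p, {call}) and field_matches(meta_p, {meta})):
            continue
        if constr == "deny":
            return False                    # assumed: a matching deny always wins
        allowed = allowed or path_ok(constr, action_path, meta_path)
    return allowed
```

With no matching rule the evaluator refuses access, so the final lookup rule is what opens non-security metadata to everyone, and its `!acl,!metaacl,!groups,!users,!roles` prefix is what keeps the security metadata closed.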