Thanks for the review, Haohui. I'm attaching patch version 2 to show what this looks like when we keep permissions required.
Is it possible to simply ignore the value in removeAclEntries?
Yes, the logic currently ignores it. If we wanted to strictly match existing implementations like Linux, then we would actually send an error back to the user if they tried to specify permissions in a remove call. I don't know that we need to be rigid about that, and we could always choose to implement that check at the CLI layer if we want it, so I'm fine with this approach.
The effect of this is that protobuf will default initialize the enum field to the 0'th element (NONE) on conversion from proto to model. For symmetry, this patch adds the corresponding logic in the conversion from model to proto too.