IETF Logo Mail Archive

Re: [Ldap-dir] Concerns about draft-ietf-nfsv4-federated-fs-protocol

Nicolas Williams <Nicolas.Williams@sun.com> Thu, 10 September 2009 17:03 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: ldap-dir@core3.amsl.com
Delivered-To: ldap-dir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B86583A6A1D for <ldap-dir@core3.amsl.com>; Thu, 10 Sep 2009 10:03:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.233
X-Spam-Level:
X-Spam-Status: No, score=-5.233 tagged_above=-999 required=5 tests=[AWL=-0.387, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_15=0.6, J_CHICKENPOX_53=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TrJ4fWYmq2GH for <ldap-dir@core3.amsl.com>; Thu, 10 Sep 2009 10:03:06 -0700 (PDT)
Received: from brmea-mail-2.sun.com (brmea-mail-2.Sun.COM [192.18.98.43]) by core3.amsl.com (Postfix) with ESMTP id 17A1B3A6B24 for <ldap-dir@ietf.org>; Thu, 10 Sep 2009 10:03:06 -0700 (PDT)
Received: from dm-central-01.central.sun.com ([129.147.62.4]) by brmea-mail-2.sun.com (8.13.6+Sun/8.12.9) with ESMTP id n8AH3e4i021679 for <ldap-dir@ietf.org>; Thu, 10 Sep 2009 17:03:40 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n8AH3e14049154 for <ldap-dir@ietf.org>; Thu, 10 Sep 2009 11:03:40 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n8AGqedP013827; Thu, 10 Sep 2009 11:52:40 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n8AGqeHx013826; Thu, 10 Sep 2009 11:52:40 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Thu, 10 Sep 2009 11:52:40 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Leif Johansson <leifj@it.su.se>
Message-ID: <20090910165239.GN1033@Sun.COM>
References: <20090909160952.GV1048@Sun.COM> <200909101758.10049.leifj@it.su.se>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <200909101758.10049.leifj@it.su.se>
User-Agent: Mutt/1.5.7i
X-Mailman-Approved-At: Thu, 10 Sep 2009 10:08:54 -0700
Cc: ldap-dir@ietf.org
Subject: Re: [Ldap-dir] Concerns about draft-ietf-nfsv4-federated-fs-protocol
X-BeenThere: ldap-dir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: LDAP Directorate <ldap-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ldap-dir>, <mailto:ldap-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldap-dir>
List-Post: <mailto:ldap-dir@ietf.org>
List-Help: <mailto:ldap-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldap-dir>, <mailto:ldap-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2009 17:03:07 -0000

On Thu, Sep 10, 2009 at 05:58:05PM +0200, Leif Johansson wrote:
> On Wednesday 09 September 2009 18.09.52 Nicolas Williams wrote:
> > Dear LDAP directorate,
> >
> > I have several issues with draft-ietf-nfsv4-federated-fs-protocol-03, of
> > which at least two remain outstanding, and which the authors do not wish
> > to address.  My concerns:
> >
> 
> I had a conversation with them at the last IETF and voiced similar concerns. 
> While I mostly agree with you (comments on details in line) I'm not sure how 
> serious they are for practical deployment of this stuff.

They are.  I spoke to one of them yesterday, and will speak to the rest
today, and I understand better why they made some of their design
choices.  For example: the objects they have are all named from UUIDs,
and represent nothing special, access wise, so that letting anonymous
principals read them is perfectly reasonable.  And for publishing the
only control needed is a resource consumption control.  There's not much
benefit to re-using an existing directory infrastructure then, not
beyond the hardware (and software license) re-use aspect.

But I still think that the model should allow for re-use of existing
directory infrastructure.  After talking to one of them about it I've
concluded that mostly that would just mean that their "NSDB name"
attribute (fedfsNsdbName) needs to track not just the name of the NSDB,
but also a base DN for it.

That's another thing, the NSDB name is just a hostname; it's expected
to have multiple A RRs if there are multiple NSDB servers.  An SRV RR
would be better, but it's not clear how to name it: a domain could
have more than one distinct NSDB, which means that simply naming the SRV
RR something like _nsdb._ldap._tcp.<domainname> wouldn't work.

> It is quite possible (and I explained how in Stockholm) to redesign the 
> searches to remove all of these requirements.

Yes, but it should be possible to avoid an extensive redesign.

Allowing arbitrary DN suffixes is just a matter of adding an attribute
to FSNs and to junctions (which are a server-local concept, without an
NSDB object class to represent them) to track the base DN of the NSDB.
I think that'd be sufficient.

Fileservers store {UUID, NSDB name} in their 'junctions'.  They'd have
to store {UUID, NSDB name, NSDB base DN} to allow for arbitrary base
DNs.  To avoid the use of UUIDs, scope=one and o=fedfs container,
fileservers would have to store {FSN DN, NSDB name} or {FSN RDN, NSDB
name, NSDB base DN}.  It might be too late to change from using UUIDs to
name FSNs, in which case, for uniqueness, one would want all FSNs in one
container, so it may not be possible to remove the o=fedfs requirement,
but we might still be able to get an NSDB base DN attribute added to the
mix.

> However I'm not sure anyone will ever deploy NSDB along with any other
> directory information anyway because NSDB requires read access to all
> data in the subtree. I've found that most directory admins can't manage
> access rights and asking them to stick a large dataset in their systems 
> with public access is like asking a DNS admin to add a RR for which there is 
> no GUI in the admin tool. The result is consternation at best.

Interesting.  Of course, some directory servers make it trivial to setup
inherittable ACLs so the right thing happens...

> I believe that practically speaking NSDB will run on dedicated directory 
> servers administrated separately from other directory servers in the
> enterprise no matter how hard you try and I don't see how that is 
> such a big problem...

Interesting.  Well, I may well just give then.

> Having said that I do agree with the technical points you make.

Well, if no one would ever want to deploy NSDBs in existing directory
infrastructure, then my technical points would be rendered irrelevant.
Don't you agree?

If so then I would withdraw all my complaints.

> > 2) The use of UUIDs for object naming to guarantee object DN uniqueness,
> > while not necessarily a problem, seems unnecessary: the directory should
> > ensure object DN uniqueness, thus there is no need to enforce uniqueness
> > at the application layer!
> 
> Well yes but since you can't "lock" a name you can't first figure out which
> name to give your new entry and then go away and create it - unless you
> depend on extensions for transaction-like grouping of operations in LDAP.

LDAP is supposed to ensure DN uniqueness atomically, is it not?

You'd create the FSLs first, then the creat/update FSNs to refer to the
FSLs.

> > I believe this document represents a gross misuse of LDAP.  But I cannot
> > convince the authors that that is the case.  Hopefully the App Area will
> > have a chance to review this document and review my concerns.
> 
> I think gross misuse is an overstatement. Do they use LDAP the way a
> normal identity-oriented directory does? Nope. Will that be the end of
> the world as we know it? Probably not.

Now that I understand the federated FS proposal better I agree.

Nico
--

v2.23.0 | Report a Bug | By Email